On Thu, Mar 3, 2016 at 10:57 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Natxo Asenjo wrote:
> > Using EXTERNAL, no cookie:
> > $ ldapsearch -h kdc.sub.domain.tld -ZZ -Y EXTERNAL -LLL
> > objectclass=person -s sub -b dc=sub,dc=domain,dc=tld cn
> > SASL/EXTERNAL authentication started
> > ldap_sasl_interactive_bind_s: Invalid credentials (49)
> > additional info: client certificate mapping failed
> > I came across this page in the 389 wiki:
> > But I am not really sure how to accomplish this.
> > Is this possible in freeipa?
> I don't see why not. You just need to be able to map the subject of the
> cert to a single entry. That's what certmap.conf attempts to do.
OK, I got it working, but it took some effort.
Let's see, in certmap.conf the config is like this out of the box:
certmap default default
#default:FilterComps e, uid
#default:InitFn <Init function's name>
certmap ipaca CN=Certificate Authority,O=SUB.DOMAIN.TLD
So, there is an additional mapping for ipaca, which is handy. But the
CmapLdapAttr points to 'seeAlso', and if you change that to
usercertificate;binary (where the usercertificates are), the tomcat pki
service will no longer start because
has this seealso attribute: CN=CA Subsystem,O=SUB.DOMAIN.TLD
so we cannot change the CmapLdapAttr to something else, but we can add a
seeAlso attribute to the user account, like cn=username,o=SUB.DOMAIN.TLD.
And then it works.
This could be very handy for web applications.
Nice. Thanks for the pointer.
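As an added illustration (not code from this thread, nor from 389 DS or FreeIPA), a small Python model of how a certmap.conf rule turns a client cert's issuer and subject DN into directory searches, showing why the bind fails without a seeAlso value on the user entry and succeeds with one. The rule table, the directory entries and the simplified DNComps/FilterComps/CmapLdapAttr semantics are my assumptions:

```python
# Simplified model of 389 DS certmap.conf resolution (constructed example).
# A rule is chosen by the client cert's issuer DN. With CmapLdapAttr set, the
# server first looks for an entry whose attribute holds the cert subject DN,
# then falls back to a search built from DNComps/FilterComps. Exactly one hit
# is required; zero or several hits end as "client certificate mapping failed".

# Constructed rules shaped like the two mappings in the thread above.
RULES = {
    "default": {"issuer": None, "DNComps": None, "FilterComps": None,
                "CmapLdapAttr": None},
    "ipaca": {"issuer": "CN=Certificate Authority,O=SUB.DOMAIN.TLD",
              "DNComps": None, "FilterComps": None, "CmapLdapAttr": "seeAlso"},
}

def _norm(dn):
    """Case- and space-insensitive comparison key for DNs and values."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def select_rule(issuer_dn):
    """Pick the rule whose issuer matches the cert; otherwise 'default'."""
    for rule in RULES.values():
        if rule["issuer"] and _norm(rule["issuer"]) == _norm(issuer_dn):
            return rule
    return RULES["default"]

def searches_for(rule, subject_dn):
    """(base, filter) pairs tried in order; base None = whole tree, {} = objectclass=*."""
    tries = []
    if rule["CmapLdapAttr"]:
        tries.append((None, {rule["CmapLdapAttr"].lower(): subject_dn}))
    subj = {k.strip().lower(): v for k, v in
            (p.split("=", 1) for p in subject_dn.split(","))}
    if rule["DNComps"] is None:     # absent: the subject DN itself is the base
        base = subject_dn
    elif not rule["DNComps"]:       # present but empty: search the whole tree
        base = None
    else:
        base = ",".join(f"{c}={subj[c.lower()]}" for c in rule["DNComps"] if c.lower() in subj)
    flt = {c.lower(): subj[c.lower()] for c in (rule["FilterComps"] or []) if c.lower() in subj}
    tries.append((base, flt))
    return tries

def _matches(entry, base, flt):
    nd = _norm(entry["dn"])
    in_scope = base is None or nd == _norm(base) or nd.endswith("," + _norm(base))
    return in_scope and all(_norm(entry.get(a, "")) == _norm(v) for a, v in flt.items())

def map_cert(issuer_dn, subject_dn, directory):
    """Return the single matching entry DN, or None when mapping fails.
    Directory entries are dicts with a 'dn' key and lowercase attribute names."""
    for base, flt in searches_for(select_rule(issuer_dn), subject_dn):
        hits = [e["dn"] for e in directory if _matches(e, base, flt)]
        if len(hits) == 1:
            return hits[0]
    return None
```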
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project