hi,
On Thu, Mar 3, 2016 at 10:57 PM, Rob Crittenden <[email protected]> wrote:
> Natxo Asenjo wrote:
> >
> > Using EXTERNAL, no cookie:
> > $ ldapsearch -h kdc.sub.domain.tld -ZZ -Y EXTERNAL -LLL
> > objectclass=person -s sub -b dc=sub,dc=domain,dc=tld cn
> > SASL/EXTERNAL authentication started
> > ldap_sasl_interactive_bind_s: Invalid credentials (49)
> >         additional info: client certificate mapping failed
> >
> > I came across this page in the 389 wiki:
> >
> > http://directory.fedoraproject.org/docs/389ds/howto/howto-certmapping.html
> >
> > But I am not really sure how to accomplish this.
> >
> > Is this possible in freeipa?
>
> I don't see why not. You just need to be able to map the subject of the
> cert to a single entry. That's what certmap.conf attempts to do.
>

ok, I got it working but it took some effort.

Let's see, in certmap.conf the config is like this out of the box:

certmap default default
#default:DNComps
#default:FilterComps e, uid
#default:verifycert on
#default:CmapLdapAttr certSubjectDN
#default:library <path_to_shared_lib_or_dll>
#default:InitFn <Init function's name>
default:DNComps
default:FilterComps uid

certmap ipaca CN=Certificate Authority,O=SUB.DOMAIN.TLD
ipaca:CmapLdapAttr seeAlso
ipaca:verifycert on

So, there is an additional mapping for ipaca, which is handy. But the CmapLdapAttr points to 'seeAlso', and if you change that to usercertificate;binary (where the usercertificates are), the tomcat pki service will no longer start, because DN: uid=pkidbuser,ou=people,o=ipaca has this seeAlso attribute: CN=CA Subsystem,O=SUB.DOMAIN.TLD

So we cannot change the CmapLdapAttr to something else, but we can add a seeAlso attribute to the user account, like cn=username,o=SUB.DOMAIN.TLD. And then it works.

This could be very handy for web applications. Nice. Thanks for the pointer.

Regards,
Natxo
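As an added illustration (not code from the thread or from 389-ds/FreeIPA), the following is a simplified model of how a certmap.conf rule with CmapLdapAttr resolves a client certificate to exactly one entry, and why the seeAlso value on the user account has to equal the certificate subject DN. The directory contents, the certificate DNs and the "certificate bytes" are constructed; real 389-ds matches DNs with its own normalisation and, with verifycert on, compares the presented certificate against usercertificate, which is modelled here as a plain equality check.

```python
from dataclasses import dataclass

@dataclass
class CertmapRule:
    """One 'certmap <name> <issuer DN>' block that uses CmapLdapAttr."""
    name: str
    issuer_dn: str        # e.g. "CN=Certificate Authority,O=SUB.DOMAIN.TLD"
    cmap_ldap_attr: str   # e.g. "seeAlso"
    verifycert: bool = False

# Constructed directory: entry DN -> attributes (attribute names lowercased).
DIRECTORY = {
    "uid=natxo,cn=users,cn=accounts,dc=sub,dc=domain,dc=tld": {
        "seealso": ["CN=natxo,O=SUB.DOMAIN.TLD"],
        "usercertificate;binary": [b"CONSTRUCTED-CERT-BYTES"],
    },
    "uid=pkidbuser,ou=people,o=ipaca": {
        "seealso": ["CN=CA Subsystem,O=SUB.DOMAIN.TLD"],
        "usercertificate;binary": [b"OTHER-CONSTRUCTED-BYTES"],
    },
}

def normalize_dn(dn):
    # Assumption: case-insensitive, whitespace-insensitive RDN comparison.
    return ",".join(part.strip().lower() for part in dn.split(","))

def map_certificate(rules, issuer_dn, subject_dn, cert_der, directory=DIRECTORY):
    """Return (entry DN, "ok") or (None, reason) for a presented certificate.

    Failure modes: no rule for the issuer, zero or several entries whose
    CmapLdapAttr equals the subject DN (the 'client certificate mapping
    failed' seen in the thread), or a verifycert mismatch.
    """
    rule = next((r for r in rules
                 if normalize_dn(r.issuer_dn) == normalize_dn(issuer_dn)), None)
    if rule is None:
        return None, "no certmap rule for issuer"
    attr = rule.cmap_ldap_attr.lower()
    want = normalize_dn(subject_dn)
    matches = [dn for dn, entry in directory.items()
               if any(normalize_dn(v) == want for v in entry.get(attr, []))]
    if len(matches) != 1:
        return None, "client certificate mapping failed (%d candidates)" % len(matches)
    if rule.verifycert and cert_der not in directory[matches[0]].get("usercertificate;binary", []):
        return None, "certificate verification failed"
    return matches[0], "ok"

# The ipaca rule as it appears in the thread's certmap.conf.
IPACA = CertmapRule("ipaca", "CN=Certificate Authority,O=SUB.DOMAIN.TLD", "seeAlso", True)
```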
