Natxo Asenjo wrote:
>
> By the way, revoking the certificate does not block applications using
> it from ldap.
>
> I can still access the ldap server using this cert/key pair *after*
> revoking the certificate using ipa cert-revoke <serialnr>. In order to
> block it I need to remove the seeAlso value of the user account, or the
> certificate attribute.
>
> I do not know if this is a security issue, but maybe worthwhile
> documenting just in case.

SSL/TLS servers don't automatically check for cert revocation. You need to add the CRL to the 389-ds NSS database periodically.

I don't know for sure but I don't think 389-ds can use OCSP to validate incoming client certs. There is an IPA ticket in the backlog to investigate this for the web and ldap servers:

https://fedorahosted.org/freeipa/ticket/3542

And yeah, as you discovered, managing the value of CmapLdapAttr is a poor man's revocation.

rob
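
One way to do the periodic CRL import mentioned in the reply, as an added example that is not from the thread or the FreeIPA project. The CRL URL and the NSS database path are assumed placeholders; `crlutil` is the NSS tool and `curl` does the download.

```bash
#!/bin/bash
# Added example: refresh the CA's CRL in the 389-ds NSS database.
# Assumed placeholders (not from the thread): CRL_URL host and NSS_DB instance name.
CRL_URL="${CRL_URL:-http://ipa-ca.example.test/ipa/crl/MasterCRL.bin}"
NSS_DB="${NSS_DB:-/etc/dirsrv/slapd-EXAMPLE-TEST}"
CURL="${CURL:-curl}"          # overridable so the logic can be exercised offline
CRLUTIL="${CRLUTIL:-crlutil}"

# Download the CRL at URL $1 to file $2; --fail turns HTTP errors into a
# non-zero exit status instead of saving an error page as the "CRL".
fetch_crl() {
    "$CURL" --fail --silent --show-error --output "$2" "$1"
}

# Import CRL file $1 into NSS database directory $2.
# An empty or missing file is rejected before crlutil is called, so a broken
# download never touches the CRL that is already installed.
import_crl() {
    if [ ! -s "$1" ]; then
        echo "refusing to import empty or missing CRL: $1" >&2
        return 1
    fi
    "$CRLUTIL" -I -i "$1" -d "$2"
}

# Fetch and import in one step; returns non-zero if either stage fails so
# that cron or a systemd timer reports the failure.
refresh_crl() {
    local tmp rc=0
    tmp="$(mktemp)" || return 1
    fetch_crl "$CRL_URL" "$tmp" && import_crl "$tmp" "$NSS_DB" || rc=$?
    rm -f "$tmp"
    return "$rc"
}
```

Call `refresh_crl` from a cron job or timer that runs more often than the CA's CRL update interval, and alert on a non-zero exit, because a refresh that silently stops leaves revoked client certificates accepted.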