Natxo Asenjo wrote:
> By the way, revoking the certificate does not block applications using
> it from ldap.
> I can still access the ldap server using this cert/key pair *after*
> revoking the certificate using ipa cert-revoke <serialnr>. In order to
> block it I need to remove the seeAlso value of the user account, or the
> certificate attribute.
> I do not know if this is a security issue, but maybe worthwhile
> documenting just in case.

SSL/TLS servers don't automatically check for cert revocation. You need
to add the CRL to the 389-ds NSS database periodically. I don't know for
sure but I don't think 389-ds can use OCSP to validate incoming client
certs. There is an IPA ticket in the backlog to investigate this for the
web and ldap servers:

And yeah, as you discovered, managing the value of CmapLdapAttr is a
poor man's revocation.
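The gap the reply describes is that the LDAP server only knows a client certificate is revoked if a current CRL has been loaded into it. The following is an added example, not code from this thread or from 389-ds/FreeIPA: a minimal stdlib-only DER parser that reads the revoked serial numbers out of an X.509 CRL, refuses any client certificate when the CRL is past its nextUpdate (the "refresh periodically" point), and refuses a listed serial. The CRL bytes are constructed inline with a placeholder signature, and the helper names, issuer name and serials are assumptions. It deliberately does not verify the CRL signature; a real deployment must validate the CRL against the issuing CA before trusting its contents.

```python
from datetime import datetime, timezone

# --- Minimal DER helpers (hypothetical helper code, not 389-ds or IPA code) ---

def der(tag, body):
    """Encode one DER TLV (short or long definite length)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def der_int(n):
    # Positive INTEGER: a leading 0x00 is added when the top bit would be set.
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def der_utctime(dt):
    return der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())

def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)

def read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, body, position after it)."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def parse_time(tag, body):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return datetime.strptime(body.decode(), fmt).replace(tzinfo=timezone.utc)

# --- Build a constructed CRL so the example runs offline (placeholder signature) ---

SHA256_RSA = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption

def build_crl(revoked, this_update, next_update):
    """Constructed X.509 v2 CRL; the outer signature is a dummy BIT STRING, not a real one."""
    issuer = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, b"Constructed CA"))))
    entries = b"".join(der(0x30, der_int(s) + der_utctime(when)) for s, when in revoked)
    tbs = der(0x30, der_int(1) + SHA256_RSA + issuer + der_utctime(this_update)
              + der_utctime(next_update) + der(0x30, entries))
    return der(0x30, tbs + SHA256_RSA + der(0x03, b"\x00" * 9))

# --- The check the LDAP server does not do for you unless a CRL is loaded ---

def parse_crl(crl_der):
    """Return thisUpdate, nextUpdate and {serial: revocationDate} from a DER CRL (signature not checked)."""
    _, outer, _ = read_tlv(crl_der, 0)
    _, tbs, _ = read_tlv(outer, 0)
    tag, body, pos = read_tlv(tbs, 0)
    if tag == 0x02:                      # optional version present; move on to signature algorithm
        tag, body, pos = read_tlv(tbs, pos)
    _, _, pos = read_tlv(tbs, pos)       # issuer Name
    tag, body, pos = read_tlv(tbs, pos)  # thisUpdate (mandatory)
    this_update, next_update, revoked = parse_time(tag, body), None, {}
    while pos < len(tbs):
        tag, body, pos = read_tlv(tbs, pos)
        if tag in (0x17, 0x18):          # nextUpdate
            next_update = parse_time(tag, body)
        elif tag == 0x30:                # revokedCertificates
            epos = 0
            while epos < len(body):
                _, entry, epos = read_tlv(body, epos)
                _, serial, p = read_tlv(entry, 0)
                t, when, _ = read_tlv(entry, p)
                revoked[int.from_bytes(serial, "big", signed=True)] = parse_time(t, when)
        # tag 0xA0 (crlExtensions) is ignored in this example
    return {"this_update": this_update, "next_update": next_update, "revoked": revoked}

def client_cert_allowed(crl_der, serial, now):
    """Decide whether a client cert serial may authenticate, given the CRL the server holds."""
    info = parse_crl(crl_der)
    if info["next_update"] is not None and now > info["next_update"]:
        return False, "CRL is stale (past nextUpdate); refresh it before trusting client certs"
    if serial in info["revoked"]:
        return False, "serial %d revoked at %s" % (serial, info["revoked"][serial].isoformat())
    return True, "serial not listed in current CRL"

# Constructed sample: two revoked serials, CRL valid for one week.
SAMPLE_THIS_UPDATE = utc(2024, 1, 1)
SAMPLE_NEXT_UPDATE = utc(2024, 1, 8)
SAMPLE_CRL = build_crl([(0x1A2B, SAMPLE_THIS_UPDATE), (7, SAMPLE_THIS_UPDATE)],
                       SAMPLE_THIS_UPDATE, SAMPLE_NEXT_UPDATE)

if __name__ == "__main__":
    for serial, now in [(0x1A2B, utc(2024, 1, 2)), (42, utc(2024, 1, 2)), (42, utc(2024, 2, 1))]:
        print(hex(serial), now.date(), client_cert_allowed(SAMPLE_CRL, serial, now))
```

The third case in the usage loop is the one that matters operationally: a serial that is not listed is still refused once the CRL has expired, so a server whose CRL is never refreshed fails closed rather than silently accepting everything.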


Manage your subscription for the Freeipa-users mailing list: