On 03/05/2016 06:00 AM, Rob Crittenden wrote:
> Natxo Asenjo wrote:
>>
>> By the way, revoking the certificate does not block applications using
>> it from ldap.
>>
>> I can still access the ldap server using this cert/key pair *after*
>> revoking the certificate using ipa cert-revoke <serialnr>. In order to
>> block it I need to remove the seeAlso value of the user account, or the
>> certificate attribute.
>>
>> I do not know if this is a security issue, but maybe worthwhile
>> documenting just in case.
>
> SSL/TLS servers don't automatically check for cert revocation. You need
> to add the CRL to the 389-ds NSS database periodically. I don't know for
> sure but I don't think 389-ds can use OCSP to validate incoming client
> certs. There is an IPA ticket in the backlog to investigate this for the
> web and ldap servers: https://fedorahosted.org/freeipa/ticket/3542
>
> And yeah, as you discovered, managing the value of CmapLdapAttr is a
> poor man's revocation.
I saved Natxo's contributed article here:
http://www.freeipa.org/page/Howto/Client_Certificate_Authentication_with_LDAP
for now.

My take on this is that it probably works, but I am curious, actually, what
problem you are solving. Are you interested only in allowing certificate
authentication with FreeIPA LDAP, or rather in allowing certificate
authentication in your application, whatever the means?

If this is the case, would leveraging SSSD Smart Card/certificate
authentication help? At minimum, it can look up users by certificate:
https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate

By leveraging SSSD, you should be able to avoid manual user mapping in
FreeIPA LDAP. I am not sure though how the revocation would work. CCing
Sumit on this one.

Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
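The point Rob makes above (the TLS server does not consult the CRL on its own, so the CRL has to be pulled in periodically and the CmapLdapAttr/seeAlso mapping is the only thing that actually stops a revoked client certificate) implies a periodic job: fetch the CA's CRL, find which certificate-mapped accounts now have a revoked serial, and remove their mapping. The script below is an added example, not code from the thread, from FreeIPA or from 389-ds. It uses only the Python standard library; the DER reader is a minimal walk of the CertificateList structure that handles UTCTime only and does not verify the CRL signature, so in practice it must be fed a CRL fetched from the CA over a trusted channel. The sample CRL, the serial numbers, the user names, the `seeAlso` cleanup and the base DN are all constructed or placeholder values. One check it adds beyond the thread: a CRL whose nextUpdate has passed is rejected rather than silently treated as "nothing revoked".

```python
"""Periodic CRL-driven cleanup of certificate-to-user mappings (added example,
standard library only; signature of the CRL is NOT verified here)."""
from datetime import datetime, timedelta, timezone

# ---- minimal DER encoding, used only to build a constructed sample CRL ----
def _der(tag, body):
    """Encode one TLV with a definite-length (short or long form) header."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    n = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(n)]) + n + body

def _der_int(value):
    # minimal two's-complement encoding; a positive value whose top bit is set
    # gets the leading 0x00 that DER requires
    return _der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))

def _der_utctime(dt):
    return _der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))

def build_sample_crl(revoked, this_update, next_update):
    """Construct a v2 CertificateList with {serial: revocation_date} entries.
    Issuer name, algorithm OID and the 8-byte 'signature' are placeholders."""
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    issuer = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03")
                                            + _der(0x0c, b"Sample CA"))))
    entries = b"".join(_der(0x30, _der_int(s) + _der_utctime(d)) for s, d in revoked.items())
    tbs = _der(0x30, _der_int(1) + alg + issuer + _der_utctime(this_update)
               + _der_utctime(next_update) + _der(0x30, entries))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))

# ---- minimal DER reading of a CertificateList ----
def _tlv(buf, pos=0):
    """Return (tag, value, position after the TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(buf):
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = _tlv(buf, pos)
        out.append((tag, val))
    return out

def _utctime(raw):
    # UTCTime only; GeneralizedTime (tag 0x18, dates from 2050 on) is not handled
    return datetime.strptime(raw.decode("ascii"), "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_crl(crl_der):
    """Return (this_update, next_update, {serial: revocation_date}).
    The CRL signature is not checked; trust comes from how the CRL was obtained."""
    _, cert_list, _ = _tlv(crl_der)
    _, tbs, _ = _tlv(cert_list)
    fields = _children(tbs)
    if fields[0][0] == 0x02:                # optional version INTEGER
        fields = fields[1:]
    # fields: signatureAlgorithm, issuer, thisUpdate, [nextUpdate],
    #         [revokedCertificates], [crlExtensions]
    this_update = _utctime(fields[2][1])
    idx, next_update = 3, None
    if idx < len(fields) and fields[idx][0] == 0x17:
        next_update, idx = _utctime(fields[idx][1]), idx + 1
    revoked = {}
    if idx < len(fields) and fields[idx][0] == 0x30:
        for _, entry in _children(fields[idx][1]):
            serial_tlv, date_tlv = _children(entry)[:2]
            revoked[int.from_bytes(serial_tlv[1], "big", signed=True)] = _utctime(date_tlv[1])
    return this_update, next_update, revoked

def revoked_mappings(crl_der, cert_mapped_users, now):
    """cert_mapped_users is {uid: serial} for accounts whose seeAlso/certificate
    attribute maps a client cert. Returns the uids whose serial is on the CRL.
    A CRL outside its thisUpdate..nextUpdate window is rejected (fail closed)."""
    this_update, next_update, revoked = parse_crl(crl_der)
    if now < this_update or (next_update is not None and now > next_update):
        raise ValueError("CRL not valid at %s (thisUpdate=%s, nextUpdate=%s)"
                         % (now, this_update, next_update))
    return sorted(uid for uid, serial in cert_mapped_users.items() if serial in revoked)

def cleanup_ldif(uids, base_dn="cn=users,cn=accounts,dc=example,dc=test"):
    """LDIF that drops the seeAlso mapping of each affected user (base DN is a placeholder)."""
    return "".join("dn: uid=%s,%s\nchangetype: modify\ndelete: seeAlso\n-\n\n"
                   % (uid, base_dn) for uid in uids)

# Constructed sample data: two mapped accounts, one of whose serial (4660) is revoked
NOW = datetime(2016, 3, 5, 6, 0, tzinfo=timezone.utc)
STALE_NOW = NOW + timedelta(days=2)         # later than the sample CRL's nextUpdate
SAMPLE_CRL = build_sample_crl({4660: NOW}, NOW, NOW + timedelta(days=1))
SAMPLE_USERS = {"natxo": 4660, "martin": 4661}

if __name__ == "__main__":
    print(cleanup_ldif(revoked_mappings(SAMPLE_CRL, SAMPLE_USERS, NOW)), end="")
```

Run as a cron job, the `{uid: serial}` map would come from an LDAP search over the mapping attribute and the LDIF would be piped to ldapmodify; the fail-closed check matters because a job that quietly keeps running against an expired CRL gives the same false sense of security as never loading the CRL at all.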