Hi Oli
Thanks a lot
I changed the handler to:

    Certificate:
        type: ClientX509
        user@: connector:auth.connector.userdbX509
        role: User
        arg: CN
        trust_anchor:
            realm: ivoc-test

Now I can log in again, but the role is User (and not RA Operator like defined in /home/pkiadm/userdbX509.yaml).

Best Regards
Thomas

From: Oliver Welter <[email protected]>
Sent: Monday, 21 August 2023 13:06
To: [email protected]
Subject: Re: [OpenXPKI-users] X509 user database

Hi Thomas,

looks like there is a migration bug when no default role is set...

Option 1: keep the "role" parameter to set a default role

Option 2: in OpenXPKI/Server/Authentication/X509.pm, line 145, replace "$self->default_role();" with "$self->role()" - that should then assign any user without a role the empty role, which causes a login error.

Oli

On 21.08.23 08:38, Thomas Gusset wrote:

Hi Oliver

Thanks for the hint. I changed /home/pkiadm/userdbX509.yaml to

    Thomas Gusset:
        username: Thomas Gusset
        role: RA Operator

But still no success. I see the following log in openxpki.log:

    2023/08/21 08:33:57 ERROR I18N_OPENXPKI_SERVICE_DEFAULT_HANDLE_MESSAGE_FAILED; __EVAL_ERROR__ => Attribute (default_role) does not pass the type constraint because: Validation failed for 'Str' with value undef at accessor OpenXPKI::Server::Authentication::X509::default_role (defined at /usr/share/perl5/OpenXPKI/Server/Authentication/X509.pm line 44) line 11
    OpenXPKI::Server::Authentication::X509::default_role('OpenXPKI::Server::Authentication::ClientX509=HASH(0x561529879fe0)') called at /usr/share/perl5/OpenXPKI/Server/Authentication/X509.pm line 145
    OpenXPKI::Server::Authentication::X509::_validation_result('OpenXPKI::Server::Authentication::ClientX509=HASH(0x561529879fe0)', 'HASH(0x561529b95458)') called at /usr/share/perl5/OpenXPKI/Server/Authentication/ClientX509.pm line 46
    OpenXPKI::Server::Authentication::ClientX509::handleInput('OpenXPKI::Server::Authentication::ClientX509=HASH(0x561529879fe0)', 'HASH(0x561529ac7bb8)') called at /usr/share/perl5/OpenXPKI/Server/Authentication.pm line 467
    OpenXPKI::Server::Authentication::login_step('OpenXPKI::Server::Authentication=HASH(0x561525e186a0)', 'HASH(0x561529ad93d8)') called at /usr/share/perl5/OpenXPKI/Service/Default.pm line 802
    OpenXPKI::Service::Default::__handle_login('OpenXPKI::Service::Default=SCALAR(0x561525f7d5f0)', 'HASH(0x561529ad9570)') called at /usr/share/perl5/OpenXPKI/Service/Default.pm line 495
    OpenXPKI::Service::Default::__handle_GET_X509_LOGIN('OpenXPKI::Service::Default=SCALAR(0x561525f7d5f0)', 'HASH(0x561529ad9570)') called at /usr/share/perl5/OpenXPKI/Service/Default.pm line 196
    eval {...} at /usr/share/perl5/OpenXPKI/Service/Default.pm line 193
    OpenXPKI::Service::Default::__handle_message('OpenXPKI::Service::Default=SCALAR(0x561525f7d5f0)', 'HASH(0x5615259e2e18)') called at /usr/share/perl5/OpenXPKI/Service/Default.pm line 72
    eval {...} at /usr/share/perl5/OpenXPKI/Service/Default.pm line 71
    OpenXPKI::Service::Default::init('OpenXPKI::Service::Default=SCALAR(0x561525f7d5f0)') called at /usr/share/perl5/OpenXPKI/Server.pm line 531
    OpenXPKI::Server::do_process_request('OpenXPKI::Server=HASH(0x56152204ba48)', 'Net::Server::Proto::UNIX=GLOB(0x5615253041c0)') called at /usr/share/perl5/OpenXPKI/Server.pm line 391
    eval {...} at /usr/share/perl5/OpenXPKI/Server.pm line 390
    OpenXPKI::Server::process_request('OpenXPKI::Server=HASH(0x56152204ba48)', 'Net::Server::Proto::UNIX=GLOB(0x5615253041c0)') called at /usr/share/perl5/Net/Server.pm line 72
    Net::Server::run_client_connection('OpenXPKI::Server=HASH(0x56152204ba48)') called at /usr/share/perl5/Net/Server/Fork.pm line 196
    Net::Server::Fork::run_client_connection('OpenXPKI::Server=HASH(0x56152204ba48)') called at /usr/share/perl5/Net/Server/Fork.pm line 140
    Net::Server::Fork::loop('OpenXPKI::Server=HASH(0x56152204ba48)') called at /usr/share/perl5/Net/Server.pm line 58
    Net::Server::run('OpenXPKI::Server=HASH(0x56152204ba48)', 'server_type', 'Fork', 'port', '/var/openxpki/openxpki.socket|unix', 'alias', 'main', 'background', 1, 'socketfile', '/var/openxpki/openxpki.socket', 'process_owner', 106, 'pid_file', '/run/openxpkid.pid', 'socket_owner', 33, 'process_group', 112, 'proto', 'unix', 'no_client_stdout', 1) called at /usr/share/perl5/Net/Server/MultiType.pm line 78
    Net::Server::MultiType::run('OpenXPKI::Server=HASH(0x56152204ba48)', 'server_type', 'Fork', 'port', '/var/openxpki/openxpki.socket|unix', 'alias', 'main', 'background', 1, 'socketfile', '/var/openxpki/openxpki.socket', 'process_owner', 106, 'pid_file', '/run/openxpkid.pid', 'socket_owner', 33, 'process_group', 112, 'proto', 'unix', 'no_client_stdout', 1) called at /usr/share/perl5/OpenXPKI/Server.pm line 123
    OpenXPKI::Server::start('OpenXPKI::Server=HASH(0x56152204ba48)') called at /usr/share/perl5/OpenXPKI/Control.pm line 273
    eval {...} at /usr/share/perl5/OpenXPKI/Control.pm line 268
    OpenXPKI::Control::start('HASH(0x56151fff74b8)') called at /usr/bin/openxpkictl line 137
    , __MESSAGE_NAME__ => GET_X509_LOGIN [pid=37137|sid=/ZBC]

Best Regards
Thomas

From: Oliver Welter <[email protected]>
Sent: Saturday, 19 August 2023 13:24
To: [email protected]
Subject: Re: [OpenXPKI-users] X509 user database

Hi Thomas,

I had a quick look at the code and it looks like the docs are incomplete :)

The user database must return a value for the "username" attribute, so can you please try to add the key "username" into the yaml file and try again.

best regards
Oliver

On 18.08.23 15:09, Thomas Gusset wrote:

Hi

I am trying to set up GUI authentication with client certificates. It works fine with this handler:

    Certificate:
        type: ClientX509
        role: User
        trust_anchor:
            realm: <my-realm>

I can authenticate, the username is the CN, the role is User.

Now I would like to have a user database to dynamically assign roles to users. Therefore I changed the handler to

    Certificate:
        type: ClientX509
        user@: connector:auth.connector.userdbX509
        arg: CN
        trust_anchor:
            realm: <my-realm>

and added a connector

    userdbX509:
        class: Connector::Proxy::YAML
        LOCATION: /home/pkiadm/userdbX509.yaml

The user database looks like

    John Doe:
        role: RA Operator

where 'John Doe' is the CN of the certificate.

With this configuration I can no longer authenticate: Unknown error (service default handle message failed)

What's wrong with my configuration?

Thanks in advance
Thomas

NetSec.co AG
Thomas Gusset
CEO & CTO
Im alten Riet 125, 9494 Schaan, Liechtenstein
https://netsec.co
+423 388 2777 / +423 388 2770 (direct)
[email protected]
https://threema.id/NK3MJMNP
Chat on MS Teams <https://teams.microsoft.com/l/chat/0/[email protected]>

_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users

--
Protect your environment - close windows and adopt a penguin!
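The lookup and fallback behaviour discussed in this thread, as an added example that is not OpenXPKI's own code: the connector is queried with the certificate CN, the returned entry must carry a "username" attribute, a user without a role falls back to the handler's default role, and a missing default role is refused as a login error rather than failing on an undefined attribute. The user database and the CNs in it are constructed for the example; the `lint_userdb` check is an assumption about what a practitioner would want to run before deploying the YAML file.

```python
# Added example (not OpenXPKI's own code): a model of the ClientX509 user
# database lookup discussed in the thread. The connector is queried with
# the certificate CN, the entry must carry "username", and a user without
# a role falls back to the handler's default role; with no default role the
# login must fail cleanly instead of dying on an undefined attribute.
from typing import Dict, List, Optional, Tuple

class LoginError(Exception):
    """Raised when the login must be refused."""

# Constructed stand-in for /home/pkiadm/userdbX509.yaml, keyed by CN.
# A real deployment would load the file with yaml.safe_load().
USERDB: Dict[str, Dict[str, str]] = {
    "Thomas Gusset": {"username": "Thomas Gusset", "role": "RA Operator"},
    "John Doe": {"role": "RA Operator"},   # no "username": login fails
    "Jane Roe": {"username": "Jane Roe"},  # no "role": default role applies
}

def resolve_login(cn: str, userdb: Dict[str, Dict[str, str]],
                  default_role: Optional[str]) -> Tuple[str, str]:
    """Return (username, role) for a certificate CN or raise LoginError."""
    entry = userdb.get(cn)
    if entry is None:
        raise LoginError(f"no user database entry for CN {cn!r}")
    username = entry.get("username")
    if not username:
        raise LoginError(f"entry for CN {cn!r} has no 'username' attribute")
    role = entry.get("role") or default_role
    if not role:  # the case the handler crashed on: undef default_role
        raise LoginError(f"no role for {username!r} and no default role set")
    return username, role

def lint_userdb(userdb: Dict[str, Dict[str, str]],
                allowed_roles: List[str]) -> Dict[str, List[str]]:
    """Report, per CN, what would fail or weaken a login before deploying."""
    problems: Dict[str, List[str]] = {}
    for cn, entry in userdb.items():
        issues = []
        if not entry.get("username"):
            issues.append("missing username")
        if not entry.get("role"):
            issues.append("missing role (default role applies)")
        elif entry["role"] not in allowed_roles:
            issues.append(f"unknown role {entry['role']!r}")
        if issues:
            problems[cn] = issues
    return problems
```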
