Hi Oli
Thanks a lot
I changed the handler to:
  Certificate:
    type: ClientX509
    user@: connector:auth.connector.userdbX509
    role: User
    arg: CN
    trust_anchor:
      realm: ivoc-test
Now I can log in again, but the role is "User" (and not "RA Operator"
as defined in /home/pkiadm/userdbX509.yaml).
Best Regards
Thomas
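As an added example (not OpenXPKI code, and not from anyone in this thread): a small Python lint for the X509 user database that checks the two things this thread turned on, namely that every CN entry carries "username" and that every user ends up with a role, either its own or the handler's "role:" default. It parses only the simple two-level shape shown in the thread, so PyYAML is not needed; ALLOWED_ROLES and the sample entries are constructed for the example.

```python
# Constructed stand-in for /home/pkiadm/userdbX509.yaml: first entry complete,
# second lacks "username" (the failure in the thread), third has an unknown role.
SAMPLE_USERDB = """\
Thomas Gusset:
  username: Thomas Gusset
  role: RA Operator
John Doe:
  role: RA Operator
Jane Roe:
  username: Jane Roe
  role: Administrator
"""

ALLOWED_ROLES = {"User", "RA Operator", "CA Operator"}  # assumption for this realm

def parse_userdb(text):
    """Parse the two-level CN -> {key: value} subset of YAML used here."""
    db, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, sep, value = raw.strip().partition(":")
        if not sep:
            raise ValueError(f"not a key/value line: {raw!r}")
        if indent == 0:  # unindented line starts a new certificate subject (CN)
            current = key.strip()
            db[current] = {}
        elif current is not None:
            db[current][key.strip()] = value.strip()
        else:
            raise ValueError(f"indented line before any CN: {raw!r}")
    return db

def lint_userdb(db, allowed_roles=ALLOWED_ROLES, handler_default_role=None):
    """Map each faulty CN to problem codes: no-username (handler needs it),
    no-role (no role here and no "role:" default on the handler), bad-role."""
    problems = {}
    for cn, attrs in db.items():
        codes = []
        if "username" not in attrs:
            codes.append("no-username")
        role = attrs.get("role", handler_default_role)
        if role is None:
            codes.append("no-role")
        elif role not in allowed_roles:
            codes.append("bad-role")
        if codes:
            problems[cn] = codes
    return problems
```

Run it against the real file before restarting the server: a non-empty result means a login for that CN would either fail outright or land on a role you did not intend.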
*From:* Oliver Welter <[email protected]>
*Sent:* Monday, 21 August 2023 13:06
*To:* [email protected]
*Subject:* Re: [OpenXPKI-users] X509 user database
Hi Thomas,
looks like there is a migration bug when no default role is set...
Option 1: keep the "role" parameter to set a default role
Option 2: in OpenXPKI/Server/Authentication/X509.pm, line 145, replace
"$self->default_role();" with "$self->role()" - that should then
assign any user without a role the empty role, which will cause a login
error.
Oli
On 21.08.23 08:38, Thomas Gusset wrote:
Hi Oliver
Thanks for the hint
I changed /home/pkiadm/userdbX509.yaml to
  Thomas Gusset:
    username: Thomas Gusset
    role: RA Operator
But still no success. I see the following log in openxpki.log:
2023/08/21 08:33:57 ERROR
I18N_OPENXPKI_SERVICE_DEFAULT_HANDLE_MESSAGE_FAILED;
__EVAL_ERROR__ => Attribute (default_role) does not pass the type
constraint because: Validation failed for 'Str' with value undef
at accessor OpenXPKI::Server::Authentication::X509::default_role
(defined at
/usr/share/perl5/OpenXPKI/Server/Authentication/X509.pm line 44)
line 11
OpenXPKI::Server::Authentication::X509::default_role('OpenXPKI::Server::Authentication::ClientX509=HASH(0x561529879fe0)')
called at /usr/share/perl5/OpenXPKI/Server/Authentication/X509.pm
line 145
OpenXPKI::Server::Authentication::X509::_validation_result('OpenXPKI::Server::Authentication::ClientX509=HASH(0x561529879fe0)',
'HASH(0x561529b95458)') called at
/usr/share/perl5/OpenXPKI/Server/Authentication/ClientX509.pm line 46
OpenXPKI::Server::Authentication::ClientX509::handleInput('OpenXPKI::Server::Authentication::ClientX509=HASH(0x561529879fe0)',
'HASH(0x561529ac7bb8)') called at
/usr/share/perl5/OpenXPKI/Server/Authentication.pm line 467
OpenXPKI::Server::Authentication::login_step('OpenXPKI::Server::Authentication=HASH(0x561525e186a0)',
'HASH(0x561529ad93d8)') called at
/usr/share/perl5/OpenXPKI/Service/Default.pm line 802
OpenXPKI::Service::Default::__handle_login('OpenXPKI::Service::Default=SCALAR(0x561525f7d5f0)',
'HASH(0x561529ad9570)') called at
/usr/share/perl5/OpenXPKI/Service/Default.pm line 495
OpenXPKI::Service::Default::__handle_GET_X509_LOGIN('OpenXPKI::Service::Default=SCALAR(0x561525f7d5f0)',
'HASH(0x561529ad9570)') called at
/usr/share/perl5/OpenXPKI/Service/Default.pm line 196
eval {...} at /usr/share/perl5/OpenXPKI/Service/Default.pm line 193
OpenXPKI::Service::Default::__handle_message('OpenXPKI::Service::Default=SCALAR(0x561525f7d5f0)',
'HASH(0x5615259e2e18)') called at
/usr/share/perl5/OpenXPKI/Service/Default.pm line 72
eval {...} at /usr/share/perl5/OpenXPKI/Service/Default.pm line 71
OpenXPKI::Service::Default::init('OpenXPKI::Service::Default=SCALAR(0x561525f7d5f0)')
called at /usr/share/perl5/OpenXPKI/Server.pm line 531
OpenXPKI::Server::do_process_request('OpenXPKI::Server=HASH(0x56152204ba48)',
'Net::Server::Proto::UNIX=GLOB(0x5615253041c0)') called at
/usr/share/perl5/OpenXPKI/Server.pm line 391
eval {...} at /usr/share/perl5/OpenXPKI/Server.pm line 390
OpenXPKI::Server::process_request('OpenXPKI::Server=HASH(0x56152204ba48)',
'Net::Server::Proto::UNIX=GLOB(0x5615253041c0)') called at
/usr/share/perl5/Net/Server.pm line 72
Net::Server::run_client_connection('OpenXPKI::Server=HASH(0x56152204ba48)')
called at /usr/share/perl5/Net/Server/Fork.pm line 196
Net::Server::Fork::run_client_connection('OpenXPKI::Server=HASH(0x56152204ba48)')
called at /usr/share/perl5/Net/Server/Fork.pm line 140
Net::Server::Fork::loop('OpenXPKI::Server=HASH(0x56152204ba48)')
called at /usr/share/perl5/Net/Server.pm line 58
Net::Server::run('OpenXPKI::Server=HASH(0x56152204ba48)',
'server_type', 'Fork', 'port',
'/var/openxpki/openxpki.socket|unix', 'alias', 'main',
'background', 1, 'socketfile', '/var/openxpki/openxpki.socket',
'process_owner', 106, 'pid_file', '/run/openxpkid.pid',
'socket_owner', 33, 'process_group', 112, 'proto', 'unix',
'no_client_stdout', 1) called at
/usr/share/perl5/Net/Server/MultiType.pm line 78
Net::Server::MultiType::run('OpenXPKI::Server=HASH(0x56152204ba48)',
'server_type', 'Fork', 'port',
'/var/openxpki/openxpki.socket|unix', 'alias', 'main',
'background', 1, 'socketfile', '/var/openxpki/openxpki.socket',
'process_owner', 106, 'pid_file', '/run/openxpkid.pid',
'socket_owner', 33, 'process_group', 112, 'proto', 'unix',
'no_client_stdout', 1) called at
/usr/share/perl5/OpenXPKI/Server.pm line 123
OpenXPKI::Server::start('OpenXPKI::Server=HASH(0x56152204ba48)')
called at /usr/share/perl5/OpenXPKI/Control.pm line 273
eval {...} at /usr/share/perl5/OpenXPKI/Control.pm line 268
OpenXPKI::Control::start('HASH(0x56151fff74b8)') called at
/usr/bin/openxpkictl line 137
, __MESSAGE_NAME__ => GET_X509_LOGIN [pid=37137|sid=/ZBC]
Best Regards
Thomas
*From:* Oliver Welter <[email protected]>
*Sent:* Saturday, 19 August 2023 13:24
*To:* [email protected]
*Subject:* Re: [OpenXPKI-users] X509 user database
Hi Thomas,
I had a quick look at the code and it looks like the docs are
incomplete :)
The user database must return a value for the "username" attribute
so can you please try to add the key "username" into the yaml file
and try again.
best regards
Oliver
On 18.08.23 15:09, Thomas Gusset wrote:
Hi
I am trying to set up GUI authentication with client certificates.
It works fine with this handler:
  Certificate:
    type: ClientX509
    role: User
    trust_anchor:
      realm: <my-realm>
I can authenticate, the username is the CN, the role is User.
Now I would like to have a user database to dynamically assign
roles to users.
Therefore I changed the handler to
  Certificate:
    type: ClientX509
    user@: connector:auth.connector.userdbX509
    arg: CN
    trust_anchor:
      realm: <my-realm>
and added a connector
  userdbX509:
    class: Connector::Proxy::YAML
    LOCATION: /home/pkiadm/userdbX509.yaml
The user database looks like
  John Doe:
    role: RA Operator
where 'John Doe' is the CN of the certificate.
With this configuration I can no longer authenticate: Unknown
error (service default handle message failed)
What’s wrong with my configuration?
Thanks in advance
Thomas
*NetSec.co AG*
Thomas Gusset
CEO & CTO
Im alten Riet 125, 9494 Schaan, Liechtenstein
https://netsec.co
+423 388 2777 / +423 388 2770 (direct)
[email protected]
https://threema.id/NK3MJMNP
Chat on MS Teams: <https://teams.microsoft.com/l/chat/0/[email protected]>
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
--
Protect your environment - close windows and adopt a penguin!