Verbal cond ACK from CFU:
Minor issue taken care of:

commit e5ef4374eae5219a8b5e9a216c1c2ed77fb3e709
Author: Jack Magne <[email protected]>
Date:   Tue Aug 16 16:58:49 2016 -0700

    Authentication Instance Id PinDirEnrollment with authType value as SslclientAuth is not working.

Pushed to master, closing ticket #1578

----- Original Message -----
> From: "John Magne" <[email protected]>
> To: "pki-devel" <[email protected]>
> Sent: Tuesday, August 16, 2016 5:15:49 PM
> Subject: [pki-devel][PATCH] 0080-Authentication-Instance-Id-PinDirEnrollment-with-aut.patch
>
> [PATCH] Authentication Instance Id PinDirEnrollment with authType value as SslclientAuth is not working.
>
> Ticket #1578
>
> The fixing of this problem required the following:
>
> 1. Hook up a java callback that is designed to allow the selection of a candidate client auth cert to be sent to Ldap in the LdapSSLSocket factory object.
>
> Previously we simply manually set the desired client auth cert nickname, which is provided by the console interface when configuring the "removePin" portion of the UidPinDir Authentication method.
>
> Doing it this way has the benefit of giving us some logging to show when the actual client auth cert is being requested by the server. We get to see the list of candidate certs and when we match one of those with the requested cert name, established by the console.
>
> This client auth problem applies ONLY to the connection pool that is used to remove the pin attribute from an external authentication directory.
>
> 2. Previously the code, when setting up client auth for "removePin", would make one single call to create the SSL socket to connect to ldap over client auth. Now, based on some code I saw in the JSS test suite, the socket is constructed in two steps. Doing this causes things to work. Further investigation down the line could figure out what is going on at the lower level.
>
> 3. Was able to test this to work with the reported problem directory server provided by QE. Note: for pin removal to work, we must also make sure that the user we are authenticating to (through client auth) has the power to actually remove the pin attribute from various users.

_______________________________________________
Pki-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/pki-devel
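As an added illustration of the mechanism the quoted message describes (this is example code written for this page, not the 0080 patch, which is not reproduced here, and not Dogtag's own LdapSSLSocket factory), the following shows how a JSS client-certificate selection callback can be wired into an SSL socket used for the "removePin" LDAP bind. It logs the candidate nicknames the server's client-auth request produces, returns the nickname configured through the console when it is among them, and otherwise sends no certificate rather than letting the bind proceed under some other identity. `SSLClientCertificateSelectionCallback`, `SSLSocket`, `setUseClientMode` and `forceHandshake` are JSS API; the class name, the logger, the `configuredNickname` field, passing `null` for the approval callback (which assumes JSS then applies its default NSS certificate verification), and the particular "construct, then force the handshake" split are this example's own assumptions, not the two-step construction the message refers to.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.util.Vector;
import java.util.logging.Logger;

import org.mozilla.jss.ssl.SSLClientCertificateSelectionCallback;
import org.mozilla.jss.ssl.SSLSocket;

/**
 * Hypothetical example class (not Dogtag code): chooses the client-auth
 * certificate for the pin-removal LDAP connection from the candidates NSS
 * presents during the TLS handshake, and logs what was offered and chosen.
 */
public class RemovePinClientCertSelector implements SSLClientCertificateSelectionCallback {

    private static final Logger LOG =
            Logger.getLogger(RemovePinClientCertSelector.class.getName());

    // Nickname configured through the console for the UidPinDir "removePin" connection
    // (assumed configuration value; the real setting name is not part of this example).
    private final String configuredNickname;

    public RemovePinClientCertSelector(String configuredNickname) {
        this.configuredNickname = configuredNickname;
    }

    /**
     * Invoked by JSS when the LDAP server asks for a client certificate.
     * Raw Vector is used because older JSS releases declare the parameter unparameterised.
     */
    @Override
    @SuppressWarnings("rawtypes")
    public String select(Vector nicknames) {
        LOG.info("LDAP server requested client auth; candidate cert nicknames: " + nicknames);
        if (nicknames == null || configuredNickname == null) {
            LOG.warning("No candidates or no configured nickname; sending no client cert");
            return null;
        }
        for (Object candidate : nicknames) {
            if (configuredNickname.equals(candidate)) {
                LOG.info("Selected configured client auth cert: " + configuredNickname);
                return configuredNickname;
            }
        }
        // Fail closed: returning null sends no certificate, so the bind cannot
        // silently succeed (or be audited) under an unintended identity.
        LOG.warning("Configured cert '" + configuredNickname
                + "' is not among the candidates; sending no client cert");
        return null;
    }

    /**
     * Opens the client-auth socket for the pin-removal pool. The handshake is forced
     * here so that a selection failure surfaces at connect time, where it can be
     * logged next to the candidate list, rather than at the first LDAP operation.
     */
    public static SSLSocket connect(String host, int port, String nickname) throws IOException {
        SSLSocket socket = new SSLSocket(host, port, (InetAddress) null, 0,
                null, // assumption: default JSS/NSS server certificate approval
                new RemovePinClientCertSelector(nickname));
        socket.setUseClientMode(true);
        socket.forceHandshake();
        return socket;
    }
}
```

When reviewing logs from a directory server that rejects the pin-removal bind, the two lines this callback emits (the candidate list and the selected nickname, or the warning that nothing matched) tell you whether the server never requested a client certificate, requested one but the configured nickname was absent from the NSS database, or got the right certificate and the failure lies in the directory-side ACI that must grant that identity write access to the pin attribute, as point 3 of the message notes.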
