Re: [Freeipa-users] user certificate ldap EXTERNAL authentication

2016-03-07 Thread Sumit Bose
On Mon, Mar 07, 2016 at 09:58:20AM +0100, Natxo Asenjo wrote:
> On Mon, Mar 7, 2016 at 9:14 AM, Martin Kosek wrote:
> 
> > On 03/05/2016 06:00 AM, Rob Crittenden wrote:
> > > Natxo Asenjo wrote:
> > >>
> > >> By the way, revoking the certificate does not block applications using
> > >> it from ldap.
> > >>
> > >> I can still access the ldap server using this cert/key pair *after*
> > >> revoking the certificate using ipa cert-revoke . In order to
> > >> block it I need to remove the seeAlso value of the user account, or the
> > >> certificate attribute.
> > >>
> > >> I do not know if this is a security issue, but maybe worthwhile
> > >> documenting just in case.
> > >
> > > SSL/TLS servers don't automatically check for cert revocation. You need
> > > to add the CRL to the 389-ds NSS database periodically. I don't know for
> > > sure but I don't think 389-ds can use OCSP to validate incoming client
> > > certs. There is an IPA ticket in the backlog to investigate this for the
> > > web and ldap servers: https://fedorahosted.org/freeipa/ticket/3542
> > >
> > > And yeah, as you discovered, managing the value of CmapLdapAttr is a
> > > poor man's revocation.
> >
> > I saved Natxo's contributed article here:
> >
> > http://www.freeipa.org/page/Howto/Client_Certificate_Authentication_with_LDAP
> > for now.
> >
> 
> 
> Thanks!
> 
> 
> > My take on this is that it probably works, but I am curious actually what
> > problem you are solving. Are you interested only in allowing Certificate
> > authentication with FreeIPA LDAP or rather in allowing certificate
> > authentication in your application, whatever the means?
> >
> 
> both :-). Having name/password combinations in application settings is less
> desirable than having certificate/key paths. I know both accomplish the
> same thing (authenticate to the directory), but having certificates is less
> controversial (no need for third parties to know *that* password that is
> probably being used somewhere else as well, for instance). Having a simple
> way to 'revoke' the access is nice as well.
> 
> 
> 
> > If this is the case, would leveraging SSSD Smart Card/certificate
> > authentication help? At minimum, it can look up users by certificate:
> >
> > https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate
> >
> > By leveraging SSSD, you should be able to avoid manual user mapping in

Yes, but as you can see on the page SSSD currently requires that the whole
certificate is stored in the IPA user entry. But if your applications are
web-based, mod_lookup_identity might be what you are looking for:
http://www.adelton.com/apache/mod_lookup_identity/ .

> > FreeIPA LDAP. I am not sure though how the revocation would work. CCing
> > Sumit on this one.

SSSD itself can use OCSP or CRLs added to the system's NSS database
/etc/pki/nss when the authentication is run through SSSD, which means
that SSSD must have access to the Smartcard. For other applications like
e.g. apache, revocation must be configured in the application because
currently SSSD only checks if a certificate is valid during
authentication but not when the user is looked up by a certificate,
because this check might delay the user lookup considerably.
Additionally, e.g. in the apache use case, the user lookup only happens
after the whole TLS/SSL handshake is finished and authentication is
successful, but authentication should only be successful if the
certificate is valid.

bye,
Sumit

> 
> 
> Interesting, I did not know about this possibility of sssd. I need to read
> it through, it might address our needs. Thanks for pointing me to it.
> 
> What in my opinion would be really interesting would be to have something
> similar to the submission port on smtp servers. A different instance of the
> directory where only some kinds of authentication are possible.
> 
> Right now when using port 389 I can choose between a combination of SASL
> mechanisms, and if in dse.ldif anonymous auth and minssf are modified, then
> I can force the usage of secure protocols. What I would like is to have a
> way to disable password authentication mechanisms on an ldap port, while
> keeping it enabled on the other. So we could close one port to the outside
> world, and keep it open on the LAN, for instance.
> 
> Is this even possible?
> 
> --
> Groeten,
> natxo


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] user certificate ldap EXTERNAL authentication

2016-03-07 Thread Natxo Asenjo
On Mon, Mar 7, 2016 at 9:14 AM, Martin Kosek wrote:

> On 03/05/2016 06:00 AM, Rob Crittenden wrote:
> > Natxo Asenjo wrote:
> >>
> >> By the way, revoking the certificate does not block applications using
> >> it from ldap.
> >>
> >> I can still access the ldap server using this cert/key pair *after*
> >> revoking the certificate using ipa cert-revoke . In order to
> >> block it I need to remove the seeAlso value of the user account, or the
> >> certificate attribute.
> >>
> >> I do not know if this is a security issue, but maybe worthwhile
> >> documenting just in case.
> >
> > SSL/TLS servers don't automatically check for cert revocation. You need
> > to add the CRL to the 389-ds NSS database periodically. I don't know for
> > sure but I don't think 389-ds can use OCSP to validate incoming client
> > certs. There is an IPA ticket in the backlog to investigate this for the
> > web and ldap servers: https://fedorahosted.org/freeipa/ticket/3542
> >
> > And yeah, as you discovered, managing the value of CmapLdapAttr is a
> > poor man's revocation.
>
> I saved Natxo's contributed article here:
>
> http://www.freeipa.org/page/Howto/Client_Certificate_Authentication_with_LDAP
> for now.
>


Thanks!


> My take on this is that it probably works, but I am curious actually what
> problem you are solving. Are you interested only in allowing Certificate
> authentication with FreeIPA LDAP or rather in allowing certificate
> authentication in your application, whatever the means?
>

both :-). Having name/password combinations in application settings is less
desirable than having certificate/key paths. I know both accomplish the
same thing (authenticate to the directory), but having certificates is less
controversial (no need for third parties to know *that* password that is
probably being used somewhere else as well, for instance). Having a simple
way to 'revoke' the access is nice as well.



> If this is the case, would leveraging SSSD Smart Card/certificate
> authentication help? At minimum, it can look up users by certificate:
>
> https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate
>
> By leveraging SSSD, you should be able to avoid manual user mapping in
> FreeIPA LDAP. I am not sure though how the revocation would work. CCing
> Sumit on this one.


Interesting, I did not know about this possibility of sssd. I need to read
it through, it might address our needs. Thanks for pointing me to it.

What in my opinion would be really interesting would be to have something
similar to the submission port on smtp servers. A different instance of the
directory where only some kinds of authentication are possible.

Right now when using port 389 I can choose between a combination of SASL
mechanisms, and if in dse.ldif anonymous auth and minssf are modified, then
I can force the usage of secure protocols. What I would like is to have a
way to disable password authentication mechanisms on an ldap port, while
keeping it enabled on the other. So we could close one port to the outside
world, and keep it open on the LAN, for instance.

Is this even possible?

--
Groeten,
natxo

Re: [Freeipa-users] user certificate ldap EXTERNAL authentication

2016-03-07 Thread Martin Kosek
On 03/05/2016 06:00 AM, Rob Crittenden wrote:
> Natxo Asenjo wrote:
>>
>> By the way, revoking the certificate does not block applications using
>> it from ldap.
>>
>> I can still access the ldap server using this cert/key pair *after*
>> revoking the certificate using ipa cert-revoke . In order to
>> block it I need to remove the seeAlso value of the user account, or the
>> certificate attribute.
>>
>> I do not know if this is a security issue, but maybe worthwhile
>> documenting just in case.
> 
> SSL/TLS servers don't automatically check for cert revocation. You need
> to add the CRL to the 389-ds NSS database periodically. I don't know for
> sure but I don't think 389-ds can use OCSP to validate incoming client
> certs. There is an IPA ticket in the backlog to investigate this for the
> web and ldap servers: https://fedorahosted.org/freeipa/ticket/3542
> 
> And yeah, as you discovered, managing the value of CmapLdapAttr is a
> poor man's revocation.

I saved Natxo's contributed article here:
http://www.freeipa.org/page/Howto/Client_Certificate_Authentication_with_LDAP
for now.

My take on this is that it probably works, but I am curious actually what
problem you are solving. Are you interested only in allowing Certificate
authentication with FreeIPA LDAP or rather in allowing certificate
authentication in your application, whatever the means?

If this is the case, would leveraging SSSD Smart Card/certificate
authentication help? At minimum, it can look up users by certificate:

https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate

By leveraging SSSD, you should be able to avoid manual user mapping in
FreeIPA LDAP. I am not sure though how the revocation would work. CCing Sumit
on this one.

Martin



Re: [Freeipa-users] user certificate ldap EXTERNAL authentication

2016-03-06 Thread Martin Kosek
On 03/05/2016 12:08 AM, Natxo Asenjo wrote:
> On Fri, Mar 4, 2016 at 11:00 PM, Simo Sorce wrote:
> 
>> On Fri, 2016-03-04 at 14:34 -0500, Rob Crittenden wrote:
>>> Natxo Asenjo wrote:
>>
>>>> when I go to http://www.freeipa.org/page/Special:OpenIDLogin to login
>>>> with the fedora account I get
>>>>
>>>>
>>>>   OpenID error
>>>>
>>>> An error occurred: an invalid token was found.
>>>>
>>>> Return to Main Page.
>>>>
>>>>
>>>> So, sorry, I cannot edit or contribute to the wiki. I will write
>>>> something down in my own wiki and post the link here, search engines
>>>> will index these mailing list posts as well, so this knowledge will not
>>>> get lost.
>>>
>>> It's not just you. I can't login either. I think Martin will need to
>>> poke at this on Monday.
>>
>> I tried this just now and it worked, maybe there was an issue that has
>> since resolved itself ?
>>
> 
> no, same error.
> 
> Oh well, I have this howto, just copy-paste it from my mediawiki (public
> domain):
> 
> https://asenjo.nl/wiki/index.php/Client_certificate_authentication_ipa

I checked and I was also able to log in. I suspect it is a problem with your
browser then, maybe testing it with a clear session would help.



Re: [Freeipa-users] user certificate ldap EXTERNAL authentication

2016-03-04 Thread Rob Crittenden
Natxo Asenjo wrote:
> 
> By the way, revoking the certificate does not block applications using
> it from ldap.
> 
> I can still access the ldap server using this cert/key pair *after*
> revoking the certificate using ipa cert-revoke . In order to
> block it I need to remove the seeAlso value of the user account, or the
> certificate attribute.
> 
> I do not know if this is a security issue, but maybe worthwhile
> documenting just in case.

SSL/TLS servers don't automatically check for cert revocation. You need
to add the CRL to the 389-ds NSS database periodically. I don't know for
sure but I don't think 389-ds can use OCSP to validate incoming client
certs. There is an IPA ticket in the backlog to investigate this for the
web and ldap servers: https://fedorahosted.org/freeipa/ticket/3542

And yeah, as you discovered, managing the value of CmapLdapAttr is a
poor man's revocation.

rob



Re: [Freeipa-users] user certificate ldap EXTERNAL authentication

2016-03-04 Thread Natxo Asenjo
By the way, revoking the certificate does not block applications using it
from ldap.

I can still access the ldap server using this cert/key pair *after*
revoking the certificate using ipa cert-revoke . In order to
block it I need to remove the seeAlso value of the user account, or the
certificate attribute.

I do not know if this is a security issue, but maybe worthwhile documenting
just in case.

Re: [Freeipa-users] user certificate ldap EXTERNAL authentication

2016-03-04 Thread Natxo Asenjo
On Fri, Mar 4, 2016 at 11:00 PM, Simo Sorce wrote:

> On Fri, 2016-03-04 at 14:34 -0500, Rob Crittenden wrote:
> > Natxo Asenjo wrote:
>
> > > when I go to http://www.freeipa.org/page/Special:OpenIDLogin to login
> > > with the fedora account I get
> > >
> > >
> > >   OpenID error
> > >
> > > An error occurred: an invalid token was found.
> > >
> > > Return to Main Page.
> > >
> > >
> > > So, sorry, I cannot edit or contribute to the wiki. I will write
> > > something down in my own wiki and post the link here, search engines
> > > will index these mailing list posts as well, so this knowledge will not
> > > get lost.
> >
> > It's not just you. I can't login either. I think Martin will need to
> > poke at this on Monday.
>
> I tried this just now and it worked, maybe there was an issue that has
> since resolved itself ?
>

no, same error.

Oh well, I have this howto, just copy-paste it from my mediawiki (public
domain):

https://asenjo.nl/wiki/index.php/Client_certificate_authentication_ipa

--
Groeten,
natxo

Re: [Freeipa-users] user certificate ldap EXTERNAL authentication

2016-03-04 Thread Simo Sorce
On Fri, 2016-03-04 at 14:34 -0500, Rob Crittenden wrote:
> Natxo Asenjo wrote:
> > 
> > 
> > On Fri, Mar 4, 2016 at 4:58 PM, Natxo Asenjo wrote:
> > 
> > 
> > 
> > On Fri, Mar 4, 2016 at 3:43 PM, Rob Crittenden wrote:
> > 
> > Ah right. Because all the subjects have the same base, the same
> > map will
> > be used for both DS and the CA.
> > 
> > Any chance you could write up a HOWTO on this?
> > 
> > 
> > Gladly, but I seem unable to login using my recently created fedora
> > account. I will try later in the evening again.
> > 
> > 
> > when I go to http://www.freeipa.org/page/Special:OpenIDLogin to login
> > with the fedora account I get
> > 
> > 
> >   OpenID error
> > 
> > An error occurred: an invalid token was found.
> > 
> > Return to Main Page.
> > 
> > 
> > So, sorry, I cannot edit or contribute to the wiki. I will write
> > something down in my own wiki and post the link here, search engines
> > will index these mailing list posts as well, so this knowledge will not
> > get lost.
> 
> It's not just you. I can't login either. I think Martin will need to
> poke at this on Monday.

I tried this just now and it worked, maybe there was an issue that has
since resolved itself ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] user certificate ldap EXTERNAL authentication

2016-03-04 Thread Rob Crittenden
Natxo Asenjo wrote:
> 
> 
> On Fri, Mar 4, 2016 at 4:58 PM, Natxo Asenjo wrote:
> 
> 
> 
> On Fri, Mar 4, 2016 at 3:43 PM, Rob Crittenden wrote:
> 
> Ah right. Because all the subjects have the same base, the same
> map will
> be used for both DS and the CA.
> 
> Any chance you could write up a HOWTO on this?
> 
> 
> Gladly, but I seem unable to login using my recently created fedora
> account. I will try later in the evening again.
> 
> 
> when I go to http://www.freeipa.org/page/Special:OpenIDLogin to login
> with the fedora account I get
> 
> 
>   OpenID error
> 
> An error occurred: an invalid token was found.
> 
> Return to Main Page.
> 
> 
> So, sorry, I cannot edit or contribute to the wiki. I will write
> something down in my own wiki and post the link here, search engines
> will index these mailing list posts as well, so this knowledge will not
> get lost.

It's not just you. I can't login either. I think Martin will need to
poke at this on Monday.

rob



Re: [Freeipa-users] user certificate ldap EXTERNAL authentication

2016-03-04 Thread Natxo Asenjo
On Fri, Mar 4, 2016 at 4:58 PM, Natxo Asenjo wrote:

>
>
> On Fri, Mar 4, 2016 at 3:43 PM, Rob Crittenden wrote:
>
>> Ah right. Because all the subjects have the same base, the same map will
>> be used for both DS and the CA.
>>
>> Any chance you could write up a HOWTO on this?
>
>
> Gladly, but I seem unable to login using my recently created fedora
> account. I will try later in the evening again.
>
>
when I go to http://www.freeipa.org/page/Special:OpenIDLogin to login with
the fedora account I get

OpenID error

An error occurred: an invalid token was found.

Return to Main Page.


So, sorry, I cannot edit or contribute to the wiki. I will write something
down in my own wiki and post the link here, search engines will index these
mailing list posts as well, so this knowledge will not get lost.


-- 

regards,

natxo

-- 
--
Groeten,
natxo

Re: [Freeipa-users] user certificate ldap EXTERNAL authentication

2016-03-04 Thread Natxo Asenjo
On Fri, Mar 4, 2016 at 3:43 PM, Rob Crittenden wrote:

> Ah right. Because all the subjects have the same base, the same map will
> be used for both DS and the CA.
>
> Any chance you could write up a HOWTO on this?


Gladly, but I seem unable to login using my recently created fedora
account. I will try later in the evening again.

--
Groeten,
natxo

Re: [Freeipa-users] user certificate ldap EXTERNAL authentication

2016-03-04 Thread Rob Crittenden
Natxo Asenjo wrote:
> hi,
> 
> 
> On Thu, Mar 3, 2016 at 10:57 PM, Rob Crittenden wrote:
> 
> Natxo Asenjo wrote:
> 
> 
> 
> > Using EXTERNAL, no cookie:
> > $ ldapsearch -h kdc.sub.domain.tld -ZZ -Y EXTERNAL -LLL
> > objectclass=person -s sub -b dc=sub,dc=domain,dc=tld cn
> > SASL/EXTERNAL authentication started
> > ldap_sasl_interactive_bind_s: Invalid credentials (49)
> > additional info: client certificate mapping failed
> >
> > I came across this page in the 389 wiki:
> >
> >
> http://directory.fedoraproject.org/docs/389ds/howto/howto-certmapping.html
> >
> > But I am not really sure how to accomplish this.
> >
> > Is this possible in freeipa?
> 
> I don't see why not. You just need to be able to map the subject of the
> cert to a single entry. That's what certmap.conf attempts to do.
> 
> 
> 
> ok, I got it working but it took some effort.
> 
> Let's see, in certmap.conf the config is like this out of the box:
> 
> certmap default         default
> #default:DNComps
> #default:FilterComps    e, uid
> #default:verifycert     on
> #default:CmapLdapAttr   certSubjectDN
> #default:library
> #default:InitFn
> default:DNComps
> default:FilterComps     uid
> certmap ipaca           CN=Certificate Authority,O=SUB.DOMAIN.TLD
> ipaca:CmapLdapAttr      seeAlso
> ipaca:verifycert        on
> 
> So, there is an additional mapping for ipaca, which is handy. But the
> CmapLdapAttr points to 'seeAlso', and if you change that to
> usercertificate;binary (where the usercertificates are), the tomcat pki
> service will no longer start because
> 
> DN: uid=pkidbuser,ou=people,o=ipaca
> 
> has this seealso attribute: CN=CA Subsystem,O=SUB.DOMAIN.TLD
> 
> so we cannot change the cmapldapattr to something else, but we can add a
> seealso attribute to the user account, like cn=username,o=SUB.DOMAIN.TLD
> . And then it works.

Ah right. Because all the subjects have the same base, the same map will
be used for both DS and the CA.

Any chance you could write up a HOWTO on this?

rob



Re: [Freeipa-users] user certificate ldap EXTERNAL authentication

2016-03-04 Thread Natxo Asenjo
hi,


On Thu, Mar 3, 2016 at 10:57 PM, Rob Crittenden wrote:

> Natxo Asenjo wrote:
>


> > Using EXTERNAL, no cookie:
> > $ ldapsearch -h kdc.sub.domain.tld -ZZ -Y EXTERNAL -LLL
> > objectclass=person -s sub -b dc=sub,dc=domain,dc=tld cn
> > SASL/EXTERNAL authentication started
> > ldap_sasl_interactive_bind_s: Invalid credentials (49)
> > additional info: client certificate mapping failed
> >
> > I came across this page in the 389 wiki:
> >
> >
> http://directory.fedoraproject.org/docs/389ds/howto/howto-certmapping.html
> >
> > But I am not really sure how to accomplish this.
> >
> > Is this possible in freeipa?
>
> I don't see why not. You just need to be able to map the subject of the
> cert to a single entry. That's what certmap.conf attempts to do.
>
>

ok, I got it working but it took some effort.

Let's see, in certmap.conf the config is like this out of the box:

certmap default         default
#default:DNComps
#default:FilterComps    e, uid
#default:verifycert     on
#default:CmapLdapAttr   certSubjectDN
#default:library
#default:InitFn
default:DNComps
default:FilterComps     uid
certmap ipaca           CN=Certificate Authority,O=SUB.DOMAIN.TLD
ipaca:CmapLdapAttr      seeAlso
ipaca:verifycert        on

So, there is an additional mapping for ipaca, which is handy. But the
CmapLdapAttr points to 'seeAlso', and if you change that to
usercertificate;binary (where the usercertificates are), the tomcat pki
service will no longer start because

DN: uid=pkidbuser,ou=people,o=ipaca

has this seealso attribute: CN=CA Subsystem,O=SUB.DOMAIN.TLD

so we cannot change the cmapldapattr to something else, but we can add a
seealso attribute to the user account, like cn=username,o=SUB.DOMAIN.TLD .
And then it works.

This could be very handy for web applications.

Nice. Thanks for the pointer.

Regards,
Natxo
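The certmap lookup Natxo worked out above, together with Rob's "poor man's revocation" remark and Natxo's observation that ipa cert-revoke alone does not block the bind, as an added example that is not 389-ds, FreeIPA or the thread's own code: a small Python model of how the posted certmap.conf maps a client certificate to one LDAP entry and why clearing the seeAlso value (or the stored usercertificate, with verifycert on) blocks it. The DNs, directory entries and DER bytes are constructed sample data, and the lookup order (CmapLdapAttr first, then FilterComps, exactly one hit, then verifycert against usercertificate) is an assumption taken from the 389-ds certmap documentation.

```python
# Added illustration, not 389-ds or FreeIPA code: models how the certmap.conf
# quoted in this thread turns a client certificate into one LDAP entry, and why
# clearing seeAlso acts as a "poor man's revocation". Entries, DNs and DER bytes
# are constructed; the lookup order is assumed from the 389-ds certmap docs.

def dn_components(dn):
    """Split 'CN=user10,O=SUB.DOMAIN.TLD' into [('cn', 'user10'), ('o', ...)]."""
    comps = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        comps.append((attr.strip().lower(), value.strip()))
    return comps

def norm_dn(dn):
    """Comparison key for DN-syntax values (types and values compared
    case-insensitively, as a distinguishedNameMatch would)."""
    return tuple((a, v.lower()) for a, v in dn_components(dn))

# Mapping parameters taken from the certmap.conf posted in the thread.
CERTMAP = {
    "default": {"FilterComps": ["uid"], "CmapLdapAttr": None, "verifycert": False},
    "CN=Certificate Authority,O=SUB.DOMAIN.TLD": {
        "FilterComps": [], "CmapLdapAttr": "seeAlso", "verifycert": True},
}

def matches(entry, attr, value):
    """True if the entry holds `value` in `attr`; seeAlso uses DN syntax."""
    values = entry.get(attr, [])
    if attr == "seeAlso":
        return any(norm_dn(v) == norm_dn(value) for v in values)
    return any(v.lower() == value.lower() for v in values)

def resolve_entry(cert, directory, certmap=CERTMAP):
    """Return the DN the certificate maps to, or None when mapping fails
    (the 'client certificate mapping failed' error seen in the thread)."""
    params = certmap.get(cert["issuer"], certmap["default"])
    hits = []
    if params["CmapLdapAttr"]:   # search (CmapLdapAttr=<subject DN>) first
        hits = [e for e in directory
                if matches(e, params["CmapLdapAttr"], cert["subject"])]
    if not hits and params["FilterComps"]:   # else filter built from the subject
        subject = dict(dn_components(cert["subject"]))
        if all(c in subject for c in params["FilterComps"]):
            hits = [e for e in directory
                    if all(matches(e, c, subject[c]) for c in params["FilterComps"])]
    if len(hits) != 1:   # no entry, or more than one: mapping must be unique
        return None
    entry = hits[0]
    if params["verifycert"] and cert["der"] not in entry.get("usercertificate", []):
        return None      # presented cert is not the one stored with the user
    return entry["dn"]

def demo():
    """Walk through the steps reported in the thread; returns each outcome."""
    der = b"\x30\x82constructed-der-for-user10"   # stands in for the real DER
    user = {"dn": "uid=user10,cn=users,cn=accounts,dc=sub,dc=domain,dc=tld",
            "uid": ["user10"], "seeAlso": [], "usercertificate": [der]}
    directory = [user]
    # The ldapsearch client cert: issued by the IPA CA, subject /O=.../CN=user10
    cert = {"issuer": "CN=Certificate Authority,O=SUB.DOMAIN.TLD",
            "subject": "CN=user10,O=SUB.DOMAIN.TLD", "der": der}
    out = {}
    out["no_seeAlso"] = resolve_entry(cert, directory)        # None: mapping failed
    user["seeAlso"].append("cn=user10,o=SUB.DOMAIN.TLD")      # the fix from the howto
    out["with_seeAlso"] = resolve_entry(cert, directory)      # the user's DN
    # 'ipa cert-revoke' changes the CA's records, not this entry, so without a
    # CRL in the DS NSS database the mapping still succeeds.
    out["after_revoke"] = resolve_entry(cert, directory)
    user["seeAlso"].clear()                                   # poor man's revocation
    out["seeAlso_removed"] = resolve_entry(cert, directory)   # None
    user["seeAlso"].append("cn=user10,o=SUB.DOMAIN.TLD")
    user["usercertificate"].clear()                           # verifycert now fails
    out["usercertificate_removed"] = resolve_entry(cert, directory)
    return out

if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step:24s} -> {result}")
```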

Re: [Freeipa-users] user certificate ldap EXTERNAL authentication

2016-03-03 Thread Rob Crittenden
Natxo Asenjo wrote:
> hi,
> 
> I am testing certificate authentication to ipa ldap ( centos 7.2 ).
> 
> I have generated a user certificate following the instructions on
> https://blog-ftweedal.rhcloud.com/2015/08/user-certificates-and-custom-profiles-with-freeipa-4-2/
> 
> After that I modified my $HOME/.ldaprc with these settings:
> 
> TLS_CERT /path/to/user10.pem
> TLS_KEY /path/to/user10.key
> 
> The certificate has this subject:
> $ openssl x509 -in user10.pem -subject -noout
> subject= /O=SUB.DOMAIN.TLD/CN=user10
> 
> Then I try ldapsearch:
> 
> using GSSAPI, ldapsearch works fine:
> ldapsearch -h kdc1.sub.domain.tld -ZZ -Y GSSAPI objectclass=person -s
> sub -b dc=sub,dc=domain,dc=tld cn
> 
> 
> # search result
> search: 5
> result: 0 Success
> 
> # numResponses: 1002
> # numEntries: 1001
> 
> Using EXTERNAL, no cookie:
> $ ldapsearch -h kdc.sub.domain.tld -ZZ -Y EXTERNAL -LLL
> objectclass=person -s sub -b dc=sub,dc=domain,dc=tld cn
> SASL/EXTERNAL authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
> additional info: client certificate mapping failed
> 
> I came across this page in the 389 wiki:
> 
> http://directory.fedoraproject.org/docs/389ds/howto/howto-certmapping.html
> 
> But I am not really sure how to accomplish this.
> 
> Is this possible in freeipa?

I don't see why not. You just need to be able to map the subject of the
cert to a single entry. That's what certmap.conf attempts to do.

Given that the certificate is stored with the user you can probably even
set verifycert to on (this compares the cert in LDAP to the one
presented, it is a poor-man's CRL).

I haven't used certmap.conf in longer than I'd like to admit and it was
usually a pain to set up. It looks like the 389-ds docs are far better
than anything I used in the past so I think it may be fairly easy. Let
the 389-ds access log be your guide to getting the filter and dn comps
right.

rob
