[SSSD-users] SSSD conf - ldap_default_authtok and ldap_backup_uri

2023-03-13 Thread Hristina Marosevic
Hello, Since I can not find relevant information on web about this I would like to ask you about my current issue. In my SSSD configuration I have two LDAP URIs, one defined as value of ldap_uri and other defined as value of ldap_backup_uri. These LDAP instances have different password and

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-30 Thread Hristina Marosevic
Hello, Okay. That concludes all of the test cases as successful. Thank you for your support once again! BR, Hristina ___ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-30 Thread Hristina Marosevic
Hello, I successfully added the CRL list into nssdb. CRL list is in DER format. So, I tested the last scenario, which was validation of the revoked user certificate used for authentication using offline CRL list instead of using OCSP. So, just giving info about this: In the [sssd] section of

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-26 Thread Hristina Marosevic
> On Wed, Mar 25, 2020 at 10:49:55AM -0000, Hristina Marosevic wrote: > > Hi, > > glad to hear it is working now. Thanks for your patience. > > bye, > Sumit Hello, As I was planning, I tried to login with an expired certificate and the authentication failed with er

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-25 Thread Hristina Marosevic
> On Tue, Mar 24, 2020 at 02:20:17PM -0000, Hristina Marosevic wrote: > > Hi, > > did you change the 'ca_db' option in sssd.conf? It looks like a wrong > path '/home/oracle' is used for the NSS database. > > bye, > Sumit Hello, It was an old configuration - th

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-24 Thread Hristina Marosevic
> On Tue, Mar 24, 2020 at 02:20:17PM -0000, Hristina Marosevic wrote: > > Hi, > > please try to add them with > > certutil -A -n "CA cert nickname" -t CT,C,C -i /path/to/CA_cert_file -d > /etc/pki/nssdb > > (please note the additional 'T' for

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-24 Thread Hristina Marosevic
> On Wed, Mar 18, 2020 at 10:42:52AM -0000, Hristina Marosevic wrote: > > Hi, > > can you send the output of > > ls -al /etc/pki/nssdb > > and > > certutil -L -d /etc/pki/nssdb -h all > > bye, > Sumit Hello Sumit, Somehow, today I di

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-18 Thread Hristina Marosevic
> On Tue, Mar 17, 2020 at 02:17:06PM -0000, Hristina Marosevic wrote: > > Hi, > > about 'certificate_verification = no_verification', there is an issue > which was fixed by > https://pagure.io/SSSD/sssd/c/31ebf912d6426aea446b2bdae919d4e33b0c95be > but the fix is not in

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-17 Thread Hristina Marosevic
> On Tue, Mar 17, 2020 at 11:17:34AM -0000, Hristina Marosevic wrote: > > > Hi, > > I'm sorry, I haven't read one of your earlier emails carefully enough, > please do not use "certificate_verification = no_ocsp, no_verification" > but only > > ce

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-17 Thread Hristina Marosevic
> On Thu, Mar 12, 2020 at 4:52 PM Sumit Bose > log file > and the records > were actually stored in parent process log. > > Fixed in commit 30d0ccd49 Hello Tomas, Can you please send me link of the commit? About the parent p11 log file - I am not sure, which log process is the parent

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-17 Thread Hristina Marosevic
> On Thu, Mar 12, 2020 at 03:13:57PM -0000, Hristina Marosevic wrote: > > Hi, > > the file should be in the SSSD log directory, so typically > /var/log/sssd/p11_child.log. > > Since it does not exist, p11_child was not called to validate the > certificates

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-12 Thread Hristina Marosevic
> On Fri, Mar 06, 2020 at 12:44:35PM -0000, Hristina Marosevic wrote: > > Hi, > > no [pam] is not needed for your use case, access via ssh. > > > This command looks for certificates from a Smartcard connected to the > local system. However p11_child is used t

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-09 Thread Hristina Marosevic
> On Fri, Mar 06, 2020 at 08:09:59AM -0000, Hristina Marosevic wrote: > > Hi, > > this looks like some progress. Please check p11_child.log which might > contain detail why SSSD thinks the certificate is not valid. By default > SSSD will check the certificate with the help o

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-06 Thread Hristina Marosevic
Hello, I added: "certificate_verification = no_ocsp, no_verification" in [sssd] part of the sssd configuration and I didn't add the CA certs because the certification validation is disabled, but I am getting the same error "certificate is not valid" in the sssd_ssh.log SSSD version that I am

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-06 Thread Hristina Marosevic
I added the certificate using the ldapmodify option "read from file" and the content for the user certificate retrieved by the ldapsearch on the LDAP server, also the content mapped by SSSD on the sssd client proved that the format of the user certificate was okay. What I get in the

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-06 Thread Hristina Marosevic
I will try this proposal to check if I get the same error when using the binary format. I will let you know. Thank you for your help! BR, Hristina

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-06 Thread Hristina Marosevic
Hello, I got an error message: "Certificate is not valid" So, I am not sure what should this mean? Is it because the trust (path to CA cert) isn't stored in the sssd configuration? Here I have a root CA and an intermediate CA. This can be the only option I can think of, so far because it is

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-05 Thread Hristina Marosevic
Some more info (another proof that sssd does not derive the public key from the user certificate): /usr/bin/sss_ssh_authorizedkeys IIN321 when I am using only userCertificate;binary attribute (with the binary value of the certificate) is not giving any output, while when I am using the

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-05 Thread Hristina Marosevic
I added the content between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- from the base64 user certificate and during authentication in the logs I saw that the user certificate was stored in the user certificate SSSD option but there was no public key derived. This time I deleted

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-05 Thread Hristina Marosevic
So, I am not sure if I should use userCertificate;binary:: MIIGMT.. in the ldif file. Also, should I add the -----BEGIN CERTIFICATE-----/-----END CERTIFICATE----- (now I am adding only the content between these lines as a value of the userCertificate;binary attribute) ? and if yes, should

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-05 Thread Hristina Marosevic
Thank you for the explanation! BR, Hristina

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-04 Thread Hristina Marosevic
Hello, By using ldapmodify command and ldif file as input. # ldif file: dn: uid=321, changetype: modify add: userCertificate;binary userCertificate;binary:

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-04 Thread Hristina Marosevic
> On Wed, Mar 04, 2020 at 07:29:14AM -0000, Hristina Marosevic wrote: > > Hi, > > with 'ldap_user_ssh_public_key = userCertificate' this should work, i.e. > calling 'sss_ssh_authorizedkeys testUser7' should return the ssh key > from above. If there is no output I need th

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-03 Thread Hristina Marosevic
Hello, I forgot to mention the LDAP implementation I am using - it is OUD (Oracle Unified Directory). Object class "strongAuthenticationUser" was added to the users for PKI based authentication. The mandatory attribute of this object class is "userCertificate" or "userCertificate;binary" in

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-03 Thread Hristina Marosevic
Hello, Thank you for information. I can use these options (OCSP URL, trust cert location) once I make SSSD derive public keys from user certificate which is a problem that I can not solve, so far. The default mapping of the user certificate is from userCertificate;binary LDAP attribute to SSSD

[SSSD-users] SSSD and PKI: capability of checking trust/validation/revocation

2020-02-26 Thread Hristina Marosevic
Hello, I am using SSSD with LDAP directory which provides public keys for each user entry to SSSD. I am not sure if it is possible to configure SSSD not just to accept the private key (provided by the user during the login) and authenticate the user from LDAP (where his public key is stored),

[SSSD-users] Re: session management by sssd (when using LDAP as an authentication and authorization server)

2020-02-20 Thread Hristina Marosevic
and here is the /etc/pam.d/system-auth file: (should I find the answer of the question "What does your pam auth for session section look like is sss optional or required?" here?) - I didn't change this file. Can you give me a quick explanation of its function? #%PAM-1.0 # This file is

[SSSD-users] Re: session management by sssd (when using LDAP as an authentication and authorization server)

2020-02-20 Thread Hristina Marosevic
Hello, "Look at your sssd.conf, are you caching?" Yes "What is the time to live?" It should be default, as I didn't change anything (I don't know the default value) "What does your pam auth for session section look like is sss optional or required?" Can you pls tell me where to search for

[SSSD-users] session management by sssd (when using LDAP as an authentication and authorization server)

2020-02-19 Thread Hristina Marosevic
Hello, I installed and configured SSSD with LDAP server OUD (Oracle Unified Directory). Everything works fine so far, except for one thing which I consider as a vulnerability. I just found out that there is a potential security hole which is the old session of a user who lost his