[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-30 Thread Hristina Marosevic
Hello, Okay. That concludes all of the test cases as successful. Thank you for your support once again! BR, Hristina ___ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-30 Thread Sumit Bose
On Mon, Mar 30, 2020 at 02:22:44PM -, Hristina Marosevic wrote: > Hello, > > I successfully added the CRL list into nssdb. CRL list is in DER format. > So, I tested the last scenario, which was validation of the revoked user > certificate used for authentication using offline CRL list

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-30 Thread Hristina Marosevic
Hello, I successfully added the CRL list into nssdb. CRL list is in DER format. So, I tested the last scenario, which was validation of the revoked user certificate used for authentication using offline CRL list instead of using OCSP. So, just giving info about this: In the [sssd] section of

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-26 Thread Sumit Bose
On Thu, Mar 26, 2020 at 08:16:31AM -, Hristina Marosevic wrote: > > On Wed, Mar 25, 2020 at 10:49:55AM -, Hristina Marosevic wrote: > > > > Hi, > > > > glad to hear it is working now. Thanks for your patience. > > > > bye, > > Sumit > > > Hello, > > As I was planning, I tried to

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-26 Thread Hristina Marosevic
> On Wed, Mar 25, 2020 at 10:49:55AM -, Hristina Marosevic wrote: > > Hi, > > glad to hear it is working now. Thanks for your patience. > > bye, > Sumit Hello, As I was planning, I tried to login with an expired certificate and the authentication failed with error: write(2, "(Wed Mar

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-25 Thread Sumit Bose
On Wed, Mar 25, 2020 at 10:49:55AM -, Hristina Marosevic wrote: > > On Tue, Mar 24, 2020 at 02:20:17PM -, Hristina Marosevic wrote: > > > > Hi, > > > > did you change the 'ca_db' option in sssd.conf? It looks like a wrong > > path '/home/oracle' is used for the NSS database. > > > >

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-25 Thread Hristina Marosevic
> On Tue, Mar 24, 2020 at 02:20:17PM -, Hristina Marosevic wrote: > > Hi, > > did you change the 'ca_db' option in sssd.conf? It looks like a wrong > path '/home/oracle' is used for the NSS database. > > bye, > Sumit Hello, It was an old configuration - thank you for noticing! After

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-24 Thread Sumit Bose
On Tue, Mar 24, 2020 at 02:20:17PM -, Hristina Marosevic wrote: > > On Wed, Mar 18, 2020 at 10:42:52AM -, Hristina Marosevic wrote: > > > > Hi, > > > > can you send the output of > > > > ls -al /etc/pki/nssdb > > > > and > > > > certutil -L -d /etc/pki/nssdb -h all > > > >

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-24 Thread Hristina Marosevic
> On Tue, Mar 24, 2020 at 02:20:17PM -, Hristina Marosevic wrote: > > Hi, > > please try to add them with > > certutil -A -n "CA cert nickname" -t CT,C,C -i /path/to/CA_cert_file -d > /etc/pki/nssdb > > (please note the additional 'T' for 'trusted CA for client > authentication') and

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-24 Thread Sumit Bose
On Tue, Mar 24, 2020 at 02:20:17PM -, Hristina Marosevic wrote: > > On Wed, Mar 18, 2020 at 10:42:52AM -, Hristina Marosevic wrote: > > > > Hi, > > > > can you send the output of > > > > ls -al /etc/pki/nssdb > > > > and > > > > certutil -L -d /etc/pki/nssdb -h all > > > >

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-24 Thread Hristina Marosevic
> On Wed, Mar 18, 2020 at 10:42:52AM -, Hristina Marosevic wrote: > > Hi, > > can you send the output of > > ls -al /etc/pki/nssdb > > and > > certutil -L -d /etc/pki/nssdb -h all > > bye, > Sumit Hello Sumit, Somehow, today I didn't get any error when executing certutil

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-19 Thread Sumit Bose
On Wed, Mar 18, 2020 at 10:42:52AM -, Hristina Marosevic wrote: > > On Tue, Mar 17, 2020 at 02:17:06PM -, Hristina Marosevic wrote: > > > > Hi, > > > > about 'certificate_verification = no_verification', there is an issue > > which was fixed by > >

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-18 Thread Hristina Marosevic
> On Tue, Mar 17, 2020 at 02:17:06PM -, Hristina Marosevic wrote: > > Hi, > > about 'certificate_verification = no_verification', there is an issue > which was fixed by > https://pagure.io/SSSD/sssd/c/31ebf912d6426aea446b2bdae919d4e33b0c95be > but the fix is not in the build you are using.

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-17 Thread Sumit Bose
On Tue, Mar 17, 2020 at 02:17:06PM -, Hristina Marosevic wrote: > > On Tue, Mar 17, 2020 at 11:17:34AM -, Hristina Marosevic wrote: > > > > > > Hi, > > > > I'm sorry, I haven't read one of your earlier emails carefully enough, > > please do not use "certificate_verification =

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-17 Thread Hristina Marosevic
> On Tue, Mar 17, 2020 at 11:17:34AM -, Hristina Marosevic wrote: > > > Hi, > > I'm sorry, I haven't read one of your earlier emails carefully enough, > please do not use "certificate_verification = no_ocsp, no_verification" > but only > > certificate_verification = no_verification

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-17 Thread Sumit Bose
On Tue, Mar 17, 2020 at 11:17:34AM -, Hristina Marosevic wrote: > > On Tue, Mar 17, 2020 at 09:41:16AM -, Hristina Marosevic wrote: > > > > > > Hi, > > > > so p11_child is really called but as you said earlier there are no logs. > > > > This might e.g. be a permission issue, please

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-17 Thread Sumit Bose
On Tue, Mar 17, 2020 at 09:41:16AM -, Hristina Marosevic wrote: > > On Thu, Mar 12, 2020 at 03:13:57PM -, Hristina Marosevic wrote: > > > > Hi, > > > > the file should be in the SSSD log directory, so typically > > /var/log/sssd/p11_child.log. > > > > Since it does not exist, p11_child

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-17 Thread Hristina Marosevic
> On Thu, Mar 12, 2020 at 4:52 PM Sumit Bose > log file > and the records > were actually stored in parent process log. > > Fixed in commit 30d0ccd49 Hello Tomas, Can you please send me the link of the commit? About the parent p11 log file - I am not sure which log process is the parent

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-17 Thread Hristina Marosevic
> On Thu, Mar 12, 2020 at 03:13:57PM -, Hristina Marosevic wrote: > > Hi, > > the file should be in the SSSD log directory, so typically > /var/log/sssd/p11_child.log. > > Since it does not exist, p11_child was not called to validate the > certificates. In this case sssd_ssh.log is the

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-13 Thread Tomas Halman
On Thu, Mar 12, 2020 at 4:52 PM Sumit Bose wrote: > Hi, > > the file should be in the SSSD log directory, so typically > /var/log/sssd/p11_child.log. > > Since it does not exist, p11_child was not called to validate the > certificates. In this case sssd_ssh.log is the only source of >

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-12 Thread Sumit Bose
On Thu, Mar 12, 2020 at 03:13:57PM -, Hristina Marosevic wrote: > > On Fri, Mar 06, 2020 at 12:44:35PM -, Hristina Marosevic wrote: > > > > Hi, > > > > no [pam] is not needed for your use case, access via ssh. > > > > > > This command looks for certificates from a Smartcard connected

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-12 Thread Hristina Marosevic
> On Fri, Mar 06, 2020 at 12:44:35PM -, Hristina Marosevic wrote: > > Hi, > > no [pam] is not needed for your use case, access via ssh. > > > This command looks for certificates from a Smartcard connected to the > local system. However p11_child is used to validate the certificates for >

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-12 Thread Sumit Bose
On Fri, Mar 06, 2020 at 12:44:35PM -, Hristina Marosevic wrote: > Hello, > > I added: "certificate_verification = no_ocsp, no_verification" in [sssd] part > of the sssd configuration and I didn't add the CA certs because the > certification validation is disabled, but I am getting the same

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-09 Thread Hristina Marosevic
> On Fri, Mar 06, 2020 at 08:09:59AM -, Hristina Marosevic wrote: > > Hi, > > this looks like some progress. Please check p11_child.log which might > contain detail why SSSD thinks the certificate is not valid. By default > SSSD will check the certificate with the help of the CA certificates

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-06 Thread Hristina Marosevic
Hello, I added: "certificate_verification = no_ocsp, no_verification" in [sssd] part of the sssd configuration and I didn't add the CA certs because the certification validation is disabled, but I am getting the same error "certificate is not valid" in the sssd_ssh.log SSSD version that I am

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-06 Thread Sumit Bose
On Fri, Mar 06, 2020 at 08:09:59AM -, Hristina Marosevic wrote: > Hello, > > I got an error message: "Certificate is not valid" > > So, I am not sure what this should mean? Is it because the trust (path to CA > cert) isn't stored in the sssd configuration? Here I have a root CA and an >

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-06 Thread Hristina Marosevic
I added the certificate using the ldapmodify option "read from file" and the content for the user certificate retrieved by the ldapsearch on the LDAP server, also the content mapped by SSSD on the sssd client proved that the format of the user certificate was okay. What I get in the

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-06 Thread Hristina Marosevic
I will try this proposal to check if I get the same error when using the binary format. I will let you know. Thank you for your help! BR, Hristina

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-06 Thread Hristina Marosevic
Hello, I got an error message: "Certificate is not valid" So, I am not sure what this should mean? Is it because the trust (path to CA cert) isn't stored in the sssd configuration? Here I have a root CA and an intermediate CA. This can be the only option I can think of, so far, because it is

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-05 Thread Sumit Bose
On Thu, Mar 05, 2020 at 02:34:42PM -, Hristina Marosevic wrote: > Some more info (another proof that sssd does not derive the public key from > the user certificate): > /usr/bin/sss_ssh_authorizedkeys IIN321 when I am using only > userCertificate;binary attribute (with the binary

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-05 Thread Sumit Bose
On Thu, Mar 05, 2020 at 02:24:25PM -, Hristina Marosevic wrote: > I added the content between -----BEGIN CERTIFICATE----- and -----END > CERTIFICATE----- from the base64 user certificate and during authentication > in the logs I saw that the user certificate was stored in the user >

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-05 Thread Hristina Marosevic
Some more info (another proof that sssd does not derive the public key from the user certificate): /usr/bin/sss_ssh_authorizedkeys IIN321 when I am using only userCertificate;binary attribute (with the binary value of the certificate) is not giving any output, while when I am using the

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-05 Thread Sumit Bose
On Thu, Mar 05, 2020 at 07:16:45AM -, Hristina Marosevic wrote: > Hello, > > By using ldapmodify command and ldif file as input. > > # ldif file: > dn: uid=321, > changetype: modify > add: userCertificate;binary > userCertificate;binary: >

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-05 Thread Hristina Marosevic
I added the content between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- from the base64 user certificate and during authentication in the logs I saw that the user certificate was stored in the user certificate SSSD option but there was no public key derived. This time I deleted

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-05 Thread Hristina Marosevic
So, I am not sure if I should use userCertificate;binary:: MIIGMT.. in the ldif file. Also, should I add the -----BEGIN CERTIFICATE-----/-----END CERTIFICATE----- lines (now I am adding only the content between these lines as a value of the userCertificate;binary attribute)? And if yes, should

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-05 Thread Hristina Marosevic
Thank you for the explanation! BR, Hristina

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-04 Thread Hristina Marosevic
Hello, By using ldapmodify command and ldif file as input. # ldif file: dn: uid=321, changetype: modify add: userCertificate;binary userCertificate;binary:

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-04 Thread Sumit Bose
On Wed, Mar 04, 2020 at 02:12:30PM -, Hristina Marosevic wrote: > > On Wed, Mar 04, 2020 at 07:29:14AM -, Hristina Marosevic wrote: > > > > Hi, > > > > with 'ldap_user_ssh_public_key = userCertificate' this should work, i.e. > > calling 'sss_ssh_authorizedkeys testUser7' should return

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-04 Thread Hristina Marosevic
> On Wed, Mar 04, 2020 at 07:29:14AM -, Hristina Marosevic wrote: > > Hi, > > with 'ldap_user_ssh_public_key = userCertificate' this should work, i.e. > calling 'sss_ssh_authorizedkeys testUser7' should return the ssh key > from above. If there is no output I need the SSSD ssh and domain

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-04 Thread Sumit Bose
On Wed, Mar 04, 2020 at 07:29:14AM -, Hristina Marosevic wrote: > Hello, > > I forgot to mention the LDAP implementation I am using - it is OUD (Oracle > Unified Directory). Object class "strongAuthenticationUser" was added to the > users for PKI based authentication. The mandatory

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-03 Thread Hristina Marosevic
Hello, I forgot to mention the LDAP implementation I am using - it is OUD (Oracle Unified Directory). Object class "strongAuthenticationUser" was added to the users for PKI-based authentication. The mandatory attribute of this object class is "userCertificate" or "userCertificate;binary" in

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-03 Thread Sumit Bose
On Tue, Mar 03, 2020 at 04:38:16PM -, Hristina Marosevic wrote: > Hello, > > Thank you for the information. I can use these options (OCSP URL, trust cert > location) once I make SSSD derive public keys from the user certificate, which is > a problem that I cannot solve, so far. > The default

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-03 Thread Hristina Marosevic
Hello, Thank you for the information. I can use these options (OCSP URL, trust cert location) once I make SSSD derive public keys from the user certificate, which is a problem that I cannot solve, so far. The default mapping of the user certificate is from userCertificate;binary LDAP attribute to SSSD

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-02-26 Thread James Cassell
On Wed, Feb 26, 2020, at 4:38 AM, Hristina Marosevic wrote: > Hello, > > I am using SSSD with LDAP directory which provides public keys for each > user entry to SSSD. > I am not sure if it is possible to configure SSSD not just to accept > the private key (provided by the user during the

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-02-26 Thread Sumit Bose
On Wed, Feb 26, 2020 at 09:38:21AM -, Hristina Marosevic wrote: > Hello, > > I am using SSSD with LDAP directory which provides public keys for each user > entry to SSSD. > I am not sure if it is possible to configure SSSD not just to accept the > private key (provided by the user during