To summarize the result of the log investigation by Sumit and further tests by me:

sssd 1.16 introduced an LDAP query for a user node with a specific certificate
and uses the certificate as the search filter. This LDAP query is not
RFC-compliant, but OpenLDAP is, so the query fails if an OpenLDAP server is
used as the id provider. It may fail with other RFC-compliant LDAP servers. It
won't fail with 389 Server, as the schema used by this server treats the
userCertificate as a simple octet string.

sssd uses the certificate as an octet string to match, but the correct syntax
of the userCertificate attribute in a user node is defined in RFC 452, and
OpenLDAP delivers a compliant implementation. Here one cannot search for a
certificate by simply giving the octets of the certificate as the
search filter. One has to extract the issuer and serial number of the certificate
and then search by using an RFC-compliant filter: (userCertificate;binary = {
serialNumber 0x...., issuer='CN=..., O=..., ...' }).

I suggest introducing a configuration flag rfc452 (or something) for sssd.conf
which should cause sssd to use an RFC-compliant filter.
_______________________________________________
sssd-users mailing list -- [email protected]
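The issuer-and-serial search the post describes, as an added example that is not sssd's code: a minimal standard-library DER reader pulls serialNumber and issuer out of a certificate and formats the certificateExactMatch assertion for the filter. The assertion syntax `{ serialNumber N, issuer rdnSequence:"DN" }` is my reading of the GSER form in RFC 4523 and should be checked against the server in use, the sample certificate bytes are constructed and stop after the issuer field, and the issuer string is built without RFC 4514 escaping; all three are assumptions.

```python
def der_read(buf, pos=0):
    """Read one definite-length DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long form: 0x80|n, then n length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(body):
    """Split a constructed DER value into its (tag, value) children."""
    items, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        items.append((tag, val))
    return items

def decode_oid(b):
    parts, val = [str(b[0] // 40), str(b[0] % 40)], 0
    for byte in b[1:]:                               # base-128 arcs, high bit = continuation
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            parts.append(str(val)); val = 0
    return ".".join(parts)

OID_NAMES = {"2.5.4.3": "CN", "2.5.4.10": "O", "2.5.4.11": "OU", "2.5.4.6": "C"}

def cert_serial_and_issuer(der_cert):
    _, cert, _ = der_read(der_cert)                  # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs, _ = der_read(cert)
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                         # skip the optional explicit [0] version
        fields = fields[1:]
    serial = int.from_bytes(fields[0][1], "big", signed=True)
    rdns = []                                        # fields[1] is the signature AlgorithmIdentifier
    for _, rdn in der_children(fields[2][1]):        # fields[2] is issuer Name (RDNSequence)
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = der_children(atv)
            name = decode_oid(oid)
            rdns.append(f"{OID_NAMES.get(name, name)}={val.decode()}")  # assumption: no RFC 4514 escaping needed
    return serial, ",".join(reversed(rdns))          # RFC 4514 string form lists RDNs last-first

def certificate_exact_filter(der_cert):
    """Assumed GSER form of the RFC 4523 CertificateExactAssertion as the filter value."""
    serial, issuer = cert_serial_and_issuer(der_cert)
    return f'(userCertificate;binary={{ serialNumber {serial}, issuer rdnSequence:"{issuer}" }})'

# Constructed sample certificate: only the fields up to issuer are present.
def _der(tag, body):
    return bytes([tag, len(body)]) + body            # every TLV in the sample is < 128 bytes

def _atv(oid, value):                                # RDN ::= SET { SEQUENCE { OID, UTF8String } }
    return _der(0x31, _der(0x30, _der(0x06, oid) + _der(0x0C, value.encode())))

SAMPLE_CERT = _der(0x30, _der(0x30,
    _der(0xA0, _der(0x02, b"\x02"))                  # version v3
    + _der(0x02, b"\x1a\x2b\x3c")                    # serialNumber 0x1a2b3c
    + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + b"\x05\x00")  # sha256WithRSA
    + _der(0x30, _atv(b"\x55\x04\x06", "DE") + _atv(b"\x55\x04\x0a", "Example Org")
                 + _atv(b"\x55\x04\x03", "Example CA"))))   # issuer: C=DE, O=Example Org, CN=Example CA
```

Running `certificate_exact_filter(SAMPLE_CERT)` yields the issuer/serial assertion; the raw-octet filter the post says sssd sends would instead carry the whole DER blob as the assertion value.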