Hello,

I am using FreeIPA and I have users who authenticate into our environment using 
their PIV (smartcard) certificates. Everything works great for users who happen 
to be "full" employees, but contractors' certificates never match.  They 
authenticate in two ways:
* Via a call to ipa certmap-match for VPN access.
* Via kinit.

"Full" employees have certificates issued by:
OU=DHS CA4,OU=Certification Authorities,OU=Department of Homeland Security,O=U.S. Government,C=US
Their certificates are issued to, for example:
CN=JOHN J SMITH+UID=0123456789.DHS HQ,OU=People,OU=DHS HQ,OU=Department of Homeland Security,O=U.S. Government,C=US

Contractors have certificates issued by:
OU=DHS CA4,OU=Certification Authorities,OU=Department of Homeland Security,O=U.S. Government,C=US
Their certificates are issued to, for example:
CN=MAX M MUSTERMANN (affiliate)+UID=0123456789.DHS HQ,OU=People,OU=DHS HQ,OU=Department of Homeland Security,O=U.S. Government,C=US

Note the "(affiliate)" that appears in the contractors' certificates.

I have the usual certificate mapping rule:
(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})
I also have a simple matching rule:
<ISSUER>O=U.S. Government

I currently have the following four certificate mapping data entries for each user:
* X509:<I>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,CN=MAX M MUSTERMANN (affiliate)+UID=0123456789.DHS HQ
* X509:<I>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,CN=MAX M MUSTERMANN (affiliate),UID=0123456789.DHS HQ
* X509:<I>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,UID=0123456789.DHS HQ+CN=MAX M MUSTERMANN (affiliate)
* X509:<I>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,UID=0123456789.DHS HQ,CN=MAX M MUSTERMANN (affiliate)

After doing some digging, it looks like sssd is performing this LDAP query:
ldapsearch -b "cn=accounts,dc=staging,dc=cool,dc=cyber,dc=dhs,dc=gov" "(&(ipaCertMapData=X509:<I>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,CN=MAX M MUSTERMANN (affiliate),UID=0123456789.DHS HQ)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))"

This query always fails.  I believe this is because of the parentheses in the 
subject name because if I manually escape the parentheses surrounding 
"affiliate" as seen below, then the ldapsearch command finds the user:

ldapsearch -b "cn=accounts,dc=staging,dc=cool,dc=cyber,dc=dhs,dc=gov" "(&(ipaCertMapData=X509:<I>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,CN=MAX M MUSTERMANN \(affiliate\),UID=0123456789.DHS HQ)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))"

I brought up this issue in the FreeIPA Users mailing list, and they recommended 
that I post it here too since sssd is what is actually generating these LDAP 
queries.  How do I get FreeIPA/sssd to inject those escapes into the LDAP query?

Thank you,
Shane
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
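The following is an added, stand-alone illustration of the escaping the post is asking about; it is not code from the post, from FreeIPA or from sssd, and it does not contact any LDAP server. It takes the example issuer and subject DNs quoted in the post (already in the nss_x500, C=US-first order the certmap rule produces), builds the same filter sssd emits, and feeds both the raw and the escaped version through a small RFC 4515 filter parser so the difference is visible: the raw value's "(affiliate)" is read as filter structure, while the escaped value parses back to the original string. RFC 4515 defines the escape as a backslash plus two hex digits (\28 and \29 for the parentheses); that is what this example produces, whereas the post's manual ldapsearch uses the \( and \) form that its server happened to accept. The parser and the `filter_is_valid` helper are assumptions of this example, not an sssd API.

```python
"""Added example (not from the post, FreeIPA or sssd): RFC 4515 escaping of the
ipaCertMapData assertion value, checked with a tiny filter parser."""
import re

# RFC 4515 section 3: these characters inside an assertion value must be
# encoded as a backslash followed by two hex digits.
_RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Example DNs quoted in the post (nss_x500 order); the UID is the post's placeholder.
ISSUER_DN = ("C=US,O=U.S. Government,OU=Department of Homeland Security,"
             "OU=Certification Authorities,OU=DHS CA4")
SUBJECT_DN = ("C=US,O=U.S. Government,OU=Department of Homeland Security,"
              "OU=DHS HQ,OU=People,CN=MAX M MUSTERMANN (affiliate),"
              "UID=0123456789.DHS HQ")


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP search filter assertion value (RFC 4515)."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_certmap_filter(issuer_dn: str, subject_dn: str, escape: bool) -> str:
    """Build the filter shape sssd emits in the post, with or without value escaping."""
    enc = escape_filter_value if escape else (lambda s: s)
    certmap = f"X509:<I>{enc(issuer_dn)}<S>{enc(subject_dn)}"
    return ("(&(ipaCertMapData=" + certmap + ")"
            "(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))")


def parse_filter(text: str):
    """Minimal RFC 4515 parser: and/or/not plus simple 'attr=value' items.
    Returns a nested tuple; raises ValueError on a malformed filter (hypothetical
    helper written for this example, not an LDAP library function)."""
    hexpair = re.compile(r"[0-9A-Fa-f]{2}")

    def item(i):
        j = text.find("=", i)
        if j == -1 or j == i or "(" in text[i:j] or ")" in text[i:j]:
            raise ValueError(f"expected 'attr=' at offset {i}")
        attr, j, value = text[i:j], j + 1, []
        while j < len(text) and text[j] != ")":
            ch = text[j]
            if ch == "(":
                raise ValueError(f"unescaped '(' inside value at offset {j}")
            if ch == "\\":
                hx = text[j + 1:j + 3]
                if not hexpair.fullmatch(hx):
                    raise ValueError(f"bad escape at offset {j}")
                value.append(chr(int(hx, 16)))  # decode \XX back to the raw byte
                j += 3
                continue
            value.append(ch)
            j += 1
        return ("=", attr, "".join(value)), j

    def node(i):
        if i >= len(text) or text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        i += 1
        if i < len(text) and text[i] in "&|":
            op, i, parts = text[i], i + 1, []
            while i < len(text) and text[i] == "(":
                sub, i = node(i)
                parts.append(sub)
            result = (op, parts)
        elif i < len(text) and text[i] == "!":
            sub, i = node(i + 1)
            result = ("!", sub)
        else:
            result, i = item(i)
        if i >= len(text) or text[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return result, i + 1

    result, end = node(0)
    if end != len(text):
        raise ValueError(f"trailing data at offset {end}")
    return result


def filter_is_valid(text: str) -> bool:
    """True when the filter parses; False on the structural errors above."""
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for escape in (False, True):
        f = build_certmap_filter(ISSUER_DN, SUBJECT_DN, escape)
        print("escaped" if escape else "raw", "->",
              "valid" if filter_is_valid(f) else "malformed")
```

Running it prints "raw -> malformed" and "escaped -> valid". The same escaping rule applies to any attribute value interpolated into a filter, so a CN containing "*" or a backslash would be handled the same way; the parser is deliberately tiny (no substring or extensible matching) and exists only to make the structural problem observable offline.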