On Wed, Jul 15, 2020 at 11:47 PM Shane Frasier <[email protected]>
wrote:

> Hello,
>
> I am using FreeIPA and I have users who authenticate into our environment
> using their PIV (smartcard) certificates. Everything works great for users
> who happen to be "full" employees, but contractors' certificates never
> match.  They authenticate in two ways:
> * Via a call to ipa certmap-match for VPN access.
> * Via kinit.
>
> "Full" employees have certificates issued by:
> OU=DHS CA4,OU=Certification Authorities,OU=Department of Homeland
> Security,O=U.S. Government,C=US
> Their certificates are issued to, for example:
> CN=JOHN J SMITH+UID=0123456789.DHS HQ,OU=People,OU=DHS HQ,OU=Department of
> Homeland Security,O=U.S. Government,C=US
>
> Contractors have certificates issued by:
> OU=DHS CA4,OU=Certification Authorities,OU=Department of Homeland
> Security,O=U.S. Government,C=US
> Their certificates are issued to, for example:
> CN=MAX M MUSTERMANN (affiliate)+UID=0123456789.DHS HQ,OU=People,OU=DHS
> HQ,OU=Department of Homeland Security,O=U.S. Government,C=US
>
> Note the "(affiliate)" that appears in the contractors' certificates.
>
> I have the usual certificate mapping rule:
> (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})
> I also have a simple matching rule:
> <ISSUER>O=U.S. Government
>
> I currently have the following four certificate mapping data entries for
> each user:
> * X509:<I>C=US,O=U.S. Government,OU=Department of Homeland
> Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S.
> Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,CN=MAX M
> MUSTERMANN (affiliate)+UID=0123456789.DHS HQ
> * X509:<I>C=US,O=U.S. Government,OU=Department of Homeland
> Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S.
> Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,CN=MAX M
> MUSTERMANN (affiliate),UID=0123456789.DHS HQ
> * X509:<I>C=US,O=U.S. Government,OU=Department of Homeland
> Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S.
> Government,OU=Department of Homeland Security,OU=DHS
> HQ,OU=People,UID=0123456789.DHS HQ+CN=MAX M MUSTERMANN (affiliate)
> * X509:<I>C=US,O=U.S. Government,OU=Department of Homeland
> Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S.
> Government,OU=Department of Homeland Security,OU=DHS
> HQ,OU=People,UID=0123456789.DHS HQ,CN=MAX M MUSTERMANN (affiliate)
>
> After doing some digging, it looks like sssd is performing this LDAP query:
> ldapsearch -b "cn=accounts,dc=staging,dc=cool,dc=cyber,dc=dhs,dc=gov"
> "(&(ipaCertMapData=X509:<I>C=US,O=U.S. Government,OU=Department of Homeland
> Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S.
> Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,CN=MAX M
> MUSTERMANN (affiliate),UID=0123456789.DHS
> HQ)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))"
>
> This query always fails.  I believe this is because of the parentheses in
> the subject name because if I manually escape the parentheses surrounding
> "affiliate" as seen below, then the ldapsearch command finds the user:
>
> ldapsearch -b "cn=accounts,dc=staging,dc=cool,dc=cyber,dc=dhs,dc=gov"
> "(&(ipaCertMapData=X509:<I>C=US,O=U.S. Government,OU=Department of Homeland
> Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S.
> Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,CN=MAX M
> MUSTERMANN \(affiliate\),UID=0123456789.DHS
> HQ)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))"
>
> I brought up this issue in the FreeIPA Users mailing list, and they
> recommended that I post it here too since sssd is what is actually
> generating these LDAP queries.  How do I get FreeIPA/sssd to inject those
> escapes into the LDAP query?
>

This is a known issue: https://github.com/SSSD/sssd/issues/5135
There is an upstream PR to fix this: https://github.com/SSSD/sssd/pull/1036



> Thank you,
> Shane
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
>
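An added illustration of the escaping problem described in the thread (this is example code, not code from the thread, from sssd or from FreeIPA, and it does not reproduce the linked PR): in an LDAP search filter the characters `(`, `)`, `*`, `\` and NUL inside an assertion value must be written as `\XX` hex escapes (RFC 4515), which is exactly what the working `ldapsearch` above does by hand for `(affiliate)`. The function and constant names below are my own; the issuer and subject DNs are the ones quoted in the question; the surrounding filter shape is copied from the query sssd was observed to send. Python is used here only because it is convenient for an admin to check a filter with, whereas sssd itself is written in C.

```python
# RFC 4515 section 3: characters that must be escaped inside an assertion
# value, each as a backslash followed by two hex digits.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# DNs taken from the question, in the reversed "nss_x500" order that appears
# in the users' ipaCertMapData entries.
ISSUER_DN = ("C=US,O=U.S. Government,OU=Department of Homeland Security,"
             "OU=Certification Authorities,OU=DHS CA4")
SUBJECT_DN = ("C=US,O=U.S. Government,OU=Department of Homeland Security,"
              "OU=DHS HQ,OU=People,CN=MAX M MUSTERMANN (affiliate),"
              "UID=0123456789.DHS HQ")


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP filter assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def certmap_filter(issuer_dn: str, subject_dn: str) -> str:
    """Build the user-lookup filter for the default mapping rule
    (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500}),
    escaping the mapping value so parentheses in a CN cannot be parsed
    as filter syntax. The rest of the filter is the shape seen in the
    ldapsearch from the question; (uid=*) is a real wildcard and stays as is.
    """
    value = f"X509:<I>{issuer_dn}<S>{subject_dn}"
    return (
        "(&(ipaCertMapData=" + escape_filter_value(value) + ")"
        "(objectClass=posixAccount)(uid=*)"
        "(&(uidNumber=*)(!(uidNumber=0))))"
    )


def is_well_formed(filter_str: str) -> bool:
    """Cheap sanity check for a filter string: parentheses must balance and
    every innermost parenthesised item must look like attr=value. Escaped
    parens (\\28, \\29) are treated as ordinary value characters. An
    unescaped "(affiliate)" shows up as a leaf without '=' and fails."""
    leaves, buf, depth = [], [], 0
    i, n = 0, len(filter_str)
    while i < n:
        ch = filter_str[i]
        if ch == "\\":
            # Keep the escape sequence verbatim; it is data, not structure.
            buf.append(filter_str[i:i + 3])
            i += 3
            continue
        if ch == "(":
            depth += 1
            buf = []
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
            if buf:
                leaves.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    return depth == 0 and all("=" in leaf for leaf in leaves)


if __name__ == "__main__":
    good = certmap_filter(ISSUER_DN, SUBJECT_DN)
    naive = good.replace(r"\28", "(").replace(r"\29", ")")
    print("escaped filter well-formed:", is_well_formed(good))
    print("unescaped filter well-formed:", is_well_formed(naive))
```

Running the block shows the escaped filter passing the check and the naive, unescaped one failing it, which is the same contrast as the two `ldapsearch` invocations in the question. The check is deliberately simple and only catches the structural breakage that parentheses cause; it is not a full RFC 4515 parser.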