On 7/14/20 11:29 PM, Shane Frasier via FreeIPA-users wrote:
Hello,
I have users who kinit using their PIV (smartcard) certificates. Everything works great
for users who happen to be "full" employees, but contractors' certificates
never match.
"Full" employees have certificates issued by:
OU=DHS CA4,OU=Certification Authorities,OU=Department of Homeland Security,O=U.S. Government,C=US
Their certificates are issued to, for example:
CN=JOHN J SMITH+UID=0123456789.DHS HQ,OU=People,OU=DHS HQ,OU=Department of Homeland Security,O=U.S. Government,C=US
Contractors have certificates issued by:
OU=DHS CA4,OU=Certification Authorities,OU=Department of Homeland Security,O=U.S. Government,C=US
Their certificates are issued to, for example:
CN=MAX M MUSTERMANN (affiliate)+UID=0123456789.DHS HQ,OU=People,OU=DHS HQ,OU=Department of Homeland Security,O=U.S. Government,C=US
I have the usual certificate mapping rule:
(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})
I also have a simple matching rule:
<ISSUER>O=U.S. Government
I currently have the following four certificate mapping data entries for each user:
* X509:<I>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,CN=MAX M MUSTERMANN (affiliate)+UID=0123456789.DHS HQ
* X509:<I>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,CN=MAX M MUSTERMANN (affiliate),UID=0123456789.DHS HQ
* X509:<I>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,UID=0123456789.DHS HQ+CN=MAX M MUSTERMANN (affiliate)
* X509:<I>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,UID=0123456789.DHS HQ,CN=MAX M MUSTERMANN (affiliate)
Any thoughts as to why the contractors' certificates never match? I assume it has
something to do with the "(affiliate)" that appears in their CN.
Hi,
in order to troubleshoot, you can have a look at the LDAP server access
logs (in /var/log/dirsrv/slapd-XXX/access) and find the search operation
that is triggered by the mapping. It will be a SEARCH with a filter
containing (ipacertmapdata=...).
Check that the filter is consistent with what you would expect and
manually try an equivalent search to see if it returns the expected user
entry (with ldapsearch -b $BASE "<filter from the logs>").
More troubleshooting info is also available in this blog:
https://floblanc.wordpress.com/2017/06/02/troubleshooting-mapping-between...
flo
Thanks,
Shane Frasier
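As an added example (not from the thread, and not FreeIPA or SSSD code), here is a Python script that does the check flo describes: it pulls the ipacertmapdata search out of 389-ds access-log lines, pairs it with its RESULT, and compares the logged filter with the RFC 4515-escaped filter one would expect for the contractor DNs above. The log lines, conn/op numbers and base DN are constructed.

```python
import re

# RFC 4515: these characters must be hex-escaped inside a filter value.
_RFC4515 = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def rfc4515_escape(value: str) -> str:
    """Escape a raw attribute value for use inside an LDAP search filter."""
    return "".join(_RFC4515.get(ch, ch) for ch in value)

def expected_filter(issuer: str, subject: str) -> str:
    """Filter the thread's mapping rule should yield for nss_x500-formatted DNs."""
    return f"(ipacertmapdata={rfc4515_escape(f'X509:<I>{issuer}<S>{subject}')})"

# 389-ds logs a search as SRCH (not SEARCH) and its outcome as RESULT on the
# same conn/op pair; nentries tells you whether the mapping found a user.
_SRCH = re.compile(r'conn=(\d+) op=(\d+) SRCH .*? filter="(.*)" attrs=')
_RESULT = re.compile(r'conn=(\d+) op=(\d+) RESULT .*? nentries=(\d+)')

def certmap_searches(log_text: str, issuer: str, subject: str) -> list:
    """Pair each ipacertmapdata SRCH with its RESULT and check the filter.
    filter_ok False -> the mapping rule / DN formatting is not what you expect;
    filter_ok True with nentries 0 -> filter fine, stored ipacertmapdata differs."""
    lines = log_text.splitlines()
    nentries = {m.group(1, 2): int(m.group(3))
                for m in map(_RESULT.search, lines) if m}
    want = expected_filter(issuer, subject)
    found = []
    for line in lines:
        m = _SRCH.search(line)
        if m and "ipacertmapdata" in m.group(3):
            found.append({"conn": m.group(1), "op": m.group(2), "filter": m.group(3),
                          "filter_ok": want in m.group(3),
                          "nentries": nentries.get(m.group(1, 2))})
    return found

# DNs from the thread, in the reversed (nss_x500) order the certmap data uses.
ISSUER = ("C=US,O=U.S. Government,OU=Department of Homeland Security,"
          "OU=Certification Authorities,OU=DHS CA4")
SUBJECT = ("C=US,O=U.S. Government,OU=Department of Homeland Security,"
           "OU=DHS HQ,OU=People,CN=MAX M MUSTERMANN (affiliate)+UID=0123456789.DHS HQ")

# Constructed sample access-log lines (not a real log): the contractor's
# mapping search, parentheses escaped per RFC 4515, and a RESULT with no hit.
SAMPLE_LOG = "\n".join([
    r'[14/Jul/2020:23:29:01 -0400] conn=42 op=7 SRCH base="cn=users,cn=accounts,dc=example,dc=test" scope=2 '
    r'filter="(&(ipacertmapdata=X509:<I>C=US,O=U.S. Government,OU=Department of Homeland Security,'
    r'OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S. Government,OU=Department of Homeland Security,'
    r'OU=DHS HQ,OU=People,CN=MAX M MUSTERMANN \28affiliate\29+UID=0123456789.DHS HQ)(objectClass=posixAccount))" attrs="uid"',
    r'[14/Jul/2020:23:29:01 -0400] conn=42 op=7 RESULT err=0 tag=101 nentries=0 etime=0.000412',
])
```

If filter_ok is True but nentries is 0, paste the logged filter into ldapsearch -b $BASE "<filter>" as flo suggests and compare it character by character with the ipacertmapdata values stored on the user entry.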
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org