4:29 p.m.
Hello,
I have users who kinit using their PIV (smartcard) certificates. Everything works great
for users who happen to be "full" employees, but contractors' certificates
never match.
"Full" employees have certificates issues by:
OU=DHS CA4,OU=Certification Authorities,OU=Department of Homeland Security,O=U.S.
Government,C=US
Their certificates are issued to, for example:
CN=JOHN J SMITH+UID=0123456789.DHS HQ,OU=People,OU=DHS HQ,OU=Department of Homeland
Security,O=U.S. Government,C=US
Contractors have certificates issued by:
OU=DHS CA4,OU=Certification Authorities,OU=Department of Homeland Security,O=U.S.
Government,C=US
Their certificates are issued to, for example:
CN=MAX M MUSTERMANN (affiliate)+UID=0123456789.DHS HQ,OU=People,OU=DHS HQ,OU=Department of
Homeland Security,O=U.S. Government,C=US
I have the usual certificate mapping rule:
(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})
I also have a simple matching rule:
<ISSUER>O=U.S. Government
I currently have the following four certificate mapping data entries for each user:
* X509:<I>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=Certification
Authorities,OU=DHS CA4<S>C=US,O=U.S. Government,OU=Department of Homeland
Security,OU=DHS HQ,OU=People,CN=MAX M MUSTERMANN (affiliate)+UID=0123456789.DHS HQ
* X509:<I>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=Certification
Authorities,OU=DHS CA4<S>C=US,O=U.S. Government,OU=Department of Homeland
Security,OU=DHS HQ,OU=People,CN=MAX M MUSTERMANN (affiliate),UID=0123456789.DHS HQ
* X509:<I>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=Certification
Authorities,OU=DHS CA4<S>C=US,O=U.S. Government,OU=Department of Homeland
Security,OU=DHS HQ,OU=People,UID=0123456789.DHS HQ+CN=MAX M MUSTERMANN (affiliate)
* X509:<I>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=Certification
Authorities,OU=DHS CA4<S>C=US,O=U.S. Government,OU=Department of Homeland
Security,OU=DHS HQ,OU=People,UID=0123456789.DHS HQ,CN=MAX M MUSTERMANN (affiliate)
Any thoughts as to why the contractors' certificates never match? I assume it has
something to do with the "(affiliate)" that appears in their CN.
Thanks,
Shane Frasier
2:33 a.m.
On 7/14/20 11:29 PM, Shane Frasier via FreeIPA-users wrote:
Hello,
I have users who kinit using their PIV (smartcard) certificates. Everything works great
for users who happen to be "full" employees, but contractors' certificates
never match.
"Full" employees have certificates issues by:
OU=DHS CA4,OU=Certification Authorities,OU=Department of Homeland Security,O=U.S.
Government,C=US
Their certificates are issued to, for example:
CN=JOHN J SMITH+UID=0123456789.DHS HQ,OU=People,OU=DHS HQ,OU=Department of Homeland
Security,O=U.S. Government,C=US
Contractors have certificates issued by:
OU=DHS CA4,OU=Certification Authorities,OU=Department of Homeland Security,O=U.S.
Government,C=US
Their certificates are issued to, for example:
CN=MAX M MUSTERMANN (affiliate)+UID=0123456789.DHS HQ,OU=People,OU=DHS HQ,OU=Department
of Homeland Security,O=U.S. Government,C=US
I have the usual certificate mapping rule:
(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})
I also have a simple matching rule:
<ISSUER>O=U.S. Government
I currently have the following four certificate mapping data entries for each user:
* X509:<I>C=US,O=U.S. Government,OU=Department of Homeland
Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S.
Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,CN=MAX M MUSTERMANN
(affiliate)+UID=0123456789.DHS HQ
* X509:<I>C=US,O=U.S. Government,OU=Department of Homeland
Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S.
Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,CN=MAX M MUSTERMANN
(affiliate),UID=0123456789.DHS HQ
* X509:<I>C=US,O=U.S. Government,OU=Department of Homeland
Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S.
Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,UID=0123456789.DHS
HQ+CN=MAX M MUSTERMANN (affiliate)
* X509:<I>C=US,O=U.S. Government,OU=Department of Homeland
Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S.
Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,UID=0123456789.DHS
HQ,CN=MAX M MUSTERMANN (affiliate)
Any thoughts as to why the contractors' certificates never match? I assume it has
something to do with the "(affiliate)" that appears in their CN.
Hi,
in order to troubleshoot, you can have a look at the LDAP server access
logs (in /var/log/dirsrv/slapd-XXX/access) and find the search operation
that is triggered by the mapping. It will be a SEARCH with a filter
containing (ipacertmapdata=...).
Check that the filter is consistent with what you would expect and
manually try an equivalent search to see if it returns the expected user
entry (with ldapsearch -b $BASE "<filter from the logs>").
More troubleshooting info also available in this blog:
https://floblanc.wordpress.com/2017/06/02/troubleshooting-mapping-between...
flo
Thanks,
Shane Frasier
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
10:43 a.m.
Hi Flo,
Thanks for the quick response! I have been following your helpful instructions, but we
are still baffled. Frankly, I am starting to doubt my sanity :)
I removed all certificate and certmap data from a contractor's user account, then ran
sss_cache -E to clear the cache. After that I ran ipa certmap-match against his
certificate. Somehow I still got a match with the correct user name (!), and I got the
following output from /var/log/sssd/sssd_staging.cool.cyber.dhs.gov.log:
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sbus_method_handler] (0x2000):
Received D-Bus method sssd.dataprovider.getAccountInfo on /sssd
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sbus_senders_lookup] (0x2000):
Looking for identity of sender [sssd.ifp]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [dp_get_account_info_send]
(0x0200): Got request for [0x14][BE_REQ_BY_CERT][cert=<base64_cert_data_redacted>]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [dp_attach_req] (0x0400): DP
Request [Account #15631]: New request. Flags [0x0001].
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [dp_attach_req] (0x0400): Number
of active DP request: 1
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sss_domain_get_state] (0x1000):
Domain staging.cool.cyber.dhs.gov is Active
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sss_domain_get_state] (0x1000):
Domain staging.cool.cyber.dhs.gov is Active
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_id_op_connect_step]
(0x4000): reusing cached connection
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_search_user_next_base]
(0x0400): Searching for users with base
[cn=accounts,dc=staging,dc=cool,dc=cyber,dc=dhs,dc=gov]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_print_server] (0x2000):
Searching 10.128.0.4:389
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x0400): calling ldap_search_ext with [(&(ipacertmapdata=X509:<I>C=US,O=U.S.
Government,OU=Department of Homeland Security,OU=Certification Authorities,OU=DHS
CA4<S>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=DHS
HQ,OU=People,UID=0123456789.DHS HQ,CN=MAX M MUSTERMANN
(affiliate))(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=staging,dc=cool,dc=cyber,dc=dhs,dc=gov].
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [objectClass]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [uid]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [userPassword]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [uidNumber]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [gidNumber]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [gecos]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [homeDirectory]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [loginShell]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [krbPrincipalName]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [cn]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [memberOf]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [ipaUniqueID]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [modifyTimestamp]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [entryUSN]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [shadowLastChange]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [shadowMin]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [shadowMax]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [shadowWarning]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [shadowInactive]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [shadowExpire]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [shadowFlag]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [krbLastPwdChange]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [krbPasswordExpiration]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [pwdAttribute]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [authorizedService]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [accountExpires]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [userAccountControl]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [nsAccountLock]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [host]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [loginDisabled]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [loginExpirationTime]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [loginAllowedTimeMap]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [ipaSshPubKey]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [ipaUserAuthType]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [userCertificate;binary]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [mail]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x0080): ldap_search_ext failed: Bad search filter
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [generic_ext_search_handler]
(0x0040): sdap_get_generic_ext_recv failed [1432158246]: Malformed search filter
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_users_done] (0x0040):
Failed to retrieve users [1432158246][Malformed search filter].
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_id_op_done] (0x4000):
releasing operation connection
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[ipa_id_get_account_info_orig_done] (0x0040): sdap_handle_acct request failed: 1432158246
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [dp_req_done] (0x0400): DP Request
[Account #15631]: Request handler finished [0]: Success
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [_dp_req_recv] (0x0400): DP
Request [Account #15631]: Receiving request data.
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [dp_req_destructor] (0x0400): DP
Request [Account #15631]: Request removed.
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [dp_req_destructor] (0x0400):
Number of active DP request: 0
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [dp_req_reply_std] (0x1000): DP
Request [Account #15631]: Returning [Internal Error]: 3,1432158246,Malformed search
filter
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sbus_issue_request_done]
(0x0400): sssd.dataprovider.getAccountInfo: Success
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sbus_dispatch] (0x4000):
Dispatching.
Are you able to explain what is going on here? I don't understand how the certificate
is still matching if the user has no certificate or certmap data.
Thanks for your help,
Shane
12:54 p.m.
Shane Frasier via FreeIPA-users wrote:
Hi Flo,
Thanks for the quick response! I have been following your helpful instructions, but we
are still baffled. Frankly, I am starting to doubt my sanity :)
I removed all certificate and certmap data from a contractor's user account, then ran
sss_cache -E to clear the cache. After that I ran ipa certmap-match against his
certificate. Somehow I still got a match with the correct user name (!), and I got the
following output from /var/log/sssd/sssd_staging.cool.cyber.dhs.gov.log:
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sbus_method_handler] (0x2000):
Received D-Bus method sssd.dataprovider.getAccountInfo on /sssd
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sbus_senders_lookup] (0x2000):
Looking for identity of sender [sssd.ifp]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [dp_get_account_info_send]
(0x0200): Got request for [0x14][BE_REQ_BY_CERT][cert=<base64_cert_data_redacted>]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [dp_attach_req] (0x0400): DP
Request [Account #15631]: New request. Flags [0x0001].
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [dp_attach_req] (0x0400): Number
of active DP request: 1
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sss_domain_get_state] (0x1000):
Domain staging.cool.cyber.dhs.gov is Active
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sss_domain_get_state] (0x1000):
Domain staging.cool.cyber.dhs.gov is Active
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_id_op_connect_step]
(0x4000): reusing cached connection
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_search_user_next_base]
(0x0400): Searching for users with base
[cn=accounts,dc=staging,dc=cool,dc=cyber,dc=dhs,dc=gov]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_print_server] (0x2000):
Searching 10.128.0.4:389
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x0400): calling ldap_search_ext with [(&(ipacertmapdata=X509:<I>C=US,O=U.S.
Government,OU=Department of Homeland Security,OU=Certification Authorities,OU=DHS
CA4<S>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=DHS
HQ,OU=People,UID=0123456789.DHS HQ,CN=MAX M MUSTERMANN
(affiliate))(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=staging,dc=cool,dc=cyber,dc=dhs,dc=gov].
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [objectClass]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [uid]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [userPassword]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [uidNumber]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [gidNumber]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [gecos]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [homeDirectory]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [loginShell]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [krbPrincipalName]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [cn]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [memberOf]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [ipaUniqueID]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [modifyTimestamp]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [entryUSN]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [shadowLastChange]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [shadowMin]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [shadowMax]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [shadowWarning]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [shadowInactive]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [shadowExpire]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [shadowFlag]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [krbLastPwdChange]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [krbPasswordExpiration]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [pwdAttribute]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [authorizedService]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [accountExpires]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [userAccountControl]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [nsAccountLock]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [host]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [loginDisabled]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [loginExpirationTime]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [loginAllowedTimeMap]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [ipaSshPubKey]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [ipaUserAuthType]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [userCertificate;binary]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [mail]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x0080): ldap_search_ext failed: Bad search filter
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [generic_ext_search_handler]
(0x0040): sdap_get_generic_ext_recv failed [1432158246]: Malformed search filter
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_users_done] (0x0040):
Failed to retrieve users [1432158246][Malformed search filter].
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_id_op_done] (0x4000):
releasing operation connection
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[ipa_id_get_account_info_orig_done] (0x0040): sdap_handle_acct request failed: 1432158246
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [dp_req_done] (0x0400): DP
Request [Account #15631]: Request handler finished [0]: Success
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [_dp_req_recv] (0x0400): DP
Request [Account #15631]: Receiving request data.
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [dp_req_destructor] (0x0400): DP
Request [Account #15631]: Request removed.
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [dp_req_destructor] (0x0400):
Number of active DP request: 0
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [dp_req_reply_std] (0x1000): DP
Request [Account #15631]: Returning [Internal Error]: 3,1432158246,Malformed search
filter
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sbus_issue_request_done]
(0x0400): sssd.dataprovider.getAccountInfo: Success
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sbus_dispatch] (0x4000):
Dispatching.
Are you able to explain what is going on here? I don't understand how the
certificate is still matching if the user has no certificate or certmap data.
I'll bet it's the parenthesis in the subject causing the bad search
filter and failure to work.
rob
1:07 p.m.
New subject: [EXTERNAL] Re: certmapdata issue
It is....try escaping them \(.
David
-----Original Message-----
From: Rob Crittenden via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
Sent: Wednesday, July 15, 2020 11:54 AM
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Cc: Sumit Bose <sbose(a)redhat.com>; Shane Frasier
<maverick(a)maverickdolphin.com>; Rob Crittenden <rcritten(a)redhat.com>
Subject: [EXTERNAL] [Freeipa-users] Re: certmapdata issue
Shane Frasier via FreeIPA-users wrote:
Hi Flo,
Thanks for the quick response! I have been following your helpful
instructions, but we are still baffled. Frankly, I am starting to
doubt my sanity :)
I removed all certificate and certmap data from a contractor's user account, then ran
sss_cache -E to clear the cache. After that I ran ipa certmap-match against his
certificate. Somehow I still got a match with the correct user name (!), and I got the
following output from /var/log/sssd/sssd_staging.cool.cyber.dhs.gov.log:
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[sbus_method_handler] (0x2000): Received D-Bus method
sssd.dataprovider.getAccountInfo on /sssd
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[sbus_senders_lookup] (0x2000): Looking for identity of sender
[sssd.ifp]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[dp_get_account_info_send] (0x0200): Got request for
[0x14][BE_REQ_BY_CERT][cert=<base64_cert_data_redacted>]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [dp_attach_req] (0x0400): DP
Request [Account #15631]: New request. Flags [0x0001].
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[dp_attach_req] (0x0400): Number of active DP request: 1
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[sss_domain_get_state] (0x1000): Domain staging.cool.cyber.dhs.gov is
Active
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[sss_domain_get_state] (0x1000): Domain staging.cool.cyber.dhs.gov is
Active
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[sdap_id_op_connect_step] (0x4000): reusing cached connection
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[sdap_search_user_next_base] (0x0400): Searching for users with base
[cn=accounts,dc=staging,dc=cool,dc=cyber,dc=dhs,dc=gov]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[sdap_print_server] (0x2000): Searching 10.128.0.4:389
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step]
(0x0400): calling ldap_search_ext with [(&(ipacertmapdata=X509:<I>C=US,O=U.S.
Government,OU=Department of Homeland Security,OU=Certification Authorities,OU=DHS
CA4<S>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=DHS
HQ,OU=People,UID=0123456789.DHS HQ,CN=MAX M MUSTERMANN
(affiliate))(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=staging,dc=cool,dc=cyber,dc=dhs,dc=gov].
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[homeDirectory]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[krbPrincipalName]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[ipaNTSecurityIdentifier]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[modifyTimestamp]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[shadowLastChange]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[shadowWarning]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[shadowInactive]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[krbLastPwdChange]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[krbPasswordExpiration]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[authorizedService]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[accountExpires]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[userAccountControl]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[nsAccountLock]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[loginDisabled]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[loginExpirationTime]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[loginAllowedTimeMap]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[ipaUserAuthType]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[userCertificate;binary]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [mail]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[sdap_get_generic_ext_step] (0x0080): ldap_search_ext failed: Bad
search filter
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[generic_ext_search_handler] (0x0040): sdap_get_generic_ext_recv
failed [1432158246]: Malformed search filter
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_users_done] (0x0040):
Failed to retrieve users [1432158246][Malformed search filter].
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[sdap_id_op_done] (0x4000): releasing operation connection
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[ipa_id_get_account_info_orig_done] (0x0040): sdap_handle_acct request
failed: 1432158246
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [dp_req_done]
(0x0400): DP Request [Account #15631]: Request handler finished [0]:
Success
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [_dp_req_recv] (0x0400): DP
Request [Account #15631]: Receiving request data.
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [dp_req_destructor] (0x0400): DP
Request [Account #15631]: Request removed.
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[dp_req_destructor] (0x0400): Number of active DP request: 0
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[dp_req_reply_std] (0x1000): DP Request [Account #15631]: Returning
[Internal Error]: 3,1432158246,Malformed search filter
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]]
[sbus_issue_request_done] (0x0400): sssd.dataprovider.getAccountInfo:
Success
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sbus_dispatch] (0x4000):
Dispatching.
Are you able to explain what is going on here? I don't understand how the
certificate is still matching if the user has no certificate or certmap data.
I'll bet it's the parenthesis in the subject causing the bad search filter and
failure to work.
rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
2:57 p.m.
New subject: [EXTERNAL] Re: certmapdata issue
I tried escaping the parentheses in the user certificate mapping data, but it still fails.
Did you mean to escape the parentheses inside the actual certificate? Or something
else?
I have also noticed that ipa certmap-match does not seem to care very much if I run
sss_cache -E. Is there another cache that I should also be invalidating, perhaps a cache
associated with DBUS?
Thanks,
Shane
4:05 p.m.
New subject: [EXTERNAL] Re: certmapdata issue
If I manually escape the parentheses surrounding "affiliate" as seen below, then
the ldapsearch command finds the user:
ldapsearch -b "cn=accounts,dc=staging,dc=cool,dc=cyber,dc=dhs,dc=gov"
"(&(ipaCertMapData=X509:<I>C=US,O=U.S. Government,OU=Department of Homeland
Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S.
Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,CN=MAX M MUSTERMANN
\(affiliate\),UID=0123456789.DHS
HQ)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))"
The problem is that FreeIPA is performing this query when it searches (the parentheses are
not escaped):
ldapsearch -b "cn=accounts,dc=staging,dc=cool,dc=cyber,dc=dhs,dc=gov"
"(&(ipaCertMapData=X509:<I>C=US,O=U.S. Government,OU=Department of Homeland
Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S.
Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,CN=MAX M MUSTERMANN
(affiliate),UID=0123456789.DHS
HQ)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))"
I don't know how to get FreeIPA to inject those escapes, and I have no control over
the content of the certificates on the users' PIVs (smartcards). The smartcards are
given to us by the DHS mothership :(
I hope this makes our issue a little clearer.
Shane
4:07 p.m.
New subject: [EXTERNAL] Re: certmapdata issue
Shane Frasier via FreeIPA-users wrote:
If I manually escape the parentheses surrounding
"affiliate" as seen below, then the ldapsearch command finds the user:
ldapsearch -b "cn=accounts,dc=staging,dc=cool,dc=cyber,dc=dhs,dc=gov"
"(&(ipaCertMapData=X509:<I>C=US,O=U.S. Government,OU=Department of Homeland
Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S.
Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,CN=MAX M MUSTERMANN
\(affiliate\),UID=0123456789.DHS
HQ)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))"
The problem is that FreeIPA is performing this query when it searches (the parentheses
are not escaped):
ldapsearch -b "cn=accounts,dc=staging,dc=cool,dc=cyber,dc=dhs,dc=gov"
"(&(ipaCertMapData=X509:<I>C=US,O=U.S. Government,OU=Department of Homeland
Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S.
Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,CN=MAX M MUSTERMANN
(affiliate),UID=0123456789.DHS
HQ)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))"
I don't know how to get FreeIPA to inject those escapes, and I have no control over
the content of the certificates on the users' PIVs (smartcards). The smartcards are
given to us by the DHS mothership :(
I hope this makes our issue a little clearer.
SSSD is what is making that query. They sometimes read this list but you
may want to bring it up on their list as well to be sure they see it. Or
ideally open a bug.
rob
8:42 a.m.
New subject: [EXTERNAL] Re: certmapdata issue
Thanks for the suggestion Rob! I posted to the sssd-users mailing list and they
responded. Turns out this is a known issue with an existing PR to fix it:
* https://github.com/SSSD/sssd/issues/5135
* https://github.com/SSSD/sssd/pull/1036
I will have to configure FreeIPA to match against full certificates for now, and revert to
using certmap data once that PR is merged.
Posting here just to close the loop, in case anyone else gets bitten by this bug and
stumbles upon this exchange.
Thanks again to everyone for all the assistance!
Shane
11:11 a.m.
Also, to be clear, I should mention that the certmap data is used in two different ways:
1. We perform an ipa certmap-match command from our VPN server to confirm that the
client's certificate is valid
2. The certmap data is used by pkinit when the users kinit using their PIV (smartcard)
credentials
1380
days inactive
1382
days old
freeipa-users@lists.fedorahosted.org
9 comments
4 participants
participants (4)
-
Florence Blanc-Renaud -
Patterson, David -
Rob Crittenden -
Shane Frasier