Clarification about ldap_sasl_authid string from sssd-ldap man page?
by Spike White
sssd professionals,
When the sssd-ldap man page refers to "hostname", is it referring to the
short name or the FQDN?
I know netbiosname is short, with a '$' on the end.
From sssd-ldap man page:
ldap_sasl_authid (string)
Specify the SASL authorization id to use. When GSSAPI/GSS-SPNEGO
are used, this represents the Kerberos principal used for authentication to
the directory. This option can either contain the full principal
(for example host/myhost@EXAMPLE.COM) or just the principal name (for
example host/myhost). By default, the value is not set and the
following principals are used:
hostname@REALM
netbiosname$@REALM
host/hostname@REALM
*$@REALM
host/*@REALM
host/*
If none of them are found, the first principal in keytab is
returned.
Default: host/hostname@REALM
Spike White
1 day, 1 hour
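The search order quoted above from sssd-ldap(5), as an added shell illustration (not code from the post and not SSSD's own implementation). It reads a keytab principal list from stdin, as `klist -k` prints it, takes the host name, NetBIOS name and realm as parameters, and applies the six documented patterns in order with the documented fallback. It does not settle whether SSSD substitutes the short name or the FQDN for "hostname"; it lets you try either against your own keytab listing. The sample keytab below is constructed.

```sh
#!/bin/sh
# Added illustration of the default principal search order quoted from
# sssd-ldap(5). This is NOT SSSD's code: it takes the host name, NetBIOS name
# and realm as parameters, reads keytab principals from stdin (one per line,
# as 'klist -k' prints them) and applies the six documented patterns in
# order, falling back to the first keytab entry when none matches.

# first_match PATTERN: print the first stdin line matching the shell glob
# PATTERN (an unquoted $1 in a case label is matched as a pattern).
first_match() {
    while IFS= read -r p; do
        case "$p" in
            $1) printf '%s\n' "$p"; return 0 ;;
        esac
    done
    return 1
}

# pick_sasl_principal HOSTNAME NETBIOSNAME REALM < principals
pick_sasl_principal() {
    host="$1"; nb="$2"; realm="$3"
    princs="$(cat)"
    # Order taken from the man page text; '\$' is a literal dollar sign and
    # '*' is the wildcard the man page uses.
    for pat in "$host@$realm" "$nb\$@$realm" "host/$host@$realm" \
               "*\$@$realm" "host/*@$realm" "host/*"; do
        if m="$(printf '%s\n' "$princs" | first_match "$pat")"; then
            printf '%s\n' "$m"
            return 0
        fi
    done
    # "If none of them are found, the first principal in keytab is returned."
    printf '%s\n' "$princs" | head -n 1
}

# Constructed sample keytab listing (not from a real host): an nfs/ and a
# host/ principal, no NetBIOS-style MYHOST$ entry.
KEYTAB_SAMPLE='nfs/myhost.example.com@EXAMPLE.COM
host/myhost.example.com@EXAMPLE.COM'

# Stand-alone demo: the same keytab with the FQDN and with the short name.
# Both end up at host/myhost.example.com@EXAMPLE.COM, but the short name
# only gets there through the host/*@REALM wildcard, not the exact match.
for h in myhost.example.com myhost; do
    printf '%-20s -> %s\n' "$h" \
        "$(printf '%s\n' "$KEYTAB_SAMPLE" | pick_sasl_principal "$h" MYHOST EXAMPLE.COM)"
done
```

To feed a real keytab on an MIT Kerberos host you can pipe `klist -k /etc/krb5.keytab | awk 'NR>3 {print $2}'` into `pick_sasl_principal`; the `awk` skips the three header lines of MIT's `klist -k` output (assumption: MIT format, Heimdal prints differently). The demo shows why the short-versus-FQDN question rarely bites on a host with a single host/ entry: the wildcard patterns catch it either way, and the ordering matters only when the keytab holds several candidates, such as a NetBIOS-style `MYHOST$@REALM` entry, which the documented order ranks above `host/hostname@REALM`.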
Re: [Freeipa-users] SSSD OCSP verification failed
by Rob Crittenden
Cross posting this to sssd-users.
rob
Alvarez, Angelo CIV USN JOINT TYPHOON WARCEN (USA) via FreeIPA-users wrote:
> Aloha. We are trying to get OCSP verification working with RHEL 8 SSSD.
> The OCSP responder CA is not in the trust chain of the CA that issued
> the smart card certificates. I was able to get openssl ocsp
> verification to work using -verify_other and -trust_other options.
>
> [root@c27nmgmtjtprlh1 PKI]# openssl ocsp -issuer DOD_ID_CA-63.pem
> -verify_other NAWEPRLHRD12.pem -trust_other -cert ~alvareza/alvarez.pem
> -url http://repeater1.xxxxx.xxxxx.xxxx.xxxx.xxxx -respout -text
> WARNING: no nonce in response
> Response verify OK
> /home/alvareza/alvarez.pem: good
> This Update: May 9 00:00:00 2024 GMT
> Next Update: May 15 06:16:18 2024 GMT
>
> I tried to perform OCSP verification with the SSSD p11_child helper, but
> it does not work. Does anyone know if the Direct Trust model for OCSP
> works with RHEL 8 SSSD?
> [root@c27nmgmtjtprlh1 pki]# /usr/libexec/sssd/p11_child --dumpable=1
> --debug-microseconds=0 --debug-timestamps=1 --debug-fd=22
> --debug-level=9 --verification --verify
> ocsp_dgst=sha1,ocsp_default_responder=http://repeater1.xxxxx.xxxxx.xxxx.xxxx.xxxx
> --ca_db=/etc/sssd/pki/sssd_auth_ca_db.pem --certificate=$(cat
> /home/alvareza/alvarez.pem | grep -v BEGIN | grep -v END | tr -d "\n")
> set_debug_file_from_fd failed.
> (2024-05-09 8:07:24): [p11_child[2817468]] [main] (0x0400): p11_child
> started.
> (2024-05-09 8:07:24): [p11_child[2817468]] [main] (0x2000): Running in
> [verify] mode.
> (2024-05-09 8:07:24): [p11_child[2817468]] [main] (0x2000): Running
> with effective IDs: [0][0].
> (2024-05-09 8:07:24): [p11_child[2817468]] [main] (0x2000): Running
> with real IDs [0][0].
> (2024-05-09 8:07:24): [p11_child[2817468]] [parse_cert_verify_opts]
> (0x4000): Using sha1 for OCSP.
> (2024-05-09 8:07:24): [p11_child[2817468]] [parse_cert_verify_opts]
> (0x4000): Using OCSP default responder
> [http://repeater1.prlh.nadsuswe.nads.navy.mil]
> (2024-05-09 8:07:24): [p11_child[2817468]] [do_ocsp] (0x4000): Using
> OCSP URL [http://repeater1.prlh.nadsuswe.nads.navy.mil].
> (2024-05-09 8:07:24): [p11_child[2817468]] [do_ocsp] (0x0020): No nonce
> in OCSP response. This might indicate a replay attack or an OCSP
> responder which does not support nonces. Accepting response.
> (2024-05-09 8:07:24): [p11_child[2817468]] [do_ocsp] (0x0020):
> OCSP_basic_verify() failed to verify OCSP response.
> (2024-05-09 8:07:24): [p11_child[2817468]] [do_verification] (0x0040):
> do_ocsp failed.
> (2024-05-09 8:07:24): [p11_child[2817468]] [do_work] (0x0400):
> Certificate is NOT valid.
> 22
> (2024-05-09 8:07:24): [p11_child[2817468]] [main] (0x0020): p11_child
> failed (22)
>
> v/r
>
> Angelo Alvarez, CISSP
> N6
> Joint Typhoon Warning Center
> Work: 808.471.3645
> Mobile: 808.389.9474
> Email: angelo.alvarez(a)navy.mil <mailto:angelo.alvarez@navy.mil>
> SiPR Email: angelo.alvarez(a)navy.smil.mil <mailto:angelo.alvarez@navy.smil.mil>
>
> ¡No contaban con mi astucia! ("They didn't count on my cunning!") El Chapulin Colorado
>
> --
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
1 week, 4 days
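The situation in the quoted message, rebuilt as an added shell example (not code from the post, from SSSD or from FreeIPA): a leaf certificate chaining to one CA, an OCSP responder whose certificate chains to nothing the verifier trusts, and the two `openssl ocsp` verification modes side by side. The chain-only check fails inside `OCSP_basic_verify()`, the same call the p11_child log reports failing; naming the responder cert with `-verify_other` and `-trust_other`, as the poster did, makes the same response verify. It assumes an `openssl` binary (1.1.1 or newer) on PATH; every file name, subject and serial is constructed for the demo, and the responder is driven offline through `openssl ocsp -index` so no network is needed.

```sh
#!/bin/sh
# Added example, not code from the post, from SSSD or from FreeIPA: it rebuilds
# the "direct trust" OCSP situation in the thread with a throwaway PKI so the
# two openssl ocsp verification modes can be compared offline. Assumes an
# openssl binary (1.1.1 or newer) on PATH; every file name, subject and serial
# below is constructed for the demo.
D="${OCSP_DEMO_DIR:-$(mktemp -d)}"
EC="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

gen_pki() {
    # Issuing CA and a leaf that chains to it (stand-ins for the card CA and
    # the smart-card certificate).
    openssl req -x509 $EC -subj /CN=Demo-Issuing-CA -days 1 \
        -keyout "$D/ca.key" -out "$D/ca.pem" 2>/dev/null
    openssl req $EC -subj /CN=demo-leaf \
        -keyout "$D/leaf.key" -out "$D/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$D/leaf.csr" -CA "$D/ca.pem" -CAkey "$D/ca.key" \
        -set_serial 4096 -days 1 -out "$D/leaf.pem" 2>/dev/null
    # OCSP responder certificate from an UNRELATED root: it does not chain
    # to the issuing CA, which is the direct-trust case the thread describes.
    openssl req -x509 $EC -subj /CN=Demo-OCSP-Responder \
        -addext extendedKeyUsage=OCSPSigning -days 1 \
        -keyout "$D/resp.key" -out "$D/resp.pem" 2>/dev/null
    # Minimal 'openssl ca' index: serial 4096 (hex 1000) is Valid.
    printf 'V\t991231235959Z\t\t1000\tunknown\t/CN=demo-leaf\n' > "$D/index.txt"
    # Sign an OCSP response for the leaf with no network: responder mode
    # (-index) answers the request that -issuer/-cert build and writes DER.
    openssl ocsp -index "$D/index.txt" -CA "$D/ca.pem" -rsigner "$D/resp.pem" \
        -rkey "$D/resp.key" -issuer "$D/ca.pem" -cert "$D/leaf.pem" \
        -no_nonce -ndays 1 -respout "$D/resp.der" >/dev/null 2>&1
    [ -s "$D/resp.der" ]
}

# Chain trust only: the signer cert embedded in the response cannot be built
# up to -CAfile, so openssl prints "Response Verify Failure" and exits 1.
verify_chain_only() {
    openssl ocsp -issuer "$D/ca.pem" -cert "$D/leaf.pem" -CAfile "$D/ca.pem" \
        -no_nonce -respin "$D/resp.der"
}

# Direct trust: name the responder cert and trust it as-is, which is what
# -verify_other/-trust_other did in the successful openssl run in the thread.
# Prints "Response verify OK" and exits 0.
verify_direct_trust() {
    openssl ocsp -issuer "$D/ca.pem" -cert "$D/leaf.pem" -CAfile "$D/ca.pem" \
        -no_nonce -respin "$D/resp.der" \
        -verify_other "$D/resp.pem" -trust_other
}

gen_pki
for mode in verify_chain_only verify_direct_trust; do
    echo "== $mode =="
    if "$mode" 2>&1; then echo "(exit 0: response accepted)"; else echo "(exit $?: response rejected)"; fi
done
```

The point of the pair is what `-trust_other` actually does: once the signer is found among the `-verify_other` certificates, `openssl ocsp` skips building a chain for it and only checks the signature, so the responder's own issuer no longer matters. A verifier that has no such "trusted responder" input can only succeed if the responder cert chains to something in its CA bundle, which is the comparison the quoted message is making between the `openssl ocsp` run and `p11_child`.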