On 7/14/20 11:29 PM, Shane Frasier via FreeIPA-users wrote:
Hello,

I have users who kinit using their PIV (smartcard) certificates.  Everything works great 
for users who happen to be "full" employees, but contractors' certificates 
never match.

"Full" employees have certificates issued by:
OU=DHS CA4,OU=Certification Authorities,OU=Department of Homeland Security,O=U.S. Government,C=US
Their certificates are issued to, for example:
CN=JOHN J SMITH+UID=0123456789.DHS HQ,OU=People,OU=DHS HQ,OU=Department of Homeland Security,O=U.S. Government,C=US

Contractors have certificates issued by:
OU=DHS CA4,OU=Certification Authorities,OU=Department of Homeland Security,O=U.S. Government,C=US
Their certificates are issued to, for example:
CN=MAX M MUSTERMANN (affiliate)+UID=0123456789.DHS HQ,OU=People,OU=DHS HQ,OU=Department of Homeland Security,O=U.S. Government,C=US

I have the usual certificate mapping rule:
(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})
I also have a simple matching rule:
<ISSUER>O=U.S. Government

I currently have the following four certificate mapping data entries for each user:
* X509:<I>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,CN=MAX M MUSTERMANN (affiliate)+UID=0123456789.DHS HQ
* X509:<I>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,CN=MAX M MUSTERMANN (affiliate),UID=0123456789.DHS HQ
* X509:<I>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,UID=0123456789.DHS HQ+CN=MAX M MUSTERMANN (affiliate)
* X509:<I>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,UID=0123456789.DHS HQ,CN=MAX M MUSTERMANN (affiliate)

Any thoughts as to why the contractors' certificates never match?  I assume it has something to do with the "(affiliate)" that appears in their CN.

Hi,

in order to troubleshoot, you can have a look at the LDAP server access logs (in /var/log/dirsrv/slapd-XXX/access) and find the search operation that is triggered by the mapping. It will be a SEARCH with a filter containing (ipacertmapdata=...).

Check that the filter is consistent with what you would expect and manually try an equivalent search to see if it returns the expected user entry (with ldapsearch -b $BASE "<filter from the logs>").

More troubleshooting info is also available in this blog:
https://floblanc.wordpress.com/2017/06/02/troubleshooting-mapping-between-a-smartcard-certificate-and-an-idm-user/

flo

Thanks,
Shane Frasier
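The check flo describes, as an added example that is not part of the thread: pull the (ipacertmapdata=...) filter out of the dirsrv access log, compare it with the stored mapping data entries, and print the equivalent ldapsearch. The log lines are constructed in the 389-ds SRCH layout (not from a real server), the base DN is a placeholder, the four stored entries are copied from the post above, and it is an assumption that the client RFC 4515-escapes the parentheses in "(affiliate)" as \28 and \29 and that the server compares ipacertmapdata as an exact string.

```python
import re

# Constructed 389-ds access-log line (not from a real server). The filter value is
# assumed to be RFC 4515-escaped by the client, so "(" and ")" appear as \28 and \29.
SAMPLE_ACCESS_LOG = r"""
[14/Jul/2020:23:29:10 -0400] conn=42 op=4 SRCH base="cn=accounts,dc=example,dc=test" scope=2 filter="(ipacertmapdata=X509:<I>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,CN=MAX M MUSTERMANN \28affiliate\29+UID=0123456789.DHS HQ)" attrs="uid"
"""

ISSUER = "C=US,O=U.S. Government,OU=Department of Homeland Security,OU=Certification Authorities,OU=DHS CA4"
SUBJECT_BASE = "C=US,O=U.S. Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,"
# The four ipacertmapdata entries from the post, in the same order.
STORED_ENTRIES = [
    f"X509:<I>{ISSUER}<S>{SUBJECT_BASE}CN=MAX M MUSTERMANN (affiliate)+UID=0123456789.DHS HQ",
    f"X509:<I>{ISSUER}<S>{SUBJECT_BASE}CN=MAX M MUSTERMANN (affiliate),UID=0123456789.DHS HQ",
    f"X509:<I>{ISSUER}<S>{SUBJECT_BASE}UID=0123456789.DHS HQ+CN=MAX M MUSTERMANN (affiliate)",
    f"X509:<I>{ISSUER}<S>{SUBJECT_BASE}UID=0123456789.DHS HQ,CN=MAX M MUSTERMANN (affiliate)",
]

# Matches the SRCH line and captures the search base and the raw mapping-data value.
FILTER_RE = re.compile(r'SRCH base="(?P<base>[^"]*)".*?filter="\(ipacertmapdata=(?P<data>.*?)\)" attrs=')

def unescape_filter_value(value):
    """Decode RFC 4515 hex escapes (\\28 -> '(' and \\29 -> ')')."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def escape_filter_value(value):
    """Inverse of the above for the characters RFC 4515 requires to be escaped."""
    for ch in ("\\", "(", ")", "*"):   # backslash first so later escapes are not doubled
        value = value.replace(ch, "\\%02x" % ord(ch))
    return value

def extract_certmap_searches(log_text):
    """Return (search base, decoded ipacertmapdata value) for each mapping search in the log."""
    return [(m.group("base"), unescape_filter_value(m.group("data")))
            for m in FILTER_RE.finditer(log_text)]

def matching_entries(searched, stored=STORED_ENTRIES):
    """Stored entries equal to what SSSD searched for (assumes an exact string comparison)."""
    return [e for e in stored if e == searched]

def ldapsearch_command(base, data):
    """The manual check flo suggests, with the filter re-escaped for the command line."""
    return f'ldapsearch -b "{base}" "(ipacertmapdata={escape_filter_value(data)})" uid'

if __name__ == "__main__":
    for base, data in extract_certmap_searches(SAMPLE_ACCESS_LOG):
        print("searched for:", data)
        print("matching stored entries:", matching_entries(data))
        print(ldapsearch_command(base, data))
```

Run it against the real access log by replacing SAMPLE_ACCESS_LOG with the file contents; a search that decodes to none of the stored entries shows exactly which RDN layout the mapping rule produced.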
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]