Hi Flo,

Thanks for the quick response! I have been following your helpful instructions, but we are still baffled. Frankly, I am starting to doubt my sanity :)

I removed all certificate and certmap data from a contractor's user account, then ran sss_cache -E to clear the cache. After that I ran ipa certmap-match against his certificate. Somehow I still got a match with the correct user name (!), and I got the following output from /var/log/sssd/sssd_staging.cool.cyber.dhs.gov.log:

(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sbus_method_handler] (0x2000): Received D-Bus method sssd.dataprovider.getAccountInfo on /sssd
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sbus_senders_lookup] (0x2000): Looking for identity of sender [sssd.ifp]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [dp_get_account_info_send] (0x0200): Got request for [0x14][BE_REQ_BY_CERT][cert=<base64_cert_data_redacted>]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [dp_attach_req] (0x0400): DP Request [Account #15631]: New request. Flags [0x0001].
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [dp_attach_req] (0x0400): Number of active DP request: 1
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sss_domain_get_state] (0x1000): Domain staging.cool.cyber.dhs.gov is Active
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sss_domain_get_state] (0x1000): Domain staging.cool.cyber.dhs.gov is Active
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_search_user_next_base] (0x0400): Searching for users with base [cn=accounts,dc=staging,dc=cool,dc=cyber,dc=dhs,dc=gov]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_print_server] (0x2000): Searching 10.128.0.4:389
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(ipacertmapdata=X509:<I>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,UID=0123456789.DHS HQ,CN=MAX M MUSTERMANN (affiliate))(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=staging,dc=cool,dc=cyber,dc=dhs,dc=gov].
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUserAuthType]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [mail]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x0080): ldap_search_ext failed: Bad search filter
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [generic_ext_search_handler] (0x0040): sdap_get_generic_ext_recv failed [1432158246]: Malformed search filter
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_users_done] (0x0040): Failed to retrieve users [1432158246][Malformed search filter].
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_id_op_done] (0x4000): releasing operation connection
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [ipa_id_get_account_info_orig_done] (0x0040): sdap_handle_acct request failed: 1432158246
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [dp_req_done] (0x0400): DP Request [Account #15631]: Request handler finished [0]: Success
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [_dp_req_recv] (0x0400): DP Request [Account #15631]: Receiving request data.
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [dp_req_destructor] (0x0400): DP Request [Account #15631]: Request removed.
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [dp_req_destructor] (0x0400): Number of active DP request: 0
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [dp_req_reply_std] (0x1000): DP Request [Account #15631]: Returning [Internal Error]: 3,1432158246,Malformed search filter
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sbus_issue_request_done] (0x0400): sssd.dataprovider.getAccountInfo: Success
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sbus_dispatch] (0x4000): Dispatching.

Are you able to explain what is going on here? I don't understand how the certificate is still matching if the user has no certificate or certmap data.

Thanks for your help,
Shane

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
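A note on the "Bad search filter" / "Malformed search filter" errors in the log above, with an added example that is editor's code and not part of this thread, SSSD or FreeIPA: the filter SSSD hands to ldap_search_ext embeds the certificate subject verbatim, and that subject's CN ends in "(affiliate)". RFC 4515 requires '(', ')', '*', '\' and NUL inside an assertion value to be escaped as \XX, so an unescaped parenthesis in the value makes the whole filter unparseable and the user search fails before any entry is compared. The code below escapes a certmap value correctly and includes a small RFC 4515 filter parser (and/or/not plus simple items; no extensible-match syntax) that rejects the naive filter and accepts the escaped one. The issuer and subject DNs are constructed stand-ins, not the ones from the log.

```python
# Added example for this thread (editor's code, not SSSD or FreeIPA code).
# Demonstrates why a DN containing "(affiliate)" breaks an LDAP filter unless
# the value is escaped per RFC 4515, and shows the escaped form parsing cleanly.


class MalformedFilter(ValueError):
    """Raised when a filter string violates the (subset of) RFC 4515 grammar."""


# Characters that must be hex-escaped inside an assertion value (RFC 4515 s.3).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP filter assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_certmap_filter(issuer_dn: str, subject_dn: str) -> str:
    """Build the same shape of filter seen in the SSSD log, with the value escaped."""
    mapdata = f"X509:<I>{issuer_dn}<S>{subject_dn}"
    return (
        "(&(ipacertmapdata=" + escape_filter_value(mapdata) + ")"
        "(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))"
    )


def parse_filter(flt: str):
    """Parse a filter into nested tuples: ('&'|'|', [children]), ('!', child)
    or (op, attr, value). Raises MalformedFilter on unescaped parentheses,
    bad escapes, or unbalanced structure."""
    pos, node = _parse(flt, 0)
    if pos != len(flt):
        raise MalformedFilter(f"trailing data at offset {pos}")
    return node


def is_well_formed(flt: str) -> bool:
    """True if parse_filter accepts the filter, False if it is malformed."""
    try:
        parse_filter(flt)
    except MalformedFilter:
        return False
    return True


def _parse(s: str, i: int):
    if i >= len(s) or s[i] != "(":
        raise MalformedFilter(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise MalformedFilter("unexpected end of filter")
    op = s[i]
    if op in "&|":                       # filter list: one or more sub-filters
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            i, child = _parse(s, i)
            children.append(child)
        if not children:
            raise MalformedFilter(f"empty '{op}' list at offset {i}")
        node = (op, children)
    elif op == "!":                      # negation of exactly one sub-filter
        i, child = _parse(s, i + 1)
        node = ("!", child)
    else:                                # simple item: attr=value
        i, node = _parse_item(s, i)
    if i >= len(s) or s[i] != ")":
        raise MalformedFilter(f"expected ')' at offset {i}")
    return i + 1, node


def _parse_item(s: str, i: int):
    eq = s.find("=", i)
    if eq == -1:
        raise MalformedFilter(f"no '=' in item at offset {i}")
    attr, op = s[i:eq], "="
    if attr and attr[-1] in "<>~":       # >=, <=, ~= comparisons
        attr, op = attr[:-1], attr[-1] + "="
    if not attr or "(" in attr or ")" in attr:
        raise MalformedFilter(f"bad attribute description at offset {i}")
    i = eq + 1
    raw = bytearray()                    # collect bytes so \XX escapes can form UTF-8
    while i < len(s) and s[i] != ")":
        ch = s[i]
        if ch == "\\":
            hexpart = s[i + 1:i + 3]
            if len(hexpart) != 2 or any(c not in "0123456789abcdefABCDEF" for c in hexpart):
                raise MalformedFilter(f"bad escape at offset {i}")
            raw.append(int(hexpart, 16))
            i += 3
        elif ch == "(":
            raise MalformedFilter(f"unescaped '(' in value at offset {i}")
        else:
            raw += ch.encode("utf-8")
            i += 1
    return i, (op, attr, raw.decode("utf-8"))


# Constructed DNs with the same shape as the log's (parentheses in the CN).
ISSUER_DN = "C=US,O=Example Government,OU=Example CA"
SUBJECT_DN = "C=US,O=Example Government,CN=MAX M MUSTERMANN (affiliate)"

# Value embedded verbatim, as in the logged ldap_search_ext call: rejected.
NAIVE_FILTER = (
    f"(&(ipacertmapdata=X509:<I>{ISSUER_DN}<S>{SUBJECT_DN})(objectclass=posixAccount))"
)
# Value escaped per RFC 4515: accepted.
SAFE_FILTER = build_certmap_filter(ISSUER_DN, SUBJECT_DN)

if __name__ == "__main__":
    print("naive filter well-formed:", is_well_formed(NAIVE_FILTER))
    print("escaped filter well-formed:", is_well_formed(SAFE_FILTER))
    print(SAFE_FILTER)
```

Running it prints False for the naive filter and True for the escaped one. When a certmap lookup fails this way the server never evaluates the search, which is why the log shows "Failed to retrieve users" and an "Internal Error" reply rather than "no entries found"; any match reported alongside such an error is worth tracing to a different code path or cached data rather than to this search.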
