Bug 1366572
Summary: | [RFE] Web UI: allow Smart Card authentication | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Martin Kosek <mkosek> | |
Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> | |
Status: | CLOSED ERRATA | QA Contact: | Scott Poore <spoore> | |
Severity: | unspecified | Docs Contact: | Aneta Šteflová Petrová <apetrova> | |
Priority: | high | |||
Version: | 7.4 | CC: | afarley, dkupka, ipa-maint, ipa-qe, jpazdziora, ksiddiqu, mbasti, nsoman, pvoborni, pvomacka, rcritten, spoore | |
Target Milestone: | rc | Keywords: | FutureFeature, TechPreview | |
Target Release: | --- | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | ipa-4.5.0-3.el7 | Doc Type: | Enhancement | |
Doc Text: |
IdM web UI enables smart card login
The Identity Management web UI enables users to log in using smart cards.
For details, see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/sc-web-ui-auth.html.
|
Story Points: | --- | |
Clone Of: | 1317379 | |||
: | 1430655 | Environment: | ||
Last Closed: | 2017-08-01 09:39:54 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | 1317379, 1343422, 1402820, 1403194 | |||
Bug Blocks: | 1396494, 1399979, 1430655 |
Description
Martin Kosek
2016-08-12 11:17:02 UTC
Upstream ticket: https://fedorahosted.org/freeipa/ticket/6225

Fixed upstream
master:
https://pagure.io/freeipa/c/75c592d3b9081474cae51c929e6af29c7a0eebb6
https://pagure.io/freeipa/c/585547ee9478ea0173106d88d40d7807baab8bcf

Fixed upstream
master:
https://pagure.io/freeipa/c/f4cd61f3011877fc9cc2a809438059b07362b0aa

Upstream ticket: https://pagure.io/freeipa/issue/6819

There is an issue which breaks the cert login: comment 7 - #6819.

Fixed upstream
ipa-4-5:
https://pagure.io/freeipa/c/203d5416ce807f5cdcf9e2431feef84d49b3df61
https://pagure.io/freeipa/c/8fde0b88d7c9360e16820d6086eba3e3ca0eee1e
master:
https://pagure.io/freeipa/c/054f1bd78b04a79f765f524f829b34c0ee252a1b
https://pagure.io/freeipa/c/0ba0c0781367d8e2d4affca29e3cf5ab93c4c33a

Fixed upstream
ipa-4-5:
https://pagure.io/freeipa/c/c80941e98bfd00c1c6e530aa4a592354adff8d90
master:
https://pagure.io/freeipa/c/7e1fdd2c5881893fd9540689045a11f9e88beef9

Upstream ticket: https://pagure.io/freeipa/issue/6823

Fixed upstream
ipa-4-5:
https://pagure.io/freeipa/c/aa24ed88006925e6d7e44567b087364b0116db9c
master:
https://pagure.io/freeipa/c/27d13d90fe9b06618c88bc20b7d6540e6b4d367f

Verified.

Version ::

ipa-server-4.5.0-9.el7.x86_64

Results ::

Both with and without certmaprules, I can login to the WebUI with a smart card:

notes:

    [root@auto-hv-02-guest08 ~]# ipa user-show scuser107
      User login: scuser107
      First name: f
      Last name: l
      Home directory: /home/scuser107
      Login shell: /bin/sh
      Principal name: scuser107
      Principal alias: scuser107
      Email address: scuser107
      UID: 576400135
      GID: 576400135
      Certificate: [...]
      Account disabled: False
      Password: True
      Member of groups: ipausers
      Kerberos keys available: True

    [root@auto-hv-02-guest08 ~]# ipa certmaprule-find
    -------------------------------------------
    1 Certificate Identity Mapping Rule matched
    -------------------------------------------
      Rule name: combined
      Mapping rule: (|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500}))
      Matching rule: <ISSUER>CN=Certificate Authority,O=TESTRELM.TEST
      Enabled: TRUE
    ----------------------------
    Number of entries returned 1
    ----------------------------

It should be noted that there were problems with logging in as different users. I will post that under bug #1430675 though. For the basic purpose of this bug covering WebUI authentication with Smart Cards, it appears to work for this version.

Please note that Red Hat officially released public RHEL-7.4 Beta this week, as announced here:

https://www.redhat.com/en/about/blog/red-hat-enterprise-linux-74-beta-now-available

The new RHEL-7.4 release includes a lot of new IdM functionality, including this RFE. Highlights can be found in RHEL-7.4 Release Notes, especially in the Authentication & Interoperability chapter:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html/7.4_Release_Notes/new_features_authentication_and_interoperability.html

IdM Engineering team would like to encourage everyone interested in this new functionality (and especially customers or community members requesting it) to try Beta and provide us with your feedback!

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304