Bug 1402959
Summary: | [RFE] Universal Smart Card to Identity mapping | |
---|---|---|---
Product: | Red Hat Enterprise Linux 7 | Reporter: | Petr Vobornik <pvoborni>
Component: | ipa | Assignee: | IPA Maintainers <ipa-maint>
Status: | CLOSED ERRATA | QA Contact: | Scott Poore <spoore>
Severity: | unspecified | Docs Contact: | Aneta Šteflová Petrová <apetrova>
Priority: | high | |
Version: | 7.3 | CC: | dkupka, frenaud, ipa-qe, jcholast, jpazdziora, mkosek, nsoman, pvoborni, rcritten, spoore
Target Milestone: | rc | Keywords: | FutureFeature
Target Release: | --- | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | ipa-4.5.0-5.el7 | Doc Type: | Enhancement
Story Points: | --- | |
Clone Of: | | Environment: |
Last Closed: | 2017-08-01 09:44:33 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | 1430675 | |
Bug Blocks: | 1399979, 1411849, 1411852, 1411858, 1430653 | |

Doc Text:

IdM supports flexible mapping mechanisms for linking smart card certificates to user accounts

Previously, the only way to find a user account corresponding to a certain smart card in Identity Management (IdM) was to provide the whole smart card certificate as a Base64-encoded DER string. With this update, it is also possible to find a user account by specifying attributes of the smart card certificate rather than the certificate string itself. For example, the administrator can now define matching and mapping rules to link smart card certificates issued by a certain certificate authority (CA) to a user account in IdM.

For details, see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/smart-cards.html#sc-one-card-multiple-accounts-links.
Description
Petr Vobornik
2016-12-08 18:34:36 UTC
Let me propose a more descriptive name.

Upstream ticket: https://fedorahosted.org/freeipa/ticket/6601

Fixed upstream master:
https://pagure.io/freeipa/c/27027bbc9cf7faa29c3c94686635559cbcbde98a
https://pagure.io/freeipa/c/fba318b83337b71ccb3421690071a130171fbdfe
https://pagure.io/freeipa/c/d3700275c1b63aeeab13c7dd9e09249bc2c8e4d7
https://pagure.io/freeipa/c/19426f32ff99feb7c64a4174728cd2b6b946a49a

Fixed upstream master:
https://pagure.io/freeipa/c/6be32edde0ae16473d4d109747adae78f9d725e4
https://pagure.io/freeipa/c/1d6cc35c03669ea67d9e9ee9ca0ff62401d1b157
https://pagure.io/freeipa/c/358caa7da44c997b505f54ec70cb6be58d188751
https://pagure.io/freeipa/c/61cd4372e142662c06c881886709fe1b573102a9

Fixed upstream master:
https://pagure.io/freeipa/c/ea34e17a46a60efb9c4dc81dab919a1639dec73b

Fixed upstream master:
https://pagure.io/freeipa/c/0298ecf441ba38858d7909b8c3b4cc2b4c4e53c4

Requires additional fixes:

Fixed upstream master:
https://pagure.io/freeipa/c/ee455f163d756a6b71db8e999365139cad46c6ad
https://pagure.io/freeipa/c/8960398a57f69c124ec3105289dc355baa0d5b09
ipa-4-5:
https://pagure.io/freeipa/c/8046f9baab1e93b8b8e11d05088c8cdabdd47281
https://pagure.io/freeipa/c/a510a3d7e9f37e89acee84bed2363cb7f57fe88e

Previous patchset was missing some configure checks.

Fixed upstream master:
https://pagure.io/freeipa/c/67e5244cad72bef76de1c4df47a0c77a672fa861
https://pagure.io/freeipa/c/b18ee8b9dd3b1d0cfdc45373a7a56747e1f993a3
ipa-4-5:
https://pagure.io/freeipa/c/8be6987da72dff0ebd4e02c946b45b5b1705d880
https://pagure.io/freeipa/c/127f7ce699677d8c689099eac350a54293a5009d

Ok, working on Verification and will have to post results in stages.

First stage here:

Tested with CAC cards with certmaprules and certmapdata successfully for GDM and SU. With SSH we are limited to whole cert only.

Following scenarios tested for CAC cards GDM and SU:

- card=[cac], certusers=[user1], testuser=user1 -> PASS PASS - worked with whole cert and certmapdata
- card=[cac], certusers=[user1, user2], testuser=user1 -> PASS PASS - worked with whole cert and certmapdata
- card=[cac], certusers=[user1, user2], testuser=user2 -> PASS PASS - worked with whole cert and certmapdata
- card=[cac], certusers=[user1, user2], testuser=user3 -> FAIL PASS - worked with whole cert and certmapdata

Also, testing basics with PKCS#15 card with IPA Certs:

[root@dhcp129-184 ~]# ipa certmaprule-find combined
-------------------------------------------
1 Certificate Identity Mapping Rule matched
-------------------------------------------
  Rule name: combined
  Mapping rule: (|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500}))
  Matching rule: <ISSUER>CN=Certificate Authority,O=TESTRELM.TEST
  Enabled: TRUE
----------------------------
Number of entries returned 1
----------------------------

[root@dhcp129-184 ~]# ipa user-show scuser107
  User login: scuser107
  First name: f
  Last name: l
  Home directory: /home/scuser107
  Login shell: /bin/sh
  Principal name: scuser107
  Principal alias: scuser107
  Email address: scuser107
  UID: 576400135
  GID: 576400135
  Certificate mapping data: X509:<I>O=TESTRELM.TEST,CN=Certificate Authority<S>O=TESTRELM.TEST,CN=scuser107
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@dhcp129-184 ~]# ipa user-show demosc2
  User login: demosc2
  First name: demosc2
  Last name: demosc2
  Home directory: /home/demosc2
  Login shell: /bin/sh
  Principal name: demosc2
  Principal alias: demosc2
  Email address: demosc2
  UID: 576400132
  GID: 576400132
  Certificate mapping data: X509:<I>O=TESTRELM.TEST,CN=Certificate Authority<S>O=TESTRELM.TEST,CN=scuser107
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@dhcp129-184 ~]# su - demosc1 -c "su - demosc2 -c whoami"
PIN for scuser107 (OpenSC Card) for user demosc2
demosc2
[root@dhcp129-184 ~]# su - demosc1 -c "su - scuser107 -c whoami"
PIN for scuser107 (OpenSC Card) for user scuser107
scuser107

And testing PKCS#15 card with IPA certs revoked (reason=hold):

[root@auto-hv-02-guest08 ~]# ipa cert-revoke 0x64 --revocation-reason=6
  Revoked: True

Note these ask for Password, not PIN:

[root@dhcp129-184 ~]# su - demosc1 -c "su - scuser107 -c whoami"
Password:
scuser107
[root@dhcp129-184 ~]# su - demosc1 -c "su - demosc2 -c whoami"
Password:
demosc2

And with Revoke Hold Removed:

[root@dhcp129-184 ~]# ipa cert-remove-hold 0x64
  Unrevoked: True

These are asking for PIN as expected:

[root@dhcp129-184 ~]# su - demosc1 -c "su - scuser107 -c whoami"
PIN for scuser107 (OpenSC Card) for user scuser107
scuser107
[root@dhcp129-184 ~]# su - demosc1 -c "su - demosc2 -c whoami"
PIN for scuser107 (OpenSC Card) for user demosc2
demosc2

And with OCSP checking disabled on the client, we are able to still authenticate with the PIN as expected:

[root@dhcp129-184 ~]# grep no_ocsp /etc/sssd/sssd.conf
certificate_verification = no_ocsp
[root@dhcp129-184 ~]# !systemctl
systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd
[root@dhcp129-184 ~]# ipa cert-revoke 0x64 --revocation-reason=6
  Revoked: True
[root@dhcp129-184 ~]# su - demosc1 -c "su - scuser107 -c whoami"
PIN for scuser107 (OpenSC Card) for user scuser107
scuser107
[root@dhcp129-184 ~]# su - demosc1 -c "su - demosc2 -c whoami"
PIN for scuser107 (OpenSC Card) for user demosc2
demosc2

Verified.

Note that the mixed IPA and AD User scenario still needs to be resolved in this bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1445445

Version ::

ipa-server-4.5.0-11.el7.x86_64

Results ::

See comments above:

comment #12
comment #13
comment #14

Also,

########## SSH Tests with Certificate for multiple users #################
########## SSH requires whole certificate ################################

[root@dhcp129-184 ~]# ipa user-add-cert demosc1 --certificate=$(cat /root/testing/demosc1_cert1.crt|sed '/CERT/d'|tr -d '\r\n')
------------------------------------
Added certificates to user "demosc1"
------------------------------------
  User login: demosc1
  Certificate: MII...

[root@dhcp129-184 ~]# ipa user-add-cert demosc2 --certificate=$(cat /root/testing/demosc1_cert1.crt|sed '/CERT/d'|tr -d '\r\n')
------------------------------------
Added certificates to user "demosc2"
------------------------------------
  User login: demosc2
  Certificate: MII...

[root@dhcp129-184 ~]# ipa certmap-match /root/testing/demosc1_cert1.crt
---------------
2 users matched
---------------
  Domain: TESTRELM.TEST
  User logins: demosc1, demosc2
----------------------------
Number of entries returned 1
----------------------------

[root@dhcp129-184 ~]# ssh -I /usr/lib64/opensc-pkcs11.so -l demosc1 $(hostname) whoami
Enter PIN for 'demosc1 (OpenSC Card)':
demosc1
[root@dhcp129-184 ~]# ssh -I /usr/lib64/opensc-pkcs11.so -l demosc2 $(hostname) whoami
Enter PIN for 'demosc1 (OpenSC Card)':
demosc2
[root@dhcp129-184 ~]# ssh -I /usr/lib64/opensc-pkcs11.so -l demosc3 $(hostname) whoami
no such identity: /root/.ssh/id_ed25519: No such file or directory
Password:
demosc3

########## SSH Tests with Revoked Certificate #################

[root@dhcp129-184 ~]# ipa cert-revoke 0x65 --revocation-reason=6
  Revoked: True
[root@dhcp129-184 ~]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd
[root@dhcp129-184 ~]# ssh -I /usr/lib64/opensc-pkcs11.so -l demosc1 $(hostname) whoami
no such identity: /root/.ssh/id_ed25519: No such file or directory
Password:
demosc1
[root@dhcp129-184 ~]# ssh -I /usr/lib64/opensc-pkcs11.so -l demosc2 $(hostname) whoami
no such identity: /root/.ssh/id_ed25519: No such file or directory
Password:
demosc2

########## SSH Tests with Revoke Hold Removed #################

[root@dhcp129-184 ~]# ipa cert-remove-hold 0x65
  Unrevoked: True
[root@dhcp129-184 ~]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd
[root@dhcp129-184 ~]# ssh -I /usr/lib64/opensc-pkcs11.so -l demosc1 $(hostname) whoami
Enter PIN for 'demosc1 (OpenSC Card)':
demosc1
[root@dhcp129-184 ~]# ssh -I /usr/lib64/opensc-pkcs11.so -l demosc2 $(hostname) whoami
Enter PIN for 'demosc1 (OpenSC Card)':
demosc2

#### And other test results summarized

#####################################################################
# WebUI Test cases from CLIENT with prompt=True
#####################################################################

############# single-user tests ######################################
#
1. card=[1 valid], certusers=[user1], testuser=None -> PASS PASS
2. card=[1 valid], certusers=[user1], testuser=user1 -> PASS PASS
3. card=[1 valid], certusers=[user1], testuser=user2 -> FAIL PASS (Failed as expected)

############# multi-user tests ######################################
# showing sssd and ipa file both users for cert:
# [root@auto-hv-02-guest08 testing]# dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.ListByCertificate string:"$(cat /root/testing/demosc1_cert1.crt)" uint32:10
# method return sender=:1.786 -> dest=:1.787 reply_serial=2
#    array [
#       object path "/org/freedesktop/sssd/infopipe/Users/testrelm_2etest/576400131"
#       object path "/org/freedesktop/sssd/infopipe/Users/testrelm_2etest/576400132"
#    ]
#
# [root@auto-hv-02-guest08 testing]# ipa certmap-match demosc1_cert1.crt
# ---------------
# 2 users matched
# ---------------
#   Domain: TESTRELM.TEST
#   User logins: demosc1, demosc2
# ----------------------------
# Number of entries returned 1
# ----------------------------
4. card=[1 valid], certusers=[user1, user2], testuser=None -> FAIL PASS (Failed as expected)
5. card=[1 valid], certusers=[user1, user2], testuser=user1 -> PASS PASS
6. card=[1 valid], certusers=[user1, user2], testuser=user2 -> PASS PASS
7. card=[1 valid], certusers=[user1, user2], testuser=user3 -> FAIL PASS (Failed as expected)

################## promptusername=False
#
# [root@auto-hv-02-guest08 testing]# ipa certmapconfig-mod --promptusername=False
#   Prompt for the username: FALSE
#
# [root@auto-hv-02-guest08 testing]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd
#
# [root@auto-hv-02-guest08 testing]# ipa user-remove-certmapdata demosc2 --certificate=$(cat demosc1_cert1.crt|sed '/CERT/d'| tr -d '\r\n')
# ------------------------------------------------
# Removed certificate mappings from user "demosc2"
# ------------------------------------------------
#   User login: demosc2
#
######### single-user tests
#
1. card=[1 valid], certusers=[user1], testuser=None -> PASS PASS
2. card=[1 valid], certusers=[user1], testuser=user1 -> PASS PASS
3. card=[1 valid], certusers=[user1], testuser=user2 -> FAIL PASS (Failed as expected)

######### multi-user tests
#
4. card=[1 valid], certusers=[user1, user2], testuser=None -> FAIL PASS (Failed as expected but did not show error...still didn't login)
5. card=[1 valid], certusers=[user1, user2], testuser=user1 -> PASS PASS
6. card=[1 valid], certusers=[user1, user2], testuser=user2 -> PASS PASS
7. card=[1 valid], certusers=[user1, user2], testuser=user3 -> FAIL PASS (Failed as expected)

#############################################################
# ipa generated cert
#############################################################
- card=[1 valid], certusers=[aduser1], testuser=aduser1 -> PASS
  GDM: PASS
  SU: PASS
  SSH: PASS
- card=[1 valid], certusers=[user1, aduser1], testuser=user1 -> PASS
  FAIL: https://bugzilla.redhat.com/show_bug.cgi?id=1445445
- card=[1 valid], certusers=[user1, aduser1], testuser=aduser1 -> PASS
  FAIL: https://bugzilla.redhat.com/show_bug.cgi?id=1445445
- card=[1 valid], certusers=[user1, aduser1], testuser=aduser2 -> FAIL
  CANNOT TEST: https://bugzilla.redhat.com/show_bug.cgi?id=1445445
- card=[1 valid], certusers=[aduser1, aduser2], testuser=aduser1 -> PASS
  GDM: PASS
  SU: PASS
  SSH: PASS
- card=[1 valid], certusers=[aduser1, aduser2], testuser=aduser2 -> PASS
  GDM: PASS
  SU: PASS
  SSH: PASS
- card=[1 valid], certusers=[aduser1, aduser2], testuser=aduser3 -> FAIL
  GDM: PASS (Failed as expected)
  SU: PASS (Failed as expected)
  SSH: PASS (Failed as expected)

Please note that Red Hat officially released public RHEL-7.4 Beta this week, as announced here:
https://www.redhat.com/en/about/blog/red-hat-enterprise-linux-74-beta-now-available

The new RHEL-7.4 release includes a lot of new IdM functionality, including this RFE. Highlights can be found in RHEL-7.4 Release Notes, especially in the Authentication & Interoperability chapter:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html/7.4_Release_Notes/new_features_authentication_and_interoperability.html

IdM Engineering team would like to encourage everyone interested in this new functionality (and especially customers or community members requesting it) to try Beta and provide us with your feedback!

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304
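The Doc Text and the `combined` rule in the verification output show the two lookup paths this RFE adds: a whole-certificate match (`{cert!bin}` against `userCertificate;binary`) and a certificate-attribute match (`ipacertmapdata` built from the issuer and subject DN), gated by a `<ISSUER>` matching rule. The model below is an added example written for this page, not FreeIPA or SSSD code. It reconstructs how the matching rule gates a certificate, how the `{issuer_dn!nss_x500}` and `{subject_dn!nss_x500}` templates reverse a DN into X.500 order (which is why the stored value reads `O=TESTRELM.TEST,CN=...` while the `<ISSUER>` rule reads `CN=...,O=TESTRELM.TEST`), and why one card can resolve to several logins. The `DIRECTORY`, `users_for_cert`, `render_mapping_rule` and `matches` names, the stub DER bytes, the sample entries and the use of unanchored regex search are all assumptions of this model; SSSD's real implementation lives in its certmap library and handles more templates and options than shown here.

```python
"""Toy model of IdM/SSSD certificate identity mapping (hypothetical helper
code written for this page, not FreeIPA or SSSD code).

Assumptions: DNs are RFC 4514 strings in LDAP order (most specific RDN first,
e.g. "CN=x,O=y"), as `openssl x509 -noout -issuer -subject -nameopt RFC2253`
prints them; only the {issuer_dn}, {subject_dn} and {cert!bin} templates and
the <ISSUER>/<SUBJECT> matching components are modelled; NSS-vs-AD attribute
naming (ST vs S) is ignored.
"""
import re


def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped, so that
    "CN=Doe\\, John,O=ACME" yields two RDNs rather than three."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf).strip())
    return [r for r in rdns if r]


def to_x500(dn):
    """LDAP order (CN=...,O=...) -> X.500 order (O=...,CN=...): this is what
    the {...!nss_x500} conversion emits and what ipacertmapdata stores."""
    return ",".join(reversed(split_rdns(dn)))


def ldap_filter_escape(data):
    """Escape raw DER bytes for an LDAP filter; escaping every byte as
    backslash-hex is always valid under RFC 4515."""
    return "".join("\\%02x" % b for b in data)


def certmapdata(issuer_dn, subject_dn):
    """The X509:<I>issuer<S>subject value stored in a user's ipacertmapdata."""
    return "X509:<I>%s<S>%s" % (to_x500(issuer_dn), to_x500(subject_dn))


_TEMPLATE = re.compile(r"\{(issuer_dn|subject_dn|cert)(?:!([a-z0-9_]+))?\}")


def render_mapping_rule(template, issuer_dn, subject_dn, cert_der=b""):
    """Expand a mapping rule into the LDAP filter that would be searched."""
    def expand(m):
        name, conv = m.group(1), m.group(2)
        if name == "cert":
            if conv != "bin":
                raise ValueError("unsupported cert conversion: %r" % conv)
            return ldap_filter_escape(cert_der)
        dn = issuer_dn if name == "issuer_dn" else subject_dn
        if conv in (None, "nss", "nss_ldap", "ad_ldap"):
            return dn                   # LDAP order is the default
        if conv in ("nss_x500", "ad", "ad_x500"):
            return to_x500(dn)
        raise ValueError("unsupported DN conversion: %r" % conv)
    return _TEMPLATE.sub(expand, template)


_COMPONENT = re.compile(r"<(ISSUER|SUBJECT)>(.*?)(?=<(?:ISSUER|SUBJECT)>|$)")


def matches(matching_rule, issuer_dn, subject_dn):
    """True when every <ISSUER>/<SUBJECT> pattern matches the certificate.
    Patterns are applied as unanchored regex searches (an assumption of this
    model), so anchor them with ^ and $ when an exact issuer is required."""
    components = _COMPONENT.findall(matching_rule)
    if not components:
        raise ValueError("no <ISSUER>/<SUBJECT> component in matching rule")
    dns = {"ISSUER": issuer_dn, "SUBJECT": subject_dn}
    return all(re.search(pattern, dns[key]) for key, pattern in components)


def users_for_cert(directory, matching_rule, issuer_dn, subject_dn, cert_der=b""):
    """Logins the certificate maps to under the page's 'combined' rule: whole
    certificate OR issuer/subject mapping data. More than one user can match,
    which is why the login then has to name the account it wants."""
    if not matches(matching_rule, issuer_dn, subject_dn):
        return []
    wanted = certmapdata(issuer_dn, subject_dn)
    return sorted(login for login, entry in directory.items()
                  if wanted in entry["ipacertmapdata"]
                  or cert_der in entry["usercertificate"])


# Constructed sample directory modelled on the verification output; the DER
# bytes are a stub, not a real certificate.
CA_DN = "CN=Certificate Authority,O=TESTRELM.TEST"
USER_DN = "CN=scuser107,O=TESTRELM.TEST"
STUB_DER = b"\x30\x03\x02\x01\x01"
DIRECTORY = {
    "scuser107": {"ipacertmapdata": [certmapdata(CA_DN, USER_DN)], "usercertificate": []},
    "demosc2": {"ipacertmapdata": [certmapdata(CA_DN, USER_DN)], "usercertificate": []},
    "demosc1": {"ipacertmapdata": [], "usercertificate": [STUB_DER]},
}
MATCHING_RULE = "<ISSUER>CN=Certificate Authority,O=TESTRELM.TEST"
MAPPING_RULE = ("(|(userCertificate;binary={cert!bin})"
                "(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500}))")
```

Calling `users_for_cert(DIRECTORY, MATCHING_RULE, CA_DN, USER_DN)` returns both `demosc2` and `scuser107`, the same two-users-one-card situation the verification transcript exercises with `su` and the WebUI username prompt, while a certificate from a different issuer is rejected by the matching rule before any directory lookup happens. One caveat the model makes visible: a `<ISSUER>` pattern is a regular expression, so `O=TESTRELM.TEST` also matches `O=TESTRELMXTEST`, and an unanchored pattern also matches a longer DN that merely contains it; when only one CA may be trusted, anchor and escape the pattern (`^CN=Certificate Authority,O=TESTRELM\.TEST$`) and verify the result with `ipa certmap-match` as the verification comment does.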