Bug 1403194

Summary: Rebase mod_auth_gssapi to enable IdM Web UI External Authentication

| Field | Value | Field | Value |
|---|---|---|---|
| Product | Red Hat Enterprise Linux 7 | Reporter | Martin Kosek <mkosek> |
| Component | mod_auth_gssapi | Assignee | Simo Sorce <ssorce> |
| Status | CLOSED ERRATA | QA Contact | Scott Poore <spoore> |
| Severity | medium | Docs Contact | |
| Priority | high | | |
| Version | 7.4 | CC | ipa-qe, isenfeld, ksiddiqu, nsoman |
| Target Milestone | rc | Keywords | Rebase |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2017-08-01 21:01:46 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 1366572, 1399979 | | |
Description
Martin Kosek
2016-12-09 12:01:20 UTC
1.5.1 packages built

Verified.

Version :: mod_auth_gssapi-1.5.1-2.el7.x86_64

Results :: Tested with bug #1366572

Also, further tested basic access to WebUI for the following scenarios:

- cert on card with certmapdata for one user
- cert on card with certmapdata for two users

Both worked.

- tested that users without certmapdata are not able to log in with cert
- tested with certmapconfig-mod promptusername=True and False

Also tested that the admin user is able to log in with password and still perform basic WebUI tasks: added a user, viewed data from different areas.

```
[root@auto-hv-02-guest08 testing]# dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.ListByCertificate string:"$(cat /root/testing/demosc1_cert1.crt)" uint32:10
method return sender=:1.786 -> dest=:1.787 reply_serial=2
   array [
      object path "/org/freedesktop/sssd/infopipe/Users/testrelm_2etest/576400131"
      object path "/org/freedesktop/sssd/infopipe/Users/testrelm_2etest/576400132"
   ]
[root@auto-hv-02-guest08 testing]# ipa certmap-match demosc1_cert1.crt
---------------
2 users matched
---------------
  Domain: TESTRELM.TEST
  User logins: demosc1, demosc2
----------------------------
Number of entries returned 1
----------------------------
```

Both demosc1 and demosc2 are able to log in with the cert that the mapdata was created from.

Rule in place for this testing:

```
[root@auto-hv-02-guest08 testing]# ipa certmaprule-show combined
  Rule name: combined
  Mapping rule: (|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500}))
  Matching rule: <ISSUER>CN=Certificate Authority,O=TESTRELM.TEST
  Enabled: TRUE
```

And a little more info showing tests from curl:

```
[root@dhcp129-184 ~]# export SSL_DIR=/tmp/nssdb
[root@dhcp129-184 ~]# mkdir $SSL_DIR
[root@dhcp129-184 ~]# echo "passw0rd" > $SSL_DIR/password
[root@dhcp129-184 ~]# certutil -d $SSL_DIR -N -f $SSL_DIR/password
[root@dhcp129-184 ~]# modutil -dbdir $SSL_DIR -add smartcard -libfile /usr/lib64/opensc-pkcs11.so <<EOF
> 
> EOF

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:

Module "smartcard" added to database.
```

```
####################### demosc1 curl test ####################################
[root@dhcp129-184 ~]# curl -v --insecure --cert "demosc1 (OpenSC Card)\:Certificate:redhat" https://auto-hv-02-guest08.testrelm.test/ipa/session/login_x509?username=demosc1
* About to connect() to auto-hv-02-guest08.testrelm.test port 443 (#0)
*   Trying IPA_SERVER_IPA_ADDRESS_SCRUBBED...
* Connected to auto-hv-02-guest08.testrelm.test (IPA_SERVER_IPA_ADDRESS_SCRUBBED) port 443 (#0)
* Initializing NSS with certpath: sql:/tmp/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*   subject: CN=auto-hv-02-guest08.testrelm.test,O=TESTRELM.TEST
*   start date: Mar 31 21:17:28 2017 GMT
*   expire date: Apr 01 21:17:28 2019 GMT
*   common name: auto-hv-02-guest08.testrelm.test
*   issuer: CN=Certificate Authority,O=TESTRELM.TEST
> GET /ipa/session/login_x509?username=demosc1 HTTP/1.1
> User-Agent: curl/7.29.0
> Host: auto-hv-02-guest08.testrelm.test
> Accept: */*
> 
* skipping SSL peer certificate verification
* NSS: using client certificate: demosc1 (OpenSC Card):Certificate
*   subject: CN=demosc1,O=TESTRELM.TEST
*   start date: May 05 18:56:31 2017 GMT
*   expire date: May 06 18:56:31 2019 GMT
*   common name: demosc1
*   issuer: CN=Certificate Authority,O=TESTRELM.TEST
< HTTP/1.1 200 Success
< Date: Thu, 11 May 2017 16:47:36 GMT
< Server: Apache/2.4.6 (Red Hat Enterprise Linux) mod_auth_gssapi/1.5.1 mod_nss/1.0.14 NSS/3.28.4 mod_wsgi/3.4 Python/2.7.5
< IPASESSION: MagBearerToken=B0nKAn%2b7F5Q1HuwDobvHCtG%2bVmu%2bDlvtmPdNFRWyXO4RW6eD%2fdLUlzFN0cx42QVv9zynrJPoTvmfb8i2H52ZG3hxRzZMn5O5iKcjz6h%2fNh3tvCTHL8f%2bXB2zWDH8nPAfMPJGl%2bE2xGiSJ7LfdmxKThVPkHY4H5YWhagBfSXjshRktS97i7A3TIAH%2bCeVU%2fUGXH9KMiDiNNmpTqGbqs77GQ%3d%3d&expiry=1494523056703569
< Set-Cookie: ipa_session=MagBearerToken=B0nKAn%2b7F5Q1HuwDobvHCtG%2bVmu%2bDlvtmPdNFRWyXO4RW6eD%2fdLUlzFN0cx42QVv9zynrJPoTvmfb8i2H52ZG3hxRzZMn5O5iKcjz6h%2fNh3tvCTHL8f%2bXB2zWDH8nPAfMPJGl%2bE2xGiSJ7LfdmxKThVPkHY4H5YWhagBfSXjshRktS97i7A3TIAH%2bCeVU%2fUGXH9KMiDiNNmpTqGbqs77GQ%3d%3d&expiry=1494523056706452;Max-Age=1800;path=/ipa;httponly;secure;
< X-Frame-Options: DENY
< Content-Security-Policy: frame-ancestors 'none'
< Cache-Control: no-cache
< Content-Length: 0
< Content-Type: text/plain; charset=UTF-8
< 
* Connection #0 to host auto-hv-02-guest08.testrelm.test left intact
```

```
####################### demosc2 curl test ####################################
[root@dhcp129-184 ~]# curl -v --insecure --cert "demosc1 (OpenSC Card)\:Certificate:redhat" https://auto-hv-02-guest08.testrelm.test/ipa/session/login_x509?username=demosc2
* About to connect() to auto-hv-02-guest08.testrelm.test port 443 (#0)
*   Trying IPA_SERVER_IPA_ADDRESS_SCRUBBED...
* Connected to auto-hv-02-guest08.testrelm.test (IPA_SERVER_IPA_ADDRESS_SCRUBBED) port 443 (#0)
* Initializing NSS with certpath: sql:/tmp/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*   subject: CN=auto-hv-02-guest08.testrelm.test,O=TESTRELM.TEST
*   start date: Mar 31 21:17:28 2017 GMT
*   expire date: Apr 01 21:17:28 2019 GMT
*   common name: auto-hv-02-guest08.testrelm.test
*   issuer: CN=Certificate Authority,O=TESTRELM.TEST
> GET /ipa/session/login_x509?username=demosc2 HTTP/1.1
> User-Agent: curl/7.29.0
> Host: auto-hv-02-guest08.testrelm.test
> Accept: */*
> 
* skipping SSL peer certificate verification
* NSS: using client certificate: demosc1 (OpenSC Card):Certificate
*   subject: CN=demosc1,O=TESTRELM.TEST
*   start date: May 05 18:56:31 2017 GMT
*   expire date: May 06 18:56:31 2019 GMT
*   common name: demosc1
*   issuer: CN=Certificate Authority,O=TESTRELM.TEST
< HTTP/1.1 200 Success
< Date: Thu, 11 May 2017 16:47:42 GMT
< Server: Apache/2.4.6 (Red Hat Enterprise Linux) mod_auth_gssapi/1.5.1 mod_nss/1.0.14 NSS/3.28.4 mod_wsgi/3.4 Python/2.7.5
< IPASESSION: MagBearerToken=LDkLq%2bATGD4k5U%2fgK5ZPf2FwEcEJGLB0EJMMjFOxn%2b8sqKeFh84EPm4QP%2fHqYDuJMp%2bJ9IqlqAUTEY%2bc2TdBaWmIiI4EVE%2fAgpW4iAUPFpOLE1o0yCHevisF3DNly5wWqbixmeq7w500%2bNWco1jrVpcrXpi8YQ%2bs4lwznhv3OwJWQGU9%2bNRtJfmpVuVFu5feEnTuro9M8O7bjQsT3dA%2bMg%3d%3d&expiry=1494523062913055
< Set-Cookie: ipa_session=MagBearerToken=LDkLq%2bATGD4k5U%2fgK5ZPf2FwEcEJGLB0EJMMjFOxn%2b8sqKeFh84EPm4QP%2fHqYDuJMp%2bJ9IqlqAUTEY%2bc2TdBaWmIiI4EVE%2fAgpW4iAUPFpOLE1o0yCHevisF3DNly5wWqbixmeq7w500%2bNWco1jrVpcrXpi8YQ%2bs4lwznhv3OwJWQGU9%2bNRtJfmpVuVFu5feEnTuro9M8O7bjQsT3dA%2bMg%3d%3d&expiry=1494523062915844;Max-Age=1800;path=/ipa;httponly;secure;
< X-Frame-Options: DENY
< Content-Security-Policy: frame-ancestors 'none'
< Cache-Control: no-cache
< Content-Length: 0
< Content-Type: text/plain; charset=UTF-8
< 
* Connection #0 to host auto-hv-02-guest08.testrelm.test left intact
```

```
####################### demosc3 curl test ####################################
[root@dhcp129-184 ~]# curl -v --insecure --cert "demosc1 (OpenSC Card)\:Certificate:redhat" https://auto-hv-02-guest08.testrelm.test/ipa/session/login_x509?username=demosc3
* About to connect() to auto-hv-02-guest08.testrelm.test port 443 (#0)
*   Trying IPA_SERVER_IPA_ADDRESS_SCRUBBED...
* Connected to auto-hv-02-guest08.testrelm.test (IPA_SERVER_IPA_ADDRESS_SCRUBBED) port 443 (#0)
* Initializing NSS with certpath: sql:/tmp/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*   subject: CN=auto-hv-02-guest08.testrelm.test,O=TESTRELM.TEST
*   start date: Mar 31 21:17:28 2017 GMT
*   expire date: Apr 01 21:17:28 2019 GMT
*   common name: auto-hv-02-guest08.testrelm.test
*   issuer: CN=Certificate Authority,O=TESTRELM.TEST
> GET /ipa/session/login_x509?username=demosc3 HTTP/1.1
> User-Agent: curl/7.29.0
> Host: auto-hv-02-guest08.testrelm.test
> Accept: */*
> 
* skipping SSL peer certificate verification
* NSS: using client certificate: demosc1 (OpenSC Card):Certificate
*   subject: CN=demosc1,O=TESTRELM.TEST
*   start date: May 05 18:56:31 2017 GMT
*   expire date: May 06 18:56:31 2019 GMT
*   common name: demosc1
*   issuer: CN=Certificate Authority,O=TESTRELM.TEST
< HTTP/1.1 500 Internal Server Error
< Date: Thu, 11 May 2017 16:47:45 GMT
< Server: Apache/2.4.6 (Red Hat Enterprise Linux) mod_auth_gssapi/1.5.1 mod_nss/1.0.14 NSS/3.28.4 mod_wsgi/3.4 Python/2.7.5
< Set-Cookie: ipa_session=expiry=1494523066173148;Max-Age=1800;path=/ipa;httponly;secure;
< X-Frame-Options: DENY
< Content-Security-Policy: frame-ancestors 'none'
< Cache-Control: no-cache
< Set-Cookie: ipa_session=expiry=1494523066173148;Max-Age=1800;path=/ipa;httponly;secure;
< Content-Length: 527
< Connection: close
< Content-Type: text/html; charset=iso-8859-1
< 
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or misconfiguration and was unable to complete your request.</p>
<p>Please contact the server administrator at root@localhost to inform them of the time this error occurred, and the actions you performed just before this error.</p>
<p>More information about this error may be available in the server error log.</p>
</body></html>
* Closing connection 0
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:2071
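The curl runs above show what the certmap rule enforces: the card's certificate logs in as demosc1 and demosc2, who carry matching ipacertmapdata, and is refused for demosc3, who does not. The following Python model of that check is an added example, not code from IPA, SSSD or mod_auth_gssapi; the certificates, users and DER bytes are constructed, and plain DN strings stand in for the nss_x500 formatting the real rule uses.

```python
from dataclasses import dataclass, field


@dataclass
class Cert:
    issuer: str   # issuer DN as a plain string (stands in for {issuer_dn!nss_x500})
    subject: str  # subject DN, likewise (stands in for {subject_dn!nss_x500})
    der: bytes    # constructed stand-in for the DER-encoded certificate


@dataclass
class User:
    login: str
    certmapdata: set = field(default_factory=set)  # ipacertmapdata values
    certs: set = field(default_factory=set)        # userCertificate;binary values


# Matching rule from the bug's "combined" certmaprule: only certs from this issuer are mapped.
MATCHING_RULE = "<ISSUER>CN=Certificate Authority,O=TESTRELM.TEST"


def map_data(cert: Cert) -> str:
    """ipacertmapdata value the mapping rule compares against: X509:<I>issuer<S>subject."""
    return f"X509:<I>{cert.issuer}<S>{cert.subject}"


def rule_applies(cert: Cert, matching_rule: str = MATCHING_RULE) -> bool:
    """Model of the matching rule: the certmap rule is consulted only for the pinned issuer."""
    prefix = "<ISSUER>"
    return matching_rule.startswith(prefix) and cert.issuer == matching_rule[len(prefix):]


def match_users(cert: Cert, users: list) -> list:
    """Model of `ipa certmap-match`: users holding the cert itself or its certmapdata string."""
    if not rule_applies(cert):
        return []
    wanted = map_data(cert)
    return sorted(u.login for u in users if cert.der in u.certs or wanted in u.certmapdata)


def login_x509(username: str, cert: Cert, users: list) -> bool:
    """Model of /ipa/session/login_x509?username=...: the TLS client certificate must map
    to the account named in the request, otherwise the login is refused."""
    return username in match_users(cert, users)


# Constructed data mirroring the test: one card cert mapped to demosc1 and demosc2,
# demosc3 with no certmapdata, and a cert from a different CA that the rule must ignore.
CARD_CERT = Cert("CN=Certificate Authority,O=TESTRELM.TEST", "CN=demosc1,O=TESTRELM.TEST", b"der-1")
OTHER_CA_CERT = Cert("CN=Other CA,O=EXAMPLE", "CN=demosc1,O=TESTRELM.TEST", b"der-2")
USERS = [User("demosc1", certmapdata={map_data(CARD_CERT)}),
         User("demosc2", certmapdata={map_data(CARD_CERT)}),
         User("demosc3")]

if __name__ == "__main__":
    print(match_users(CARD_CERT, USERS))  # ['demosc1', 'demosc2']
    for name in ("demosc1", "demosc2", "demosc3"):
        print(name, login_x509(name, CARD_CERT, USERS))
```

The same subject name issued by a CA outside the matching rule maps to nobody, which is the property the `<ISSUER>` clause exists to guarantee.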