Bug 1656126
| Summary: | [RFE] add pkinit_cert_match feature | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Jacob Hunt <jhunt> |
| Component: | krb5 | Assignee: | Robbie Harwood <rharwood> |
| Status: | CLOSED ERRATA | QA Contact: | Filip Dvorak <fdvorak> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.6 | CC: | afarley, dpal, jvilicic, rharwood |
| Target Milestone: | rc | Keywords: | FutureFeature |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | krb5-1.15.1-46.el7 | Doc Type: | Enhancement |
| Doc Text: |
Feature: Filtering of which certificates can be used for PKINIT.
Reason: Allows additional constraints to be imposed, as well as selecting which cert from a group is to be used.
Result: The KDC can match PKINIT client certificates against the "pkinit_cert_match" string attribute on the client principal entry, using the same syntax as the existing "pkinit_cert_match" profile option.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-03-31 19:41:21 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
I believe we would need patches: https://github.com/krb5/krb5/commit/89634ca049e698d7dd2554f5c49bfc499be96188 https://github.com/krb5/krb5/commit/46ff765e1fb8cbec2bb602b43311269e695dbedc For this feature. Jacob *** Bug 1682963 has been marked as a duplicate of this bug. *** Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:1029 |
Description of problem: Request to backport the 'pkinit_cert_match' feature from upstream 1.6 version. ~~~ Major changes in 1.16 (2017-12-05) Administrator experience The KDC can match PKINIT client certificates against the "pkinit_cert_match" string attribute on the client principal entry, using the same syntax as the existing "pkinit_cert_match" profile option. ~~~ Version-Release number of selected component (if applicable): krb-1.15.1-34