Bug 2098619
| Summary: | [Improvement] add SSSD support for more than one CRL PEM file name with parameters certificate_verification and crl_file | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Alexey Tikhonov <atikhono> |
| Component: | sssd | Assignee: | Iker Pedrosa <ipedrosa> |
| Status: | CLOSED ERRATA | QA Contact: | Madhuri <mupadhye> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 8.6 | CC: | grajaiya, jhrozek, lslebodn, mupadhye, mzidek, pbrezina, sgadekar, tscherf |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | --- | Flags: | pm-rhel: mirror+ |
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | sync-to-jira | ||
| Fixed In Version: | sssd-2.7.2-1.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2022-11-08 10:51:32 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Alexey Tikhonov
2022-06-20 08:15:34 UTC
Pushed PR: https://github.com/SSSD/sssd/pull/6104
* `master`
  * e83e10652be58e13bf9b2f307f16ff018fbbc9b8 - p11_child: enable more than one CRL PEM file
* `sssd-2-7`
  * 84e3a8d6ac0e0a34588b3d3507d9189dccd971ee - p11_child: enable more than one CRL PEM file

Tested with:
[root@ci-vm-10-0-136-149 ~]# rpm -qa sssd
sssd-2.7.2-1.el8.x86_64

Verification steps:

1. Create localuser1 and also create the key and cert for localuser1.

2. Set up a virtual smart card and write the key/cert for localuser1 to it.

3. cp /opt/test_ca/crl/root.crl /etc/sssd/root1.crl

4. Revoke the cert previously used:
   openssl ca -config ca.cnf \
       -revoke /opt/test_ca/localuser1.crt -keyfile rootCA.key -cert rootCA.crt
   openssl ca -config ca.cnf \
       -gencrl -out crl/root.crl
   # backup crl file for use with sssd
   cp /opt/test_ca/crl/root.crl /etc/sssd/root2.crl

5. Write a new valid cert for the user.

6. Write the cert/key to the virtual smart card:
   sh -x init_virt_cacard.sh localuser1
   # create updated crl
   openssl ca -config ca.cnf \
       -gencrl -out crl/root.crl
   cp /opt/test_ca/crl/root.crl /etc/sssd/root3.crl

7. Update sssd.conf:
   certificate_verification = no_ocsp,crl_file=/etc/sssd/root1.crl,crl_file=/etc/sssd/root2.crl,crl_file=/etc/sssd/root3.crl

   [root@ci-vm-10-0-136-149 ~]# cat /etc/sssd/sssd.conf
   [sssd]
   debug_level = 9
   services = nss, pam
   domains = shadowutils
   certificate_verification = no_ocsp,crl_file=/etc/sssd/root1.crl,crl_file=/etc/sssd/root2.crl,crl_file=/etc/sssd/root3.crl

   [nss]
   debug_level = 9

   [pam]
   debug_level = 9
   pam_cert_auth = True

   [domain/shadowutils]
   debug_level = 9
   id_provider = files

   [certmap/shadowutils/localuser1]
   matchrule = <SUBJECT>.*CN=localuser1*

8. Check authentication of the user:
   [root@ci-vm-10-0-136-149 test_ca]# su - localuser1 -c 'su - localuser1 -c whoami'
   PIN for localuser1:
   localuser1
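The script below is an added example, not code from the bug report, the test harness it references (init_virt_cacard.sh, /opt/test_ca) or the SSSD project. It rebuilds the three CRL snapshots from the verification steps with a throwaway `openssl ca` (root1.crl taken before any revocation, root2.crl after revoking the first certificate, root3.crl after issuing a replacement) and then shows what a verifier that has loaded all of those CRL files concludes about each certificate. Everything in it is constructed for the example: the CA directory, the config file, the user and CA names, and the use of `openssl verify` as a stand-in for SSSD's p11_child. p11_child verifies with OpenSSL, but treating the CLI and p11_child as equivalent in how they pick among several loaded CRLs is an assumption of this example, not something the bug report states. It needs openssl 1.1.1 or newer on PATH.

```shell
#!/bin/sh
# Added example, not code from the bug report or the SSSD project. It rebuilds
# the three CRL snapshots from the verification steps above with a throwaway
# `openssl ca` and shows how a verifier that has loaded several CRL PEM files
# judges each certificate. Assumes openssl 1.1.1 or newer on PATH; every path,
# name and config line below is constructed for this example.
set -e

CA_DIR=${CA_DIR:-$(mktemp -d)}   # all CA state lives here (path without spaces)

# Run an `openssl ca` sub-command inside CA_DIR; its chatter goes to ca.log.
ca() {
    (cd "$CA_DIR" && openssl ca -batch -config ca.cnf "$@" >>ca.log 2>&1)
}

# Minimal CA: index/serial/crlnumber files, one config shared by `req` and
# `ca`, and a self-signed root carrying the key usages a CRL issuer needs.
setup_test_ca() {
    mkdir -p "$CA_DIR/newcerts"
    : > "$CA_DIR/index.txt"
    echo 1000 > "$CA_DIR/serial"
    echo 1000 > "$CA_DIR/crlnumber"
    cat > "$CA_DIR/ca.cnf" <<'EOF'
[ ca ]
default_ca         = test_ca
[ test_ca ]
dir                = .
database           = $dir/index.txt
new_certs_dir      = $dir/newcerts
serial             = $dir/serial
crlnumber          = $dir/crlnumber
certificate        = $dir/rootCA.crt
private_key        = $dir/rootCA.key
default_md         = sha256
default_days       = 365
default_crl_days   = 30
policy             = policy_any
unique_subject     = no
x509_extensions    = usr_cert
[ policy_any ]
commonName         = supplied
[ usr_cert ]
basicConstraints   = CA:FALSE
[ req ]
prompt             = no
distinguished_name = req_dn
x509_extensions    = v3_root
[ req_dn ]
CN                 = Test Root CA
[ v3_root ]
basicConstraints   = critical,CA:TRUE
keyUsage           = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -config "$CA_DIR/ca.cnf" -newkey rsa:2048 -nodes -days 365 \
        -keyout "$CA_DIR/rootCA.key" -out "$CA_DIR/rootCA.crt" 2>>"$CA_DIR/ca.log"
}

# Issue a certificate for CN=$1; files land in CA_DIR as $2.key, $2.csr, $2.pem.
issue_cert() {
    openssl req -new -config "$CA_DIR/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$CA_DIR/$2.key" -out "$CA_DIR/$2.csr" 2>>"$CA_DIR/ca.log"
    ca -in "$2.csr" -out "$2.pem" -notext
}

# Verify certificate $1 against the root with every CRL file listed after it,
# all loaded at once (the equivalent of several crl_file= entries). Prints
# "accepted" or "rejected (<openssl reason>)" and always returns 0.
crl_verdict() {
    cert=$1; shift
    bundle=$(mktemp); crlopt=""
    if [ $# -gt 0 ]; then cat "$@" > "$bundle"; crlopt="-CRLfile $bundle"; fi
    if out=$(openssl verify -crl_check -no-CAfile -no-CApath \
                 -CAfile "$CA_DIR/rootCA.crt" $crlopt "$cert" 2>&1); then
        echo accepted
    else
        echo "rejected ($(printf '%s\n' "$out" | sed -n 's/.*depth lookup: //p' | head -n 1))"
    fi
    rm -f "$bundle"
}

# The bug report's scenario: three snapshots of the same root CA CRL.
setup_test_ca
issue_cert localuser1 cert1
ca -gencrl -out root1.crl     # root1.crl: nothing revoked yet
sleep 1   # OpenSSL keeps the matching CRL with the newest lastUpdate (1 s
          # resolution), so each snapshot must carry a distinct timestamp
ca -revoke cert1.pem
ca -gencrl -out root2.crl     # root2.crl: cert1 revoked
sleep 1
issue_cert localuser1 cert2   # replacement certificate for the same user
ca -gencrl -out root3.crl     # root3.crl: still lists cert1, not cert2
ALL_CRLS="$CA_DIR/root1.crl $CA_DIR/root2.crl $CA_DIR/root3.crl"   # split on purpose
echo "cert1, no CRL loaded:   $(crl_verdict "$CA_DIR/cert1.pem")"
echo "cert1, stale root1.crl: $(crl_verdict "$CA_DIR/cert1.pem" "$CA_DIR/root1.crl")"
echo "cert1, all three CRLs:  $(crl_verdict "$CA_DIR/cert1.pem" $ALL_CRLS)"
echo "cert2, all three CRLs:  $(crl_verdict "$CA_DIR/cert2.pem" $ALL_CRLS)"
```

Two things the run makes visible that the config line alone does not. First, with only the stale root1.crl loaded, the revoked cert1 is still accepted, and with no CRL at all the check fails closed with "unable to get certificate CRL"; a `crl_file=` that points at an out-of-date or missing file is therefore the failure mode to watch for, which is why the verification steps copy a fresh CRL each time. Second, when several loaded CRLs come from the same issuer, OpenSSL does not merge them: its store picks the one whose lastUpdate is newest and ignores the rest, which is why the script sleeps between snapshots to keep the timestamps distinct. The practical use of listing more than one `crl_file=` is thus one current CRL per issuing CA in the chain (for example the root's and an intermediate's) rather than a history of the same CA's CRL. The example concatenates the files into one bundle only because that feeds several CRLs to `openssl verify` portably across 1.1.1 and 3.x; that this matches how p11_child loads each file is the assumption stated above.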

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (sssd bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2022:7739