Bug 2098619
Summary: | [Improvement] add SSSD support for more than one CRL PEM file name with parameters certificate_verification and crl_file | |
---|---|---|---
Product: | Red Hat Enterprise Linux 8 | Reporter: | Alexey Tikhonov <atikhono>
Component: | sssd | Assignee: | Iker Pedrosa <ipedrosa>
Status: | CLOSED ERRATA | QA Contact: | Madhuri <mupadhye>
Severity: | unspecified | Docs Contact: |
Priority: | unspecified | |
Version: | 8.6 | CC: | grajaiya, jhrozek, lslebodn, mupadhye, mzidek, pbrezina, sgadekar, tscherf
Target Milestone: | rc | Keywords: | Triaged
Target Release: | --- | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | sync-to-jira | |
Fixed In Version: | sssd-2.7.2-1.el8 | Doc Type: | If docs needed, set a value
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2022-11-08 10:51:32 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Alexey Tikhonov
2022-06-20 08:15:34 UTC
Pushed PR: https://github.com/SSSD/sssd/pull/6104

* `master`
  * e83e10652be58e13bf9b2f307f16ff018fbbc9b8 - p11_child: enable more than one CRL PEM file
* `sssd-2-7`
  * 84e3a8d6ac0e0a34588b3d3507d9189dccd971ee - p11_child: enable more than one CRL PEM file

Tested with:

    [root@ci-vm-10-0-136-149 ~]# rpm -qa sssd
    sssd-2.7.2-1.el8.x86_64

Verification steps:

1. Create localuser1 and also create the key and cert for localuser1
2. Setup virtual card and write key/cert to virtual smart card for localuser1
3. cp /opt/test_ca/crl/root.crl /etc/sssd/root1.crl
4. # revoke the cert previously used

       openssl ca -config ca.cnf \
           -revoke /opt/test_ca/localuser1.crt -keyfile rootCA.key -cert rootCA.crt
       openssl ca -config ca.cnf \
           -gencrl -out crl/root.crl

   # backup crl file for use with sssd

       cp /opt/test_ca/crl/root.crl /etc/sssd/root2.crl

5. Write new valid cert for user
6. write cert/key to virtual smartcard

       sh -x init_virt_cacard.sh localuser1

   # create updated crl

       openssl ca -config ca.cnf \
           -gencrl -out crl/root.crl
       cp /opt/test_ca/crl/root.crl /etc/sssd/root3.crl

7. Update the sssd.conf

       certificate_verification = no_ocsp,crl_file=/etc/sssd/root1.crl,crl_file=/etc/sssd/root2.crl,crl_file=/etc/sssd/root3.crl

       [root@ci-vm-10-0-136-149 ~]# cat /etc/sssd/sssd.conf
       [sssd]
       debug_level = 9
       services = nss, pam
       domains = shadowutils
       certificate_verification = no_ocsp,crl_file=/etc/sssd/root1.crl,crl_file=/etc/sssd/root2.crl,crl_file=/etc/sssd/root3.crl

       [nss]
       debug_level = 9

       [pam]
       debug_level = 9
       pam_cert_auth = True

       [domain/shadowutils]
       debug_level = 9
       id_provider = files

       [certmap/shadowutils/localuser1]
       matchrule = <SUBJECT>.*CN=localuser1*

8. Check authentication of the user

       [root@ci-vm-10-0-136-149 test_ca]# su - localuser1 -c 'su - localuser1 -c whoami'
       PIN for localuser1:
       localuser1

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7739
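The verification steps above revoke a user certificate, regenerate the CRL after each change, and then hand sssd three CRL files at once (root1.crl, root2.crl, root3.crl). The following script is an added example, not part of this bug report and not sssd's own code: it reproduces that CRL sequence with a throwaway CA built with openssl(1) alone (no smart card, no sssd), then checks a certificate against one or several CRL files using OpenSSL's own X509 verification, which is what p11_child ultimately relies on. The CA layout, the ca.cnf contents, the file names and the `cert_status` helper are all assumptions of this example; only `openssl` in PATH is required.

```shell
#!/bin/sh
# Added example: throwaway CA + several CRL PEM files, then CRL-checked
# verification of a certificate against more than one CRL file.
# Not code from the bug report or from sssd. Everything lives in a temp dir.
set -eu

CA_DIR=$(mktemp -d)          # constructed, disposable CA directory
CNF=$CA_DIR/ca.cnf
trap 'rm -rf "$CA_DIR"' EXIT

# Create the CA database, a minimal ca.cnf and the self-signed CA cert.
setup_ca() {
    mkdir -p "$CA_DIR/newcerts"
    : > "$CA_DIR/index.txt"
    echo 1000 > "$CA_DIR/serial"
    echo 01 > "$CA_DIR/crlnumber"
    cat > "$CNF" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir              = $CA_DIR
database         = $CA_DIR/index.txt
new_certs_dir    = $CA_DIR/newcerts
serial           = $CA_DIR/serial
crlnumber        = $CA_DIR/crlnumber
certificate      = $CA_DIR/ca.crt
private_key      = $CA_DIR/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
unique_subject   = no
policy           = policy_any
x509_extensions  = v3_usr
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ v3_usr ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
EOF
    openssl req -x509 -config "$CNF" -newkey rsa:2048 -nodes -days 365 \
        -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" \
        -subj /CN=Example-Test-CA >/dev/null 2>&1
}

# issue_cert <CN> <output basename>: key + CSR + CA-signed cert.
issue_cert() {
    openssl req -new -config "$CNF" -newkey rsa:2048 -nodes \
        -keyout "$2.key" -out "$2.csr" -subj "/CN=$1" >/dev/null 2>&1
    openssl ca -config "$CNF" -batch -notext -in "$2.csr" -out "$2.crt" >/dev/null 2>&1
}

revoke_cert() { openssl ca -config "$CNF" -revoke "$1" >/dev/null 2>&1; }
gen_crl()     { openssl ca -config "$CNF" -gencrl -out "$1" >/dev/null 2>&1; }

# cert_status <cert> <crl>...: prints "valid", "revoked" or "error: ...".
# Several CRL files are concatenated into one PEM bundle so that OpenSSL
# loads all of them into the verification store at once.
cert_status() {
    cert=$1; shift
    [ $# -gt 0 ] || { echo "error: no CRL files given"; return 0; }
    bundle=$(mktemp)
    cat "$@" > "$bundle"
    if out=$(openssl verify -crl_check -CAfile "$CA_DIR/ca.crt" \
                 -CRLfile "$bundle" "$cert" 2>&1); then
        status=valid
    else
        case "$out" in
            *"certificate revoked"*) status=revoked ;;
            *) status="error: $out" ;;
        esac
    fi
    rm -f "$bundle"
    echo "$status"
}

setup_ca
issue_cert localuser1 "$CA_DIR/user1-old"
gen_crl "$CA_DIR/root1.crl"          # CRL 1: nothing revoked yet
sleep 1                              # distinct lastUpdate per CRL (see note)
revoke_cert "$CA_DIR/user1-old.crt"
gen_crl "$CA_DIR/root2.crl"          # CRL 2: old cert revoked
sleep 1
issue_cert localuser1 "$CA_DIR/user1-new"   # fresh cert, same subject
gen_crl "$CA_DIR/root3.crl"          # CRL 3: still lists the old serial

ALL="$CA_DIR/root1.crl $CA_DIR/root2.crl $CA_DIR/root3.crl"
printf 'old cert, root1.crl only : %s\n' "$(cert_status "$CA_DIR/user1-old.crt" "$CA_DIR/root1.crl")"
printf 'old cert, root2.crl only : %s\n' "$(cert_status "$CA_DIR/user1-old.crt" "$CA_DIR/root2.crl")"
printf 'old cert, all three CRLs : %s\n' "$(cert_status "$CA_DIR/user1-old.crt" $ALL)"
printf 'new cert, all three CRLs : %s\n' "$(cert_status "$CA_DIR/user1-new.crt" $ALL)"
```

Why the `sleep 1`: when an OpenSSL verification store holds several CRLs from the same issuer that score equally, the one with the newest lastUpdate is the one consulted, so with all three files loaded the check runs against root3.crl, which still carries the revoked serial (the old certificate fails, the reissued one passes). Two CRLs generated within the same second have identical lastUpdate values and the choice between them would depend on load order, which is exactly the kind of ambiguity you do not want in a revocation check; in a real deployment the CRLs handed to sssd come from separate publication runs, so this is only a concern for a demo that generates them back to back.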