Bug 1163922 - Please backport changes to make the LDAP mapper more flexible
Summary: Please backport changes to make the LDAP mapper more flexible
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pam_pkcs11
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Bob Relyea
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-11-13 17:19 UTC by Nalin Dahyabhai
Modified: 2015-11-19 13:01 UTC

Fixed In Version: pam_pkcs11-0.6.2-21.el7
Doc Type: Enhancement
Doc Text:
Previously, when using LDAP to map a user certificate to a user ID, the pam_pkcs11 module requested a list of all certificates and IDs from the LDAP server and filtered this list, instead of using LDAP filtering. This approach caused performance problems on both the client and the server, and limited the ways LDAP could be used to map certificates. With this update, the querying algorithm for pam_pkcs11 has been improved and obtaining entire lists of certificates and IDs is no longer necessary. Logins using this module are now faster and require less resources, and pam_pkcs11 users now have more flexibility in using LDAP to map a certificate to a user ID.
Clone Of:
Environment:
Last Closed: 2015-11-19 13:01:11 UTC
Target Upstream Version:
Embargoed:


Links
System: Red Hat Product Errata; ID: RHEA-2015:2415; Private: 0; Priority: normal; Status: SHIPPED_LIVE; Summary: pam_pkcs11 enhancement update; Last Updated: 2015-11-19 11:23:41 UTC

Description Nalin Dahyabhai 2014-11-13 17:19:55 UTC
Upstream pam_pkcs11's accepted changes (https://github.com/OpenSC/pam_pkcs11/commit/c7f4a9a6dda7dc10287f489d9cba1b39e852cbeb and multiple cleanups after it) to make the LDAP mapper more flexible (including the change described in bug #606952, which the "uid_attribute" setting lets us do), and I think we have use for them in RHEL.

Comment 1 Bob Relyea 2015-07-07 03:24:22 UTC
fixed in pam_pkcs11-0.6.2-21.el7

Comment 3 Roshni 2015-08-31 16:18:47 UTC
Bob,

Could you provide the tests that need to be done to verify this bug?

Comment 4 Bob Relyea 2015-09-03 16:45:33 UTC
Unfortunately I don't have any test cases. I just did the backport. Nalin, do you have any tests?

Comment 5 Nalin Dahyabhai 2015-09-03 19:59:51 UTC
Nothing automated, unfortunately. It's been a while, but I'd have used pklogin_finder and a card containing a certificate whose contents I could easily reissue with different contents, and combined it with an IPA server.

I probably used "local-getcert request" with the -F flag to generate the certificate and a CA certificate, either pk12util or openssl's pkcs12 command to export the key and certificate into a PKCS#12 bundle, and OpenSC's pkcs15-init's --store-private-key option to dump the private key and certificate onto the card.

The IPA server would contain a user account whose entry's DN, recorded full name, IPA user name, recorded email address, and Kerberos principal name I'd specified when creating the certificate, and the user entry would have been modified to add the 'pkiUser' object class so that the newly-generated certificate could be set as its userCertificate value.

After that, it should have been pretty straightforward to cycle through the various matching options that we're adding to pam_pkcs11's ldap mapper.

Comment 6 Roshni 2015-09-09 19:38:26 UTC
[root@dhcp129-45 rpattath]# rpm -qi pam_pkcs11
Name        : pam_pkcs11
Version     : 0.6.2
Release     : 23.el7
Architecture: x86_64
Install Date: Wed 09 Sep 2015 02:00:29 PM EDT
Group       : System Environment/Base
Size        : 1104350
License     : LGPLv2+
Signature   : RSA/SHA256, Tue 01 Sep 2015 11:31:12 AM EDT, Key ID 938a80caf21541eb
Source RPM  : pam_pkcs11-0.6.2-23.el7.src.rpm
Build Date  : Mon 31 Aug 2015 08:45:08 PM EDT
Build Host  : x86-020.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://www.opensc-project.org/pam_pkcs11
Summary     : PKCS #11/NSS PAM login module

Verification steps:

1. Make the following changes to /etc/pam_pkcs11/pam_pkcs11.conf

use_mappers = ldap;

# Directory ( ldap style ) mapper
  mapper ldap {
        debug = true;
        module = /usr/$LIB/pam_pkcs11/ldap_mapper.so;
        # where base directory resides
        basedir = /etc/pam_pkcs11/mapdir;
        # hostname of ldap server
        ldaphost = "yttrium.idmqe.lab.eng.bos.redhat.com";
        # Port on ldap server to connect
        ldapport = 1603;
        # Scope of search: 0 = base, 1 = one level, 2 = subtree
        scope = 2;
        # DN to bind with. Must have read-access for user entries under "base"
        binddn = "cn=Directory Manager";
        # Password for above DN
        passwd = "Secret123";
        # Searchbase for user entries
        base = "ou=People,dc=pki-tps1";
        # Attribute of user entry which contains the certificate
        attribute = "userCertificate";
        # Searchfilter for user entry. Must only let pass user entry for the login user.
        filter = "(&(objectClass=posixAccount)(uid=%s))";
        uid_attribute = "uid";
        attribute_map = "uid=uid&mail=email", "redhatPrincipalName=upn", "userCertificate;binary=cert";
  }

2. Insert a smartcard enrolled with a kerberos user.

dn: uid=kdcuser2,ou=People,dc=pki-tps1
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: redhatKerberosUser
objectClass: posixAccount
cn: kdcuser2
sn: KDCUser
description: this is the description of kdcuser2
telephoneNumber: This the telephoneNumber of kdcuser2
businessCategory: This the businessCategory of kdcuser2
carLicense: This the carLicense of kdcuser2
departmentNumber: This the departmentNumber of kdcuser2
displayName: KDC User
employeeNumber: This the employeeNumber of kdcuser2
employeeType: This the employeeType of kdcuser2
givenName: GivenName
homePhone: This the homePhone of kdcuser2
homePostalAddress: This the homePostalAddress of kdcuser2
initials: This the initials of kdcuser2
labeledURI: This the labeledURL of kdcuser2
mail: rpattath
mobile: This the mobile of kdcuser2
o: This the o of kdcuser2
pager: This the pager of kdcuser2
preferredLanguage: This the preferredLanguage of kdcuser2
roomNumber: This the roomNumber of kdcuser2
uid: kdcuser2
userSMIMECertificate: This the userSMIMECertificate of kdcuser2
redhatPrincipalName: kdcuser2
uidNumber: 1001
gidNumber: 1000
loginShell: /bin/sh
homeDirectory: /home/kdcuser2
userPassword:: e1NTSEF9YVpVa1c5RkZ3UnB6ajFJeC9tVEtxcnNyVkRVWkNRc3Byd0I4ckE9PQ=
 =
userCertificate;binary:: <base64-encoded DER certificate omitted>

3. Import and trust the issuing CA cert under /etc/pki/nssdb

4. Run pklogin_finder

[root@dhcp129-45 rpattath]# pklogin_finder debug
DEBUG:pam_config.c:238: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pkcs11_lib.c:182: Initializing NSS ...
DEBUG:pkcs11_lib.c:192: Initializing NSS ... database=/etc/pki/nssdb
DEBUG:pkcs11_lib.c:210: ...  NSS Complete
DEBUG:pklogin_finder.c:71: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:235: Looking up module in list
DEBUG:pkcs11_lib.c:238: modList = 0x1e386f0 next = 0x1e441f0
 
DEBUG:pkcs11_lib.c:239: dllName= <null>
 
DEBUG:pkcs11_lib.c:238: modList = 0x1e441f0 next = 0x0
 
DEBUG:pkcs11_lib.c:239: dllName= libcoolkeypk11.so
 
DEBUG:pklogin_finder.c:79: initialising pkcs #11 module...
PIN for token:
DEBUG:pkcs11_lib.c:48: PIN = [redhat]
DEBUG:pkcs11_lib.c:759: cert 0: found (kdcuser2:signing key for kdcuser2), "UID=kdcuser2,O=Token Key User"
DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
DEBUG:mapper_mgr.c:95: Loading dynamic module for mapper 'ldap'
DEBUG:ldap_mapper.c:1172: test ssltls = default
DEBUG:ldap_mapper.c:1174: LDAP mapper started.
DEBUG:ldap_mapper.c:1175: debug         = 1
DEBUG:ldap_mapper.c:1176: ignorecase    = 0
DEBUG:ldap_mapper.c:1177: ldaphost      = yttrium.idmqe.lab.eng.bos.redhat.com
DEBUG:ldap_mapper.c:1178: ldapport      = 1603
DEBUG:ldap_mapper.c:1179: ldapURI       =
DEBUG:ldap_mapper.c:1180: scope         = 2
DEBUG:ldap_mapper.c:1181: binddn        = cn=Directory Manager
DEBUG:ldap_mapper.c:1182: passwd        = Secret123
DEBUG:ldap_mapper.c:1183: base          = ou=People,dc=pki-tps1
DEBUG:ldap_mapper.c:1184: attribute     = userCertificate
DEBUG:ldap_mapper.c:1185: uid_attribute = uid
DEBUG:ldap_mapper.c:1187: attribute_map = uid=uid&mail=email
DEBUG:ldap_mapper.c:1187: attribute_map = uid=uid&mail=email
DEBUG:ldap_mapper.c:1187: attribute_map = uid=uid&mail=email
DEBUG:ldap_mapper.c:1189: filter        = (&(objectClass=posixAccount)(uid=%s))
DEBUG:ldap_mapper.c:1190: searchtimeout = 20
DEBUG:ldap_mapper.c:1191: ssl_on        = 0
DEBUG:ldap_mapper.c:1193: tls_randfile  =
DEBUG:ldap_mapper.c:1194: tls_cacertfile=
DEBUG:ldap_mapper.c:1195: tls_cacertdir =
DEBUG:ldap_mapper.c:1196: tls_checkpeer = -1
DEBUG:ldap_mapper.c:1197: tls_ciphers   =
DEBUG:ldap_mapper.c:1198: tls_cert      =
DEBUG:ldap_mapper.c:1199: tls_key       =
DEBUG:mapper_mgr.c:197: Inserting mapper [ldap] into list
DEBUG:pklogin_finder.c:127: Found '1' certificate(s)
DEBUG:pklogin_finder.c:131: verifing the certificate #1
DEBUG:cert_vfy.c:34: Verifying Cert: kdcuser2:signing key for kdcuser2 (UID=kdcuser2,O=Token Key User)
DEBUG:pklogin_finder.c:145: Trying to deduce login from certificate
DEBUG:ldap_mapper.c:931: ldap_get_certificate(): begin login unknown
DEBUG:ldap_mapper.c:582: added URI ldap://yttrium.idmqe.lab.eng.bos.redhat.com:1603
DEBUG:ldap_mapper.c:991: ldap_get_certificate(): try do_open for ldap://yttrium.idmqe.lab.eng.bos.redhat.com:1603
DEBUG:ldap_mapper.c:145: do_init():
DEBUG:ldap_mapper.c:415: Set connection timeout to 8
DEBUG:ldap_mapper.c:323: do_bind(): bind DN="cn=Directory Manager" pass="Secret123"
DEBUG:ldap_mapper.c:356: do_bind rc=97
DEBUG:ldap_mapper.c:1023: ldap_get_certificate(): building filter_str from template 'uid=uid&mail=email'
DEBUG:ldap_mapper.c:791: ldap_build_cert_filter(): building filter 'uid=uid&mail=email'
DEBUG:ldap_mapper.c:740: ldap_build_cert_filter(): building subfilter 'uid'='uid'
DEBUG:ldap_mapper.c:740: ldap_build_cert_filter(): building subfilter 'mail'='email'
DEBUG:ldap_mapper.c:1039: ldap_get_certificate(): searching with filter_str = (&(&(objectClass=posixAccount)(uid=*))(&(uid=kdcuser2)(mail=rpattath)))
DEBUG:ldap_mapper.c:1051: ldap_get_certificate(): found an entry
DEBUG:ldap_mapper.c:1071: ldap_get_certificate(): entries = 1
DEBUG:ldap_mapper.c:1091: attribute name = userCertificate
DEBUG:ldap_mapper.c:1094: number of user certificates = 0
DEBUG:ldap_mapper.c:1103: number of user names ('uid' values) = 1
DEBUG:ldap_mapper.c:1126: ldap_get_certificate(): end
DEBUG:ldap_mapper.c:1227: Found matching entry for user
DEBUG:pklogin_finder.c:151: Certificate is valid and maps to user kdcuser2
kdcuser2
DEBUG:mapper_mgr.c:214: unloading mapper module list
DEBUG:mapper_mgr.c:137: calling mapper_module_end() ldap
DEBUG:mapper_mgr.c:145: unloading module ldap
DEBUG:pklogin_finder.c:169: releasing pkcs #11 module...
DEBUG:pklogin_finder.c:172: Process completed

Some additional tests:

1. Make the following changes to pam_pkcs11.conf

attribute_map = "redhatPrincipalName=upn", "userCertificate;binary=cert";

[root@dhcp129-45 rpattath]# pklogin_finder debug
DEBUG:pam_config.c:238: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pkcs11_lib.c:182: Initializing NSS ...
DEBUG:pkcs11_lib.c:192: Initializing NSS ... database=/etc/pki/nssdb
DEBUG:pkcs11_lib.c:210: ...  NSS Complete
DEBUG:pklogin_finder.c:71: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:235: Looking up module in list
DEBUG:pkcs11_lib.c:238: modList = 0x1d876a0 next = 0x1d931d0
 
DEBUG:pkcs11_lib.c:239: dllName= <null>
 
DEBUG:pkcs11_lib.c:238: modList = 0x1d931d0 next = 0x0
 
DEBUG:pkcs11_lib.c:239: dllName= libcoolkeypk11.so
 
DEBUG:pklogin_finder.c:79: initialising pkcs #11 module...
PIN for token:
DEBUG:pkcs11_lib.c:48: PIN = [redhat]
DEBUG:pkcs11_lib.c:759: cert 0: found (kdcuser2:signing key for kdcuser2), "UID=kdcuser2,O=Token Key User"
DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
DEBUG:mapper_mgr.c:95: Loading dynamic module for mapper 'ldap'
DEBUG:ldap_mapper.c:1172: test ssltls = default
DEBUG:ldap_mapper.c:1174: LDAP mapper started.
DEBUG:ldap_mapper.c:1175: debug         = 1
DEBUG:ldap_mapper.c:1176: ignorecase    = 0
DEBUG:ldap_mapper.c:1177: ldaphost      = yttrium.idmqe.lab.eng.bos.redhat.com
DEBUG:ldap_mapper.c:1178: ldapport      = 1603
DEBUG:ldap_mapper.c:1179: ldapURI       =
DEBUG:ldap_mapper.c:1180: scope         = 2
DEBUG:ldap_mapper.c:1181: binddn        = cn=Directory Manager
DEBUG:ldap_mapper.c:1182: passwd        = Secret123
DEBUG:ldap_mapper.c:1183: base          = ou=People,dc=pki-tps1
DEBUG:ldap_mapper.c:1184: attribute     = userCertificate
DEBUG:ldap_mapper.c:1185: uid_attribute = uid
DEBUG:ldap_mapper.c:1187: attribute_map = redhatPrincipalName=upn
DEBUG:ldap_mapper.c:1187: attribute_map = redhatPrincipalName=upn
DEBUG:ldap_mapper.c:1189: filter        = (&(objectClass=posixAccount)(uid=%s))
DEBUG:ldap_mapper.c:1190: searchtimeout = 20
DEBUG:ldap_mapper.c:1191: ssl_on        = 0
DEBUG:ldap_mapper.c:1193: tls_randfile  =
DEBUG:ldap_mapper.c:1194: tls_cacertfile=
DEBUG:ldap_mapper.c:1195: tls_cacertdir =
DEBUG:ldap_mapper.c:1196: tls_checkpeer = -1
DEBUG:ldap_mapper.c:1197: tls_ciphers   =
DEBUG:ldap_mapper.c:1198: tls_cert      =
DEBUG:ldap_mapper.c:1199: tls_key       =
DEBUG:mapper_mgr.c:197: Inserting mapper [ldap] into list
DEBUG:pklogin_finder.c:127: Found '1' certificate(s)
DEBUG:pklogin_finder.c:131: verifing the certificate #1
DEBUG:cert_vfy.c:34: Verifying Cert: kdcuser2:signing key for kdcuser2 (UID=kdcuser2,O=Token Key User)
DEBUG:pklogin_finder.c:145: Trying to deduce login from certificate
DEBUG:ldap_mapper.c:931: ldap_get_certificate(): begin login unknown
DEBUG:ldap_mapper.c:582: added URI ldap://yttrium.idmqe.lab.eng.bos.redhat.com:1603
DEBUG:ldap_mapper.c:991: ldap_get_certificate(): try do_open for ldap://yttrium.idmqe.lab.eng.bos.redhat.com:1603
DEBUG:ldap_mapper.c:145: do_init():
DEBUG:ldap_mapper.c:415: Set connection timeout to 8
DEBUG:ldap_mapper.c:323: do_bind(): bind DN="cn=Directory Manager" pass="Secret123"
DEBUG:ldap_mapper.c:356: do_bind rc=97
DEBUG:ldap_mapper.c:1023: ldap_get_certificate(): building filter_str from template 'redhatPrincipalName=upn'
DEBUG:ldap_mapper.c:791: ldap_build_cert_filter(): building filter 'redhatPrincipalName=upn'
DEBUG:cert_info.c:143: Looking for ALT_NAME
DEBUG:cert_info.c:182: not other name...
DEBUG:cert_info.c:167: got other name with tag 0x13e
DEBUG:cert_info.c:175: Got upn: kdcuser2
DEBUG:cert_info.c:167: got other name with tag 0
DEBUG:ldap_mapper.c:740: ldap_build_cert_filter(): building subfilter 'redhatPrincipalName'='upn'
DEBUG:ldap_mapper.c:1039: ldap_get_certificate(): searching with filter_str = (&(&(objectClass=posixAccount)(uid=*))(redhatPrincipalName=kdcuser2))
DEBUG:ldap_mapper.c:1051: ldap_get_certificate(): found an entry
DEBUG:ldap_mapper.c:1071: ldap_get_certificate(): entries = 1
DEBUG:ldap_mapper.c:1091: attribute name = userCertificate
DEBUG:ldap_mapper.c:1094: number of user certificates = 0
DEBUG:ldap_mapper.c:1103: number of user names ('uid' values) = 1
DEBUG:ldap_mapper.c:1126: ldap_get_certificate(): end
DEBUG:ldap_mapper.c:1227: Found matching entry for user
DEBUG:pklogin_finder.c:151: Certificate is valid and maps to user kdcuser2
kdcuser2
DEBUG:mapper_mgr.c:214: unloading mapper module list
DEBUG:mapper_mgr.c:137: calling mapper_module_end() ldap
DEBUG:mapper_mgr.c:145: unloading module ldap
DEBUG:pklogin_finder.c:169: releasing pkcs #11 module...
DEBUG:pklogin_finder.c:172: Process completed

2. Make the following changes to pam_pkcs11.conf

attribute_map = "userCertificate;binary=cert";

The signing cert on the smartcard should be added to the ldap user entry.

[root@dhcp129-45 rpattath]# pklogin_finder debug
DEBUG:pam_config.c:238: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pkcs11_lib.c:182: Initializing NSS ...
DEBUG:pkcs11_lib.c:192: Initializing NSS ... database=/etc/pki/nssdb
DEBUG:pkcs11_lib.c:210: ...  NSS Complete
DEBUG:pklogin_finder.c:71: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:235: Looking up module in list
DEBUG:pkcs11_lib.c:238: modList = 0xb9f670 next = 0xbab170
 
DEBUG:pkcs11_lib.c:239: dllName= <null>
 
DEBUG:pkcs11_lib.c:238: modList = 0xbab170 next = 0x0
 
DEBUG:pkcs11_lib.c:239: dllName= libcoolkeypk11.so
 
DEBUG:pklogin_finder.c:79: initialising pkcs #11 module...
PIN for token:
DEBUG:pkcs11_lib.c:48: PIN = [redhat]
DEBUG:pkcs11_lib.c:759: cert 0: found (kdcuser2:signing key for kdcuser2), "UID=kdcuser2,O=Token Key User"
DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
DEBUG:mapper_mgr.c:95: Loading dynamic module for mapper 'ldap'
DEBUG:ldap_mapper.c:1172: test ssltls = default
DEBUG:ldap_mapper.c:1174: LDAP mapper started.
DEBUG:ldap_mapper.c:1175: debug         = 1
DEBUG:ldap_mapper.c:1176: ignorecase    = 0
DEBUG:ldap_mapper.c:1177: ldaphost      = yttrium.idmqe.lab.eng.bos.redhat.com
DEBUG:ldap_mapper.c:1178: ldapport      = 1603
DEBUG:ldap_mapper.c:1179: ldapURI       =
DEBUG:ldap_mapper.c:1180: scope         = 2
DEBUG:ldap_mapper.c:1181: binddn        = cn=Directory Manager
DEBUG:ldap_mapper.c:1182: passwd        = Secret123
DEBUG:ldap_mapper.c:1183: base          = ou=People,dc=pki-tps1
DEBUG:ldap_mapper.c:1184: attribute     = userCertificate
DEBUG:ldap_mapper.c:1185: uid_attribute = uid
DEBUG:ldap_mapper.c:1187: attribute_map = userCertificate;binary=cert
DEBUG:ldap_mapper.c:1189: filter        = (&(objectClass=posixAccount)(uid=%s))
DEBUG:ldap_mapper.c:1190: searchtimeout = 20
DEBUG:ldap_mapper.c:1191: ssl_on        = 0
DEBUG:ldap_mapper.c:1193: tls_randfile  =
DEBUG:ldap_mapper.c:1194: tls_cacertfile=
DEBUG:ldap_mapper.c:1195: tls_cacertdir =
DEBUG:ldap_mapper.c:1196: tls_checkpeer = -1
DEBUG:ldap_mapper.c:1197: tls_ciphers   =
DEBUG:ldap_mapper.c:1198: tls_cert      =
DEBUG:ldap_mapper.c:1199: tls_key       =
DEBUG:mapper_mgr.c:197: Inserting mapper [ldap] into list
DEBUG:pklogin_finder.c:127: Found '1' certificate(s)
DEBUG:pklogin_finder.c:131: verifing the certificate #1
DEBUG:cert_vfy.c:34: Verifying Cert: kdcuser2:signing key for kdcuser2 (UID=kdcuser2,O=Token Key User)
DEBUG:pklogin_finder.c:145: Trying to deduce login from certificate
DEBUG:ldap_mapper.c:931: ldap_get_certificate(): begin login unknown
DEBUG:ldap_mapper.c:582: added URI ldap://yttrium.idmqe.lab.eng.bos.redhat.com:1603
DEBUG:ldap_mapper.c:991: ldap_get_certificate(): try do_open for ldap://yttrium.idmqe.lab.eng.bos.redhat.com:1603
DEBUG:ldap_mapper.c:145: do_init():
DEBUG:ldap_mapper.c:415: Set connection timeout to 8
DEBUG:ldap_mapper.c:323: do_bind(): bind DN="cn=Directory Manager" pass="Secret123"
DEBUG:ldap_mapper.c:356: do_bind rc=97
DEBUG:ldap_mapper.c:1023: ldap_get_certificate(): building filter_str from template 'userCertificate;binary=cert'
DEBUG:ldap_mapper.c:791: ldap_build_cert_filter(): building filter 'userCertificate;binary=cert'
DEBUG:ldap_mapper.c:740: ldap_build_cert_filter(): building subfilter 'userCertificate;binary'='cert'
DEBUG:ldap_mapper.c:1039: ldap_get_certificate(): searching with filter_str = (&(&(objectClass=posixAccount)(uid=*))(userCertificate;binary=0\82\03\f60\82\02\de\a0\03\02\01\02\02\01\3a0\0d\06\09\2a\86H\86\f7\0d\01\01\0b\05\000X1503\06\03U\04\0a\0c\2cidmqe\2elab\2eeng\2ebos\2eredhat\2ecom\20Security\20Domain1\1f0\1d\06\03U\04\03\0c\16CA\20Signing\20Certificate0\1e\17\0d150909184016Z\17\0d200907184016Z031\170\15\06\03U\04\0a\0c\0eToken\20Key\20User1\180\16\06\0a\09\92\26\89\93\f2\2cd\01\01\0c\08kdcuser20\81\9f0\0d\06\09\2a\86H\86\f7\0d\01\01\01\05\00\03\81\8d\000\81\89\02\81\81\00\8cE\ecU\84x\21\81\a6\1f\fd\0f\b6\7b\82\c1G\de\04\00\81\ce\01\3eDF\97\f1I\80\cf\92\b7\10\a1\c9\15\24\fb7\c35y\d6\2c\e0\2c\d6\dd\acf\fa\94\11\c4x\1a\7b\ecF\a4F\e7\b0\8e\f6K5\b1\e2P\cb\b7c\db\ee\02\85\0b\3cJ\94k\27\f5\7f\2e\e4\0c\f9w\dc\f6\cd\9b\86\3d\28\b1j1\afd\d9\5e\96\f0\87\d0W1\92c\7b\d2\bf\12\20\c1\e5\c5\fdP\f7\8cU\26\ed\02\03\01\00\01\a3\82\01r0\82\01n0\0e\06\03U\1d\0f\01\01\ff\04\04\03\02\06\c00\81\85\06\03U\1d\11\04\7e0\7c\81\13rpattath\40redhat\2ecom\a0\24\06\0a\2b\06\01\04\01\827\14\02\03\a0\16\0c\14kdcuser2\40EXAMPLE\2eCOM\a0\3f\06\06\2b\06\01\05\02\02\a0503\a0\0d\1b\0bEXAMPLE\2eCOM\a1\220\20\a0\03\02\01\01\a1\190\17\1b\08kdcuser2\1b\0bEXAMPLE\2eCOM0\1d\06\03U\1d\0e\04\16\04\14\cb\2dV\e1\f6\b4\d8W\24\02R\ff\c6\3fw\c0\ef\a5\fc\070\1f\06\03U\1d\23\04\180\16\80\14\a9\acI\d6\ae\23\db\60my\2c1\3c\aat6bj\13\010\09\06\03U\1d\13\04\020\000T\06\08\2b\06\01\05\05\07\01\01\04H0F0D\06\08\2b\06\01\05\05\070\01\868http\3a\2f\2fyttrium\2eidmqe\2elab\2eeng\2ebos\2eredhat\2ecom\3a8080\2fca\2focsp03\06\03U\1d\25\04\2c0\2a\06\08\2b\06\01\05\05\07\03\01\06\08\2b\06\01\05\05\07\03\02\06\08\2b\06\01\05\05\07\03\04\06\0a\2b\06\01\04\01\827\14\02\020\0d\06\09\2a\86H\86\f7\0d\01\01\0b\05\00\03\82\01\01\00\89\89v\83\11\04\1cR\8e\7b\26\2d\0as\1a\9ab\40\80\18\c1\81\aa\1b\faKb\81\dc\da\8f\7e\f4\1f\91\cabK\3bx\3b\3a\09\27\dfn3\01c\e4\2f\f0\9f\a7g\7cd\a9\9e\e7UG\27\e80\81\7c\fc\d4wbf\16\82\cb\db\82\40\0b\5e\88\7e
\84IBjJG\fcBp\08\9f\f8\b3\88\80Z\cd\86i\96\afWH\93\b9\b2\0a\16\d6\09\2eyS\d4YdQ\cdt\04\a9\c9\d3\e7\15\17\f2\e4\29\b1\5b\bbn\dcF\81\2b\18\88\bd\ae\a8\5fi\eeWL\94\efm\9e\a6\bc\17\fc\d9\8a\c1\d5\3a\d6\84\3cX\11\2fPq\f9\b1\b4\294tl\c4\db\7eD\d9\9dU\83s\abMU\3d\7e\a7\a7\16\1b\a4\d0\cb\1a\3e\ce\b4\ce3\0d\f6\9e\fe\c5\7di5\dd\2c\86z\bb\16\09\b3\3bi\e9\18\2c5\98\8a\13\05\c2\b2\d7\8c\28\f4\8b\12\ec\5dNH\5d\e7\05\5f\11\ccoCo\e1\9az\81e))
DEBUG:ldap_mapper.c:1051: ldap_get_certificate(): found an entry
DEBUG:ldap_mapper.c:1071: ldap_get_certificate(): entries = 1
DEBUG:ldap_mapper.c:1091: attribute name = userCertificate
DEBUG:ldap_mapper.c:1094: number of user certificates = 0
DEBUG:ldap_mapper.c:1103: number of user names ('uid' values) = 1
DEBUG:ldap_mapper.c:1126: ldap_get_certificate(): end
DEBUG:ldap_mapper.c:1227: Found matching entry for user
DEBUG:pklogin_finder.c:151: Certificate is valid and maps to user kdcuser2
kdcuser2
DEBUG:mapper_mgr.c:214: unloading mapper module list
DEBUG:mapper_mgr.c:137: calling mapper_module_end() ldap
DEBUG:mapper_mgr.c:145: unloading module ldap
DEBUG:pklogin_finder.c:169: releasing pkcs #11 module...
DEBUG:pklogin_finder.c:172: Process completed

3. Use a smart card enrolled with a non-Kerberos user (the user has no redhatPrincipalName objectclass)

The signing cert on the smartcard has been added to the ldap user entry.

pam_pkcs11.conf has the following

attribute_map = "redhatPrincipalName=upn", "userCertificate;binary=cert";

    [root@dhcp129-45 rpattath]# pklogin_finder debug
    DEBUG:pam_config.c:238: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
    DEBUG:pkcs11_lib.c:182: Initializing NSS ...
    DEBUG:pkcs11_lib.c:192: Initializing NSS ... database=/etc/pki/nssdb
    DEBUG:pkcs11_lib.c:210: ...  NSS Complete
    DEBUG:pklogin_finder.c:71: loading pkcs #11 module...
    DEBUG:pkcs11_lib.c:235: Looking up module in list
    DEBUG:pkcs11_lib.c:238: modList = 0x1a916b0 next = 0x1a9d1b0
     
    DEBUG:pkcs11_lib.c:239: dllName= <null>
     
    DEBUG:pkcs11_lib.c:238: modList = 0x1a9d1b0 next = 0x0
     
    DEBUG:pkcs11_lib.c:239: dllName= libcoolkeypk11.so
     
    DEBUG:pklogin_finder.c:79: initialising pkcs #11 module...
    PIN for token:
    DEBUG:pkcs11_lib.c:48: PIN = [redhat]
    DEBUG:pkcs11_lib.c:759: cert 0: found (pkiuser2:signing key for pkiuser2), "UID=pkiuser2,O=Token Key User"
    DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
    DEBUG:mapper_mgr.c:95: Loading dynamic module for mapper 'ldap'
    DEBUG:ldap_mapper.c:1172: test ssltls = default
    DEBUG:ldap_mapper.c:1174: LDAP mapper started.
    DEBUG:ldap_mapper.c:1175: debug         = 1
    DEBUG:ldap_mapper.c:1176: ignorecase    = 0
    DEBUG:ldap_mapper.c:1177: ldaphost      = yttrium.idmqe.lab.eng.bos.redhat.com
    DEBUG:ldap_mapper.c:1178: ldapport      = 1603
    DEBUG:ldap_mapper.c:1179: ldapURI       =
    DEBUG:ldap_mapper.c:1180: scope         = 2
    DEBUG:ldap_mapper.c:1181: binddn        = cn=Directory Manager
    DEBUG:ldap_mapper.c:1182: passwd        = Secret123
    DEBUG:ldap_mapper.c:1183: base          = ou=People,dc=pki-tps1
    DEBUG:ldap_mapper.c:1184: attribute     = userCertificate
    DEBUG:ldap_mapper.c:1185: uid_attribute = uid
    DEBUG:ldap_mapper.c:1187: attribute_map = krbprincipalname=upn
    DEBUG:ldap_mapper.c:1187: attribute_map = krbprincipalname=upn
    DEBUG:ldap_mapper.c:1189: filter        = (&(objectClass=posixAccount)(uid=%s))
    DEBUG:ldap_mapper.c:1190: searchtimeout = 20
    DEBUG:ldap_mapper.c:1191: ssl_on        = 0
    DEBUG:ldap_mapper.c:1193: tls_randfile  =
    DEBUG:ldap_mapper.c:1194: tls_cacertfile=
    DEBUG:ldap_mapper.c:1195: tls_cacertdir =
    DEBUG:ldap_mapper.c:1196: tls_checkpeer = -1
    DEBUG:ldap_mapper.c:1197: tls_ciphers   =
    DEBUG:ldap_mapper.c:1198: tls_cert      =
    DEBUG:ldap_mapper.c:1199: tls_key       =
    DEBUG:mapper_mgr.c:197: Inserting mapper [ldap] into list
    DEBUG:pklogin_finder.c:127: Found '1' certificate(s)
    DEBUG:pklogin_finder.c:131: verifing the certificate #1
    DEBUG:cert_vfy.c:34: Verifying Cert: pkiuser2:signing key for pkiuser2 (UID=pkiuser2,O=Token Key User)
    DEBUG:pklogin_finder.c:145: Trying to deduce login from certificate
    DEBUG:ldap_mapper.c:931: ldap_get_certificate(): begin login unknown
    DEBUG:ldap_mapper.c:582: added URI ldap://yttrium.idmqe.lab.eng.bos.redhat.com:1603
    DEBUG:ldap_mapper.c:991: ldap_get_certificate(): try do_open for ldap://yttrium.idmqe.lab.eng.bos.redhat.com:1603
    DEBUG:ldap_mapper.c:145: do_init():
    DEBUG:ldap_mapper.c:415: Set connection timeout to 8
    DEBUG:ldap_mapper.c:323: do_bind(): bind DN="cn=Directory Manager" pass="Secret123"
    DEBUG:ldap_mapper.c:356: do_bind rc=97
    DEBUG:ldap_mapper.c:1023: ldap_get_certificate(): building filter_str from template 'krbprincipalname=upn'
    DEBUG:ldap_mapper.c:791: ldap_build_cert_filter(): building filter 'krbprincipalname=upn'
    DEBUG:cert_info.c:143: Looking for ALT_NAME
    DEBUG:cert_info.c:182: not other name...
    DEBUG:cert_info.c:167: got other name with tag 0x13e
    DEBUG:cert_info.c:175: Got upn: kdcuser2
    DEBUG:cert_info.c:167: got other name with tag 0
    DEBUG:ldap_mapper.c:740: ldap_build_cert_filter(): building subfilter 'krbprincipalname'='upn'
    DEBUG:ldap_mapper.c:1039: ldap_get_certificate(): searching with filter_str = (&(&(objectClass=posixAccount)(uid=*))(krbprincipalname=kdcuser2))
    DEBUG:ldap_mapper.c:1054: ldap_get_certificate(): no matching entries
    DEBUG:ldap_mapper.c:1023: ldap_get_certificate(): building filter_str from template 'userCertificate;binary=cert'
    DEBUG:ldap_mapper.c:791: ldap_build_cert_filter(): building filter 'userCertificate;binary=cert'
    DEBUG:ldap_mapper.c:740: ldap_build_cert_filter(): building subfilter 'userCertificate;binary'='cert'
    DEBUG:ldap_mapper.c:1039: ldap_get_certificate(): searching with filter_str = (&(&(objectClass=posixAccount)(uid=*))(userCertificate;binary=0\82\03\f60\82\02\de\a0\03\02\01\02\02\01\3c0\0d\06\09\2a\86H\86\f7\0d\01\01\0b\05\000X1503\06\03U\04\0a\0c\2cidmqe\2elab\2eeng\2ebos\2eredhat\2ecom\20Security\20Domain1\1f0\1d\06\03U\04\03\0c\16CA\20Signing\20Certificate0\1e\17\0d150909193104Z\17\0d200907193104Z031\170\15\06\03U\04\0a\0c\0eToken\20Key\20User1\180\16\06\0a\09\92\26\89\93\f2\2cd\01\01\0c\08pkiuser20\81\9f0\0d\06\09\2a\86H\86\f7\0d\01\01\01\05\00\03\81\8d\000\81\89\02\81\81\00\80\ea\98\28\be\23\b6h\7b\0f\ff9\b3\d5\9c\0d\92\ad\cd\ba\16\cfp\b56\09\ecU\1e\406H\91\c96O\f5\f0\aa\8a\f3\89\15\da\0d\dd\bae\86\f6\a8y\0c\f9\06kt\b3K\ab\bc\dd\f4\7c\8c\fb\3dy\8c\9b\d0\9d\a8\90C\1d\5bO\26\3b\d4\ef\09\db\17\12\e3\0d\e1WP\e1\8f\ae\ea\88\fa0\bfz\40\d3\92d\b6J\ef\11\b7\104\e5\5bmt\dcPK\13\96\06\84\26\c0E\fb\e3\2b\02\03\01\00\01\a3\82\01r0\82\01n0\0e\06\03U\1d\0f\01\01\ff\04\04\03\02\06\c00\81\85\06\03U\1d\11\04\7e0\7c\81\13rpattath\40redhat\2ecom\a0\24\06\0a\2b\06\01\04\01\827\14\02\03\a0\16\0c\14kdcuser2\40EXAMPLE\2eCOM\a0\3f\06\06\2b\06\01\05\02\02\a0503\a0\0d\1b\0bEXAMPLE\2eCOM\a1\220\20\a0\03\02\01\01\a1\190\17\1b\08kdcuser2\1b\0bEXAMPLE\2eCOM0\1d\06\03U\1d\0e\04\16\04\14\cc\88b\097\e8\0e\9b\e8\af7\c0N\a9\a5A\9d\5d\22\f70\1f\06\03U\1d\23\04\180\16\80\14\a9\acI\d6\ae\23\db\60my\2c1\3c\aat6bj\13\010\09\06\03U\1d\13\04\020\000T\06\08\2b\06\01\05\05\07\01\01\04H0F0D\06\08\2b\06\01\05\05\070\01\868http\3a\2f\2fyttrium\2eidmqe\2elab\2eeng\2ebos\2eredhat\2ecom\3a8080\2fca\2focsp03\06\03U\1d\25\04\2c0\2a\06\08\2b\06\01\05\05\07\03\01\06\08\2b\06\01\05\05\07\03\02\06\08\2b\06\01\05\05\07\03\04\06\0a\2b\06\01\04\01\827\14\02\020\0d\06\09\2a\86H\86\f7\0d\01\01\0b\05\00\03\82\01\01\00\1bO\89\9d\5e\b0\b7A\ff\21\ec\11\d3\3a1\7d\d4\b7\0e\3b\a3\c9p\d9\a1\bf\df\ad\93z\2f\8b5\a7\ca\ed\9anS\d8\60X\25D\93\aeff\bba\b8\97\12\80ic\7c\f4\3c\e2\d0\91\c3R5\5d\91m\8d\fa\c5T\99Y6\a2\02I\92Yft1i\22\3a
UJ\da\a1\24t\f7\fe\2br\eb\f8k\9581A\a6\167\80\b7\0cz\c2\a9\3c\5d\22\13\19\1b\a2t\8eG\89\00t\e4\b7\9c\8d\fb\eb\ff\b3\f2\0d\2a\db\29\f1\fe\b6\f3\11\ef\da\87D\db\ae\c5\e2\25\ed\d6\b0\40L\0e\f5\90\cc\2cHY\87\b3\87\e5\7f\a5\07\5e\a0W\3aeY\26\f9\8aZ\5dX\a5\2e\22\04Ib\98\a4\93JLA\83\0cW\9e\eb\ec\fc\23\5e\3f\8d\d6\01\ba\f0\15\bcq\12\17\abh\26\8a\81\ad\f6\20\2a\c7\92\1c\96\e2\a3\b3\21\b9mf\90\ad\d5\b4\d6\27\a5\3b\bdM\ca\2d\7c\3cm\b2\e4\ed\cc\5ba))
    DEBUG:ldap_mapper.c:1051: ldap_get_certificate(): found an entry
    DEBUG:ldap_mapper.c:1071: ldap_get_certificate(): entries = 1
    DEBUG:ldap_mapper.c:1091: attribute name = userCertificate
    DEBUG:ldap_mapper.c:1094: number of user certificates = 0
    DEBUG:ldap_mapper.c:1103: number of user names ('uid' values) = 1
    DEBUG:ldap_mapper.c:1126: ldap_get_certificate(): end
    DEBUG:ldap_mapper.c:1227: Found matching entry for user
    DEBUG:pklogin_finder.c:151: Certificate is valid and maps to user pkiuser2
    pkiuser2
    DEBUG:mapper_mgr.c:214: unloading mapper module list
    DEBUG:mapper_mgr.c:137: calling mapper_module_end() ldap
    DEBUG:mapper_mgr.c:145: unloading module ldap
    DEBUG:pklogin_finder.c:169: releasing pkcs #11 module...
    DEBUG:pklogin_finder.c:172: Process completed

Comment 7 Roshni 2015-09-09 21:37:08 UTC
Some more additional tests were performed using cn and subject mappings.

1. pam_pkcs11 had the following change

attribute_map = "cn=uid";

[root@dhcp129-45 ~]# pklogin_finder debug
DEBUG:pam_config.c:238: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pkcs11_lib.c:182: Initializing NSS ...
DEBUG:pkcs11_lib.c:192: Initializing NSS ... database=/etc/pki/nssdb
DEBUG:pkcs11_lib.c:210: ...  NSS Complete
DEBUG:pklogin_finder.c:71: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:235: Looking up module in list
DEBUG:pkcs11_lib.c:238: modList = 0x15cc660 next = 0x15d8160

DEBUG:pkcs11_lib.c:239: dllName= <null> 

DEBUG:pkcs11_lib.c:238: modList = 0x15d8160 next = 0x0

DEBUG:pkcs11_lib.c:239: dllName= libcoolkeypk11.so 

DEBUG:pklogin_finder.c:79: initialising pkcs #11 module...
PIN for token: 
DEBUG:pkcs11_lib.c:48: PIN = [redhat]
DEBUG:pkcs11_lib.c:759: cert 0: found (kdcuser2:signing key for kdcuser2), "UID=kdcuser2,OU=People,DC=pki-tps1"
DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
DEBUG:mapper_mgr.c:95: Loading dynamic module for mapper 'ldap'
DEBUG:ldap_mapper.c:1172: test ssltls = default
DEBUG:ldap_mapper.c:1174: LDAP mapper started.
DEBUG:ldap_mapper.c:1175: debug         = 1
DEBUG:ldap_mapper.c:1176: ignorecase    = 0
DEBUG:ldap_mapper.c:1177: ldaphost      = yttrium.idmqe.lab.eng.bos.redhat.com
DEBUG:ldap_mapper.c:1178: ldapport      = 1603
DEBUG:ldap_mapper.c:1179: ldapURI       = 
DEBUG:ldap_mapper.c:1180: scope         = 2
DEBUG:ldap_mapper.c:1181: binddn        = cn=Directory Manager
DEBUG:ldap_mapper.c:1182: passwd        = Secret123
DEBUG:ldap_mapper.c:1183: base          = ou=People,dc=pki-tps1
DEBUG:ldap_mapper.c:1184: attribute     = userCertificate
DEBUG:ldap_mapper.c:1185: uid_attribute = uid
DEBUG:ldap_mapper.c:1187: attribute_map = cn=uid
DEBUG:ldap_mapper.c:1189: filter        = (&(objectClass=posixAccount)(uid=%s))
DEBUG:ldap_mapper.c:1190: searchtimeout = 20
DEBUG:ldap_mapper.c:1191: ssl_on        = 0
DEBUG:ldap_mapper.c:1193: tls_randfile  = 
DEBUG:ldap_mapper.c:1194: tls_cacertfile= 
DEBUG:ldap_mapper.c:1195: tls_cacertdir = 
DEBUG:ldap_mapper.c:1196: tls_checkpeer = -1
DEBUG:ldap_mapper.c:1197: tls_ciphers   = 
DEBUG:ldap_mapper.c:1198: tls_cert      = 
DEBUG:ldap_mapper.c:1199: tls_key       = 
DEBUG:mapper_mgr.c:197: Inserting mapper [ldap] into list
DEBUG:pklogin_finder.c:127: Found '1' certificate(s)
DEBUG:pklogin_finder.c:131: verifing the certificate #1
DEBUG:cert_vfy.c:34: Verifying Cert: kdcuser2:signing key for kdcuser2 (UID=kdcuser2,OU=People,DC=pki-tps1)
DEBUG:pklogin_finder.c:145: Trying to deduce login from certificate
DEBUG:ldap_mapper.c:931: ldap_get_certificate(): begin login unknown
DEBUG:ldap_mapper.c:582: added URI ldap://yttrium.idmqe.lab.eng.bos.redhat.com:1603
DEBUG:ldap_mapper.c:991: ldap_get_certificate(): try do_open for ldap://yttrium.idmqe.lab.eng.bos.redhat.com:1603
DEBUG:ldap_mapper.c:145: do_init():
DEBUG:ldap_mapper.c:415: Set connection timeout to 8
DEBUG:ldap_mapper.c:323: do_bind(): bind DN="cn=Directory Manager" pass="Secret123"
DEBUG:ldap_mapper.c:356: do_bind rc=97
DEBUG:ldap_mapper.c:1023: ldap_get_certificate(): building filter_str from template 'cn=uid'
DEBUG:ldap_mapper.c:791: ldap_build_cert_filter(): building filter 'cn=uid'
DEBUG:ldap_mapper.c:740: ldap_build_cert_filter(): building subfilter 'cn'='uid'
DEBUG:ldap_mapper.c:1039: ldap_get_certificate(): searching with filter_str = (&(&(objectClass=posixAccount)(uid=*))(cn=kdcuser2))
DEBUG:ldap_mapper.c:1051: ldap_get_certificate(): found an entry
DEBUG:ldap_mapper.c:1071: ldap_get_certificate(): entries = 1
DEBUG:ldap_mapper.c:1091: attribute name = userCertificate
DEBUG:ldap_mapper.c:1094: number of user certificates = 0
DEBUG:ldap_mapper.c:1103: number of user names ('uid' values) = 1
DEBUG:ldap_mapper.c:1126: ldap_get_certificate(): end
DEBUG:ldap_mapper.c:1227: Found matching entry for user
DEBUG:pklogin_finder.c:151: Certificate is valid and maps to user kdcuser2
kdcuser2
DEBUG:mapper_mgr.c:214: unloading mapper module list
DEBUG:mapper_mgr.c:137: calling mapper_module_end() ldap
DEBUG:mapper_mgr.c:145: unloading module ldap
DEBUG:pklogin_finder.c:169: releasing pkcs #11 module...
DEBUG:pklogin_finder.c:172: Process completed

2. pam_pkcs11 had the following change

attribute_map = "entrydn=subject";

When the certificate subject matches the ldap entry dn

[root@dhcp129-45 ~]# pklogin_finder debug
DEBUG:pam_config.c:238: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pkcs11_lib.c:182: Initializing NSS ...
DEBUG:pkcs11_lib.c:192: Initializing NSS ... database=/etc/pki/nssdb
DEBUG:pkcs11_lib.c:210: ...  NSS Complete
DEBUG:pklogin_finder.c:71: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:235: Looking up module in list
DEBUG:pkcs11_lib.c:238: modList = 0x19b4650 next = 0x19c0180

DEBUG:pkcs11_lib.c:239: dllName= <null> 

DEBUG:pkcs11_lib.c:238: modList = 0x19c0180 next = 0x0

DEBUG:pkcs11_lib.c:239: dllName= libcoolkeypk11.so 

DEBUG:pklogin_finder.c:79: initialising pkcs #11 module...
PIN for token: 
DEBUG:pkcs11_lib.c:48: PIN = [redhat]
DEBUG:pkcs11_lib.c:759: cert 0: found (kdcuser2:signing key for kdcuser2), "UID=kdcuser2,OU=People,DC=pki-tps1"
DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
DEBUG:mapper_mgr.c:95: Loading dynamic module for mapper 'ldap'
DEBUG:ldap_mapper.c:1172: test ssltls = default
DEBUG:ldap_mapper.c:1174: LDAP mapper started.
DEBUG:ldap_mapper.c:1175: debug         = 1
DEBUG:ldap_mapper.c:1176: ignorecase    = 0
DEBUG:ldap_mapper.c:1177: ldaphost      = yttrium.idmqe.lab.eng.bos.redhat.com
DEBUG:ldap_mapper.c:1178: ldapport      = 1603
DEBUG:ldap_mapper.c:1179: ldapURI       = 
DEBUG:ldap_mapper.c:1180: scope         = 2
DEBUG:ldap_mapper.c:1181: binddn        = cn=Directory Manager
DEBUG:ldap_mapper.c:1182: passwd        = Secret123
DEBUG:ldap_mapper.c:1183: base          = ou=People,dc=pki-tps1
DEBUG:ldap_mapper.c:1184: attribute     = userCertificate
DEBUG:ldap_mapper.c:1185: uid_attribute = uid
DEBUG:ldap_mapper.c:1187: attribute_map = entrydn=subject
DEBUG:ldap_mapper.c:1189: filter        = (&(objectClass=posixAccount)(uid=%s))
DEBUG:ldap_mapper.c:1190: searchtimeout = 20
DEBUG:ldap_mapper.c:1191: ssl_on        = 0
DEBUG:ldap_mapper.c:1193: tls_randfile  = 
DEBUG:ldap_mapper.c:1194: tls_cacertfile= 
DEBUG:ldap_mapper.c:1195: tls_cacertdir = 
DEBUG:ldap_mapper.c:1196: tls_checkpeer = -1
DEBUG:ldap_mapper.c:1197: tls_ciphers   = 
DEBUG:ldap_mapper.c:1198: tls_cert      = 
DEBUG:ldap_mapper.c:1199: tls_key       = 
DEBUG:mapper_mgr.c:197: Inserting mapper [ldap] into list
DEBUG:pklogin_finder.c:127: Found '1' certificate(s)
DEBUG:pklogin_finder.c:131: verifing the certificate #1
DEBUG:cert_vfy.c:34: Verifying Cert: kdcuser2:signing key for kdcuser2 (UID=kdcuser2,OU=People,DC=pki-tps1)
DEBUG:pklogin_finder.c:145: Trying to deduce login from certificate
DEBUG:ldap_mapper.c:931: ldap_get_certificate(): begin login unknown
DEBUG:ldap_mapper.c:582: added URI ldap://yttrium.idmqe.lab.eng.bos.redhat.com:1603
DEBUG:ldap_mapper.c:991: ldap_get_certificate(): try do_open for ldap://yttrium.idmqe.lab.eng.bos.redhat.com:1603
DEBUG:ldap_mapper.c:145: do_init():
DEBUG:ldap_mapper.c:415: Set connection timeout to 8
DEBUG:ldap_mapper.c:323: do_bind(): bind DN="cn=Directory Manager" pass="Secret123"
DEBUG:ldap_mapper.c:356: do_bind rc=97
DEBUG:ldap_mapper.c:1023: ldap_get_certificate(): building filter_str from template 'entrydn=subject'
DEBUG:ldap_mapper.c:791: ldap_build_cert_filter(): building filter 'entrydn=subject'
DEBUG:ldap_mapper.c:740: ldap_build_cert_filter(): building subfilter 'entrydn'='subject'
DEBUG:ldap_mapper.c:1039: ldap_get_certificate(): searching with filter_str = (&(&(objectClass=posixAccount)(uid=*))(entrydn=UID=kdcuser2,OU=People,DC=pki-tps1))
DEBUG:ldap_mapper.c:1051: ldap_get_certificate(): found an entry
DEBUG:ldap_mapper.c:1071: ldap_get_certificate(): entries = 1
DEBUG:ldap_mapper.c:1091: attribute name = userCertificate
DEBUG:ldap_mapper.c:1094: number of user certificates = 0
DEBUG:ldap_mapper.c:1103: number of user names ('uid' values) = 1
DEBUG:ldap_mapper.c:1126: ldap_get_certificate(): end
DEBUG:ldap_mapper.c:1227: Found matching entry for user
DEBUG:pklogin_finder.c:151: Certificate is valid and maps to user kdcuser2
kdcuser2
DEBUG:mapper_mgr.c:214: unloading mapper module list
DEBUG:mapper_mgr.c:137: calling mapper_module_end() ldap
DEBUG:mapper_mgr.c:145: unloading module ldap
DEBUG:pklogin_finder.c:169: releasing pkcs #11 module...
DEBUG:pklogin_finder.c:172: Process completed
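
The two runs above show the mapper turning an attribute_map template into a search filter: the base filter has its %s wildcarded and is ANDed with one subfilter whose attribute name comes from the template and whose value comes from the certificate (uid, subject DN, or the raw DER bytes escaped as \XX in the default case). The following is an added example, not pam_pkcs11's own code, that reconstructs that filter_str with RFC 4515 escaping of the certificate-derived value, so a subject containing `*`, `(` or `)` cannot change the structure of the query; the certificate fields are constructed test data modelled on the debug output.

```python
from typing import Union

# Constructed stand-in for the fields pklogin_finder pulls from the token
# certificate; the DER bytes are a short fake prefix, not a real certificate.
CERT_FIELDS = {
    "uid": "kdcuser2",
    "subject": "UID=kdcuser2,OU=People,DC=pki-tps1",
    "binary": b"0\x82\x03\xf6(",
}


def ldap_escape(value: Union[str, bytes]) -> str:
    """RFC 4515 escaping: '*', '(', ')', '\\' and NUL become \\XX; bytes
    outside printable ASCII are escaped the same way so raw DER can be
    embedded in an assertion value, as in the userCertificate;binary case."""
    raw = value.encode("utf-8") if isinstance(value, str) else value
    out = []
    for b in raw:
        if b in b"*()\\\x00" or b < 0x20 or b > 0x7E:
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def build_subfilter(attr: str, source: str, fields: dict) -> str:
    """The 'building subfilter attr=source' step: LDAP attribute name from the
    template, value from the certificate, escaped before it enters the filter."""
    if source not in fields:
        raise KeyError(f"unknown certificate field '{source}' in attribute_map")
    return f"({attr}={ldap_escape(fields[source])})"


def build_cert_filter(base_filter: str, attribute_map: str, fields: dict) -> str:
    """AND the user-scoping filter (with %s replaced by '*') with the mapped
    subfilter.  An empty attribute_map falls back to matching the whole DER
    certificate against userCertificate;binary, as in the default run."""
    scoped = base_filter.replace("%s", "*")
    template = attribute_map or "userCertificate;binary=binary"
    attr, source = template.split("=", 1)
    return f"(&{scoped}{build_subfilter(attr, source, fields)})"


if __name__ == "__main__":
    base = "(&(objectClass=posixAccount)(uid=%s))"
    for amap in ("cn=uid", "entrydn=subject", ""):
        print(build_cert_filter(base, amap, CERT_FIELDS))
```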

Comment 8 Roshni 2015-09-10 16:58:02 UTC
Based on comment 6 and comment 7, marking this bug as verified. There is a debugger output issue that has been noticed, for which I am filing a new bug: https://bugzilla.redhat.com/show_bug.cgi?id=1262039

Comment 9 errata-xmlrpc 2015-11-19 13:01:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2015-2415.html
