Bug 1163922

| Summary: | Please backport changes to make the LDAP mapper more flexible | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Nalin Dahyabhai <nalin> |
| Component: | pam_pkcs11 | Assignee: | Bob Relyea <rrelyea> |
| Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.2 | CC: | arubin, nalin, pbokoc, rpattath, rrelyea |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | pam_pkcs11-0.6.2-21.el7 | Doc Type: | Enhancement |
| Doc Text: | Previously, when using LDAP to map a user certificate to a user ID, the pam_pkcs11 module requested a list of all certificates and IDs from the LDAP server and filtered this list itself, instead of using LDAP filtering. This approach caused performance problems on both the client and the server, and limited the ways LDAP could be used to map certificates. With this update, the querying algorithm for pam_pkcs11 has been improved and obtaining entire lists of certificates and IDs is no longer necessary. Logins using this module are now faster and require fewer resources, and pam_pkcs11 users now have more flexibility in using LDAP to map a certificate to a user ID. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-11-19 13:01:11 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Nalin Dahyabhai
2014-11-13 17:19:55 UTC
fixed in pam_pkcs11-0.6.2-21.el7

Bob, could you provide the tests that need to be done to verify this bug?

Unfortunately I don't have any test cases. I just did the backport. Nalin, do you have any tests?

Nothing automated, unfortunately. It's been a while, but I'd have used pklogin_finder and a card containing a certificate whose contents I could easily reissue with different contents, and combined it with an IPA server. I probably used "local-getcert request" with the -F flag to generate the certificate and a CA certificate, either pk12util or openssl's pkcs12 command to export the key and certificate into a PKCS#12 bundle, and OpenSC's pkcs15-init's --store-private-key option to dump the private key and certificate onto the card. The IPA server would contain a user account whose entry's DN, recorded full name, IPA user name, recorded email address, and Kerberos principal name I'd specified when creating the certificate, and the user entry would have been modified to add the 'pkiUser' object class so that the newly-generated certificate could be set as its userCertificate value. After that, it should have been pretty straightforward to cycle through the various matching options that we're adding to pam_pkcs11's ldap mapper.

[root@dhcp129-45 rpattath]# rpm -qi pam_pkcs11
Name        : pam_pkcs11
Version     : 0.6.2
Release     : 23.el7
Architecture: x86_64
Install Date: Wed 09 Sep 2015 02:00:29 PM EDT
Group       : System Environment/Base
Size        : 1104350
License     : LGPLv2+
Signature   : RSA/SHA256, Tue 01 Sep 2015 11:31:12 AM EDT, Key ID 938a80caf21541eb
Source RPM  : pam_pkcs11-0.6.2-23.el7.src.rpm
Build Date  : Mon 31 Aug 2015 08:45:08 PM EDT
Build Host  : x86-020.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://www.opensc-project.org/pam_pkcs11
Summary     : PKCS #11/NSS PAM login module

Verification steps:

1. Make the following changes to /etc/pam_pkcs11/pam_pkcs11.conf

use_mappers = ldap;

# Directory ( ldap style ) mapper
mapper ldap {
        debug = true;
        module = /usr/$LIB/pam_pkcs11/ldap_mapper.so;
        # where base directory resides
        basedir = /etc/pam_pkcs11/mapdir;
        # hostname of ldap server
        ldaphost = "yttrium.idmqe.lab.eng.bos.redhat.com";
        # Port on ldap server to connect
        ldapport = 1603;
        # Scope of search: 0 = x, 1 = y, 2 = z
        scope = 2;
        # DN to bind with. Must have read-access for user entries under "base"
        binddn = "cn=Directory Manager";
        # Password for above DN
        passwd = "Secret123";
        # Searchbase for user entries
        base = "ou=People,dc=pki-tps1";
        # Attribute of user entry which contains the certificate
        attribute = "userCertificate";
        # Searchfilter for user entry. Must only let pass user entry for the login user.
        filter = "(&(objectClass=posixAccount)(uid=%s))"
        uid_attribute = "uid";
        attribute_map = "uid=uid&mail=email", "redhatPrincipalName=upn", "userCertificate;binary=cert";
}

2. Insert a smartcard enrolled with a kerberos user.

dn: uid=kdcuser2,ou=People,dc=pki-tps1
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: redhatKerberosUser
objectClass: posixAccount
cn: kdcuser2
sn: KDCUser
description: this is the description of kdcuser2
telephoneNumber: This the telephoneNumber of kdcuser2
businessCategory: This the businessCategory of kdcuser2
carLicense: This the carLicense of kdcuser2
departmentNumber: This the departmentNumber of kdcuser2
displayName: KDC User
employeeNumber: This the employeeNumber of kdcuser2
employeeType: This the employeeType of kdcuser2
givenName: GivenName
homePhone: This the homePhone of kdcuser2
homePostalAddress: This the homePostalAddress of kdcuser2
initials: This the initials of kdcuser2
labeledURI: This the labeledURL of kdcuser2
mail: rpattath
mobile: This the mobile of kdcuser2
o: This the o of kdcuser2
pager: This the pager of kdcuser2
preferredLanguage: This the preferredLanguage of kdcuser2
roomNumber: This the roomNumber of kdcuser2
uid: kdcuser2
userSMIMECertificate: This the userSMIMECertificate of kdcuser2
redhatPrincipalName: kdcuser2
uidNumber: 1001
gidNumber: 1000
loginShell: /bin/sh
homeDirectory: /home/kdcuser2
userPassword:: e1NTSEF9YVpVa1c5RkZ3UnB6ajFJeC9tVEtxcnNyVkRVWkNRc3Byd0I4ckE9PQ==
userCertificate;binary:: MIID9jCCAt6gAwIBAgIBOjANBgkqhkiG9w0BAQsFADBYMTUwMwYDV
 QQKDCxpZG1xZS5sYWIuZW5nLmJvcy5yZWRoYXQuY29tIFNlY3VyaXR5IERvbWFpbjEfMB0GA1UEAw
 wWQ0EgU2lnbmluZyBDZXJ0aWZpY2F0ZTAeFw0xNTA5MDkxODQwMTZaFw0yMDA5MDcxODQwMTZaMDM
 xFzAVBgNVBAoMDlRva2VuIEtleSBVc2VyMRgwFgYKCZImiZPyLGQBAQwIa2RjdXNlcjIwgZ8wDQYJ
 KoZIhvcNAQEBBQADgY0AMIGJAoGBAIxF7FWEeCGBph/9D7Z7gsFH3gQAgc4BPkRGl/FJgM+StxChy
 RUk+zfDNXnWLOAs1t2sZvqUEcR4GnvsRqRG57CO9ks1seJQy7dj2+4ChQs8SpRrJ/V/LuQM+Xfc9s
 2bhj0osWoxr2TZXpbwh9BXMZJje9K/EiDB5cX9UPeMVSbtAgMBAAGjggFyMIIBbjAOBgNVHQ8BAf8
 EBAMCBsAwgYUGA1UdEQR+MHyBE3JwYXR0YXRoQHJlZGhhdC5jb22gJAYKKwYBBAGCNxQCA6AWDBRr
 ZGN1c2VyMkBFWEFNUExFLkNPTaA/BgYrBgEFAgKgNTAzoA0bC0VYQU1QTEUuQ09NoSIwIKADAgEBo
 RkwFxsIa2RjdXNlcjIbC0VYQU1QTEUuQ09NMB0GA1UdDgQWBBTLLVbh9rTYVyQCUv/GP3fA76X8Bz
 AfBgNVHSMEGDAWgBSprEnWriPbYG15LDE8qnQ2YmoTATAJBgNVHRMEAjAAMFQGCCsGAQUFBwEBBEg
 wRjBEBggrBgEFBQcwAYY4aHR0cDovL3l0dHJpdW0uaWRtcWUubGFiLmVuZy5ib3MucmVkaGF0LmNv
 bTo4MDgwL2NhL29jc3AwMwYDVR0lBCwwKgYIKwYBBQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDBAYKK
 wYBBAGCNxQCAjANBgkqhkiG9w0BAQsFAAOCAQEAiYl2gxEEHFKOeyYtCnMammJAgBjBgaob+ktigd
 zaj370H5HKYks7eDs6CSffbjMBY+Qv8J+nZ3xkqZ7nVUcn6DCBfPzUd2JmFoLL24JAC16IfoRJQmp
 KR/xCcAif+LOIgFrNhmmWr1dIk7myChbWCS55U9RZZFHNdASpydPnFRfy5CmxW7tu3EaBKxiIva6o
 X2nuV0yU722eprwX/NmKwdU61oQ8WBEvUHH5sbQpNHRsxNt+RNmdVYNzq01VPX6npxYbpNDLGj7Ot
 M4zDfae/sV9aTXdLIZ6uxYJsztp6RgsNZiKEwXCsteMKPSLEuxdTkhd5wVfEcxvQ2/hmnqBZQ==

3. Import and trust the issuing CA cert under /etc/pki/nssdb

4. Run pklogin_finder

[root@dhcp129-45 rpattath]# pklogin_finder debug
DEBUG:pam_config.c:238: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pkcs11_lib.c:182: Initializing NSS ...
DEBUG:pkcs11_lib.c:192: Initializing NSS ... database=/etc/pki/nssdb
DEBUG:pkcs11_lib.c:210: ... NSS Complete
DEBUG:pklogin_finder.c:71: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:235: Looking up module in list
DEBUG:pkcs11_lib.c:238: modList = 0x1e386f0 next = 0x1e441f0
DEBUG:pkcs11_lib.c:239: dllName= <null>
DEBUG:pkcs11_lib.c:238: modList = 0x1e441f0 next = 0x0
DEBUG:pkcs11_lib.c:239: dllName= libcoolkeypk11.so
DEBUG:pklogin_finder.c:79: initialising pkcs #11 module...
PIN for token:
DEBUG:pkcs11_lib.c:48: PIN = [redhat]
DEBUG:pkcs11_lib.c:759: cert 0: found (kdcuser2:signing key for kdcuser2), "UID=kdcuser2,O=Token Key User"
DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
DEBUG:mapper_mgr.c:95: Loading dynamic module for mapper 'ldap'
DEBUG:ldap_mapper.c:1172: test ssltls = default
DEBUG:ldap_mapper.c:1174: LDAP mapper started.
DEBUG:ldap_mapper.c:1175: debug = 1
DEBUG:ldap_mapper.c:1176: ignorecase = 0
DEBUG:ldap_mapper.c:1177: ldaphost = yttrium.idmqe.lab.eng.bos.redhat.com
DEBUG:ldap_mapper.c:1178: ldapport = 1603
DEBUG:ldap_mapper.c:1179: ldapURI =
DEBUG:ldap_mapper.c:1180: scope = 2
DEBUG:ldap_mapper.c:1181: binddn = cn=Directory Manager
DEBUG:ldap_mapper.c:1182: passwd = Secret123
DEBUG:ldap_mapper.c:1183: base = ou=People,dc=pki-tps1
DEBUG:ldap_mapper.c:1184: attribute = userCertificate
DEBUG:ldap_mapper.c:1185: uid_attribute = uid
DEBUG:ldap_mapper.c:1187: attribute_map = uid=uid&mail=email
DEBUG:ldap_mapper.c:1187: attribute_map = uid=uid&mail=email
DEBUG:ldap_mapper.c:1187: attribute_map = uid=uid&mail=email
DEBUG:ldap_mapper.c:1189: filter = (&(objectClass=posixAccount)(uid=%s))
DEBUG:ldap_mapper.c:1190: searchtimeout = 20
DEBUG:ldap_mapper.c:1191: ssl_on = 0
DEBUG:ldap_mapper.c:1193: tls_randfile =
DEBUG:ldap_mapper.c:1194: tls_cacertfile=
DEBUG:ldap_mapper.c:1195: tls_cacertdir =
DEBUG:ldap_mapper.c:1196: tls_checkpeer = -1
DEBUG:ldap_mapper.c:1197: tls_ciphers =
DEBUG:ldap_mapper.c:1198: tls_cert =
DEBUG:ldap_mapper.c:1199: tls_key =
DEBUG:mapper_mgr.c:197: Inserting mapper [ldap] into list
DEBUG:pklogin_finder.c:127: Found '1' certificate(s)
DEBUG:pklogin_finder.c:131: verifing the certificate #1
DEBUG:cert_vfy.c:34: Verifying Cert: kdcuser2:signing key for kdcuser2 (UID=kdcuser2,O=Token Key User)
DEBUG:pklogin_finder.c:145: Trying to deduce login from certificate
DEBUG:ldap_mapper.c:931: ldap_get_certificate(): begin login unknown
DEBUG:ldap_mapper.c:582: added URI ldap://yttrium.idmqe.lab.eng.bos.redhat.com:1603
DEBUG:ldap_mapper.c:991: ldap_get_certificate(): try do_open for ldap://yttrium.idmqe.lab.eng.bos.redhat.com:1603
DEBUG:ldap_mapper.c:145: do_init():
DEBUG:ldap_mapper.c:415: Set connection timeout to 8
DEBUG:ldap_mapper.c:323: do_bind(): bind DN="cn=Directory Manager" pass="Secret123"
DEBUG:ldap_mapper.c:356: do_bind rc=97
DEBUG:ldap_mapper.c:1023: ldap_get_certificate(): building filter_str from template 'uid=uid&mail=email'
DEBUG:ldap_mapper.c:791: ldap_build_cert_filter(): building filter 'uid=uid&mail=email'
DEBUG:ldap_mapper.c:740: ldap_build_cert_filter(): building subfilter 'uid'='uid'
DEBUG:ldap_mapper.c:740: ldap_build_cert_filter(): building subfilter 'mail'='email'
DEBUG:ldap_mapper.c:1039: ldap_get_certificate(): searching with filter_str = (&(&(objectClass=posixAccount)(uid=*))(&(uid=kdcuser2)(mail=rpattath)))
DEBUG:ldap_mapper.c:1051: ldap_get_certificate(): found an entry
DEBUG:ldap_mapper.c:1071: ldap_get_certificate(): entries = 1
DEBUG:ldap_mapper.c:1091: attribute name = userCertificate
DEBUG:ldap_mapper.c:1094: number of user certificates = 0
DEBUG:ldap_mapper.c:1103: number of user names ('uid' values) = 1
DEBUG:ldap_mapper.c:1126: ldap_get_certificate(): end
DEBUG:ldap_mapper.c:1227: Found matching entry for user
DEBUG:pklogin_finder.c:151: Certificate is valid and maps to user kdcuser2
kdcuser2
DEBUG:mapper_mgr.c:214: unloading mapper module list
DEBUG:mapper_mgr.c:137: calling mapper_module_end() ldap
DEBUG:mapper_mgr.c:145: unloading module ldap
DEBUG:pklogin_finder.c:169: releasing pkcs #11 module...
DEBUG:pklogin_finder.c:172: Process completed

Some additional tests:

1. Make the following changes to pam_pkcs11.conf

attribute_map = "redhatPrincipalName=upn", "userCertificate;binary=cert";

[root@dhcp129-45 rpattath]# pklogin_finder debug
DEBUG:pam_config.c:238: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pkcs11_lib.c:182: Initializing NSS ...
DEBUG:pkcs11_lib.c:192: Initializing NSS ... database=/etc/pki/nssdb
DEBUG:pkcs11_lib.c:210: ... NSS Complete
DEBUG:pklogin_finder.c:71: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:235: Looking up module in list
DEBUG:pkcs11_lib.c:238: modList = 0x1d876a0 next = 0x1d931d0
DEBUG:pkcs11_lib.c:239: dllName= <null>
DEBUG:pkcs11_lib.c:238: modList = 0x1d931d0 next = 0x0
DEBUG:pkcs11_lib.c:239: dllName= libcoolkeypk11.so
DEBUG:pklogin_finder.c:79: initialising pkcs #11 module...
PIN for token:
DEBUG:pkcs11_lib.c:48: PIN = [redhat]
DEBUG:pkcs11_lib.c:759: cert 0: found (kdcuser2:signing key for kdcuser2), "UID=kdcuser2,O=Token Key User"
DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
DEBUG:mapper_mgr.c:95: Loading dynamic module for mapper 'ldap'
DEBUG:ldap_mapper.c:1172: test ssltls = default
DEBUG:ldap_mapper.c:1174: LDAP mapper started.
DEBUG:ldap_mapper.c:1175: debug = 1
DEBUG:ldap_mapper.c:1176: ignorecase = 0
DEBUG:ldap_mapper.c:1177: ldaphost = yttrium.idmqe.lab.eng.bos.redhat.com
DEBUG:ldap_mapper.c:1178: ldapport = 1603
DEBUG:ldap_mapper.c:1179: ldapURI =
DEBUG:ldap_mapper.c:1180: scope = 2
DEBUG:ldap_mapper.c:1181: binddn = cn=Directory Manager
DEBUG:ldap_mapper.c:1182: passwd = Secret123
DEBUG:ldap_mapper.c:1183: base = ou=People,dc=pki-tps1
DEBUG:ldap_mapper.c:1184: attribute = userCertificate
DEBUG:ldap_mapper.c:1185: uid_attribute = uid
DEBUG:ldap_mapper.c:1187: attribute_map = redhatPrincipalName=upn
DEBUG:ldap_mapper.c:1187: attribute_map = redhatPrincipalName=upn
DEBUG:ldap_mapper.c:1189: filter = (&(objectClass=posixAccount)(uid=%s))
DEBUG:ldap_mapper.c:1190: searchtimeout = 20
DEBUG:ldap_mapper.c:1191: ssl_on = 0
DEBUG:ldap_mapper.c:1193: tls_randfile =
DEBUG:ldap_mapper.c:1194: tls_cacertfile=
DEBUG:ldap_mapper.c:1195: tls_cacertdir =
DEBUG:ldap_mapper.c:1196: tls_checkpeer = -1
DEBUG:ldap_mapper.c:1197: tls_ciphers =
DEBUG:ldap_mapper.c:1198: tls_cert =
DEBUG:ldap_mapper.c:1199: tls_key =
DEBUG:mapper_mgr.c:197: Inserting mapper [ldap] into list
DEBUG:pklogin_finder.c:127: Found '1' certificate(s)
DEBUG:pklogin_finder.c:131: verifing the certificate #1
DEBUG:cert_vfy.c:34: Verifying Cert: kdcuser2:signing key for kdcuser2 (UID=kdcuser2,O=Token Key User)
DEBUG:pklogin_finder.c:145: Trying to deduce login from certificate
DEBUG:ldap_mapper.c:931: ldap_get_certificate(): begin login unknown
DEBUG:ldap_mapper.c:582: added URI ldap://yttrium.idmqe.lab.eng.bos.redhat.com:1603
DEBUG:ldap_mapper.c:991: ldap_get_certificate(): try do_open for ldap://yttrium.idmqe.lab.eng.bos.redhat.com:1603
DEBUG:ldap_mapper.c:145: do_init():
DEBUG:ldap_mapper.c:415: Set connection timeout to 8
DEBUG:ldap_mapper.c:323: do_bind(): bind DN="cn=Directory Manager" pass="Secret123"
DEBUG:ldap_mapper.c:356: do_bind rc=97
DEBUG:ldap_mapper.c:1023: ldap_get_certificate(): building filter_str from template 'redhatPrincipalName=upn'
DEBUG:ldap_mapper.c:791: ldap_build_cert_filter(): building filter 'redhatPrincipalName=upn'
DEBUG:cert_info.c:143: Looking for ALT_NAME
DEBUG:cert_info.c:182: not other name...
DEBUG:cert_info.c:167: got other name with tag 0x13e
DEBUG:cert_info.c:175: Got upn: kdcuser2
DEBUG:cert_info.c:167: got other name with tag 0
DEBUG:ldap_mapper.c:740: ldap_build_cert_filter(): building subfilter 'redhatPrincipalName'='upn'
DEBUG:ldap_mapper.c:1039: ldap_get_certificate(): searching with filter_str = (&(&(objectClass=posixAccount)(uid=*))(redhatPrincipalName=kdcuser2))
DEBUG:ldap_mapper.c:1051: ldap_get_certificate(): found an entry
DEBUG:ldap_mapper.c:1071: ldap_get_certificate(): entries = 1
DEBUG:ldap_mapper.c:1091: attribute name = userCertificate
DEBUG:ldap_mapper.c:1094: number of user certificates = 0
DEBUG:ldap_mapper.c:1103: number of user names ('uid' values) = 1
DEBUG:ldap_mapper.c:1126: ldap_get_certificate(): end
DEBUG:ldap_mapper.c:1227: Found matching entry for user
DEBUG:pklogin_finder.c:151: Certificate is valid and maps to user kdcuser2
kdcuser2
DEBUG:mapper_mgr.c:214: unloading mapper module list
DEBUG:mapper_mgr.c:137: calling mapper_module_end() ldap
DEBUG:mapper_mgr.c:145: unloading module ldap
DEBUG:pklogin_finder.c:169: releasing pkcs #11 module...
DEBUG:pklogin_finder.c:172: Process completed

2. Make the following changes to pam_pkcs11.conf

attribute_map = "userCertificate;binary=cert";

The signing cert on the smartcard should be added to the ldap user entry.

[root@dhcp129-45 rpattath]# pklogin_finder debug
DEBUG:pam_config.c:238: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pkcs11_lib.c:182: Initializing NSS ...
DEBUG:pkcs11_lib.c:192: Initializing NSS ... database=/etc/pki/nssdb
DEBUG:pkcs11_lib.c:210: ... NSS Complete
DEBUG:pklogin_finder.c:71: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:235: Looking up module in list
DEBUG:pkcs11_lib.c:238: modList = 0xb9f670 next = 0xbab170
DEBUG:pkcs11_lib.c:239: dllName= <null>
DEBUG:pkcs11_lib.c:238: modList = 0xbab170 next = 0x0
DEBUG:pkcs11_lib.c:239: dllName= libcoolkeypk11.so
DEBUG:pklogin_finder.c:79: initialising pkcs #11 module...
PIN for token:
DEBUG:pkcs11_lib.c:48: PIN = [redhat]
DEBUG:pkcs11_lib.c:759: cert 0: found (kdcuser2:signing key for kdcuser2), "UID=kdcuser2,O=Token Key User"
DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
DEBUG:mapper_mgr.c:95: Loading dynamic module for mapper 'ldap'
DEBUG:ldap_mapper.c:1172: test ssltls = default
DEBUG:ldap_mapper.c:1174: LDAP mapper started.
DEBUG:ldap_mapper.c:1175: debug = 1
DEBUG:ldap_mapper.c:1176: ignorecase = 0
DEBUG:ldap_mapper.c:1177: ldaphost = yttrium.idmqe.lab.eng.bos.redhat.com
DEBUG:ldap_mapper.c:1178: ldapport = 1603
DEBUG:ldap_mapper.c:1179: ldapURI =
DEBUG:ldap_mapper.c:1180: scope = 2
DEBUG:ldap_mapper.c:1181: binddn = cn=Directory Manager
DEBUG:ldap_mapper.c:1182: passwd = Secret123
DEBUG:ldap_mapper.c:1183: base = ou=People,dc=pki-tps1
DEBUG:ldap_mapper.c:1184: attribute = userCertificate
DEBUG:ldap_mapper.c:1185: uid_attribute = uid
DEBUG:ldap_mapper.c:1187: attribute_map = userCertificate;binary=cert
DEBUG:ldap_mapper.c:1189: filter = (&(objectClass=posixAccount)(uid=%s))
DEBUG:ldap_mapper.c:1190: searchtimeout = 20
DEBUG:ldap_mapper.c:1191: ssl_on = 0
DEBUG:ldap_mapper.c:1193: tls_randfile =
DEBUG:ldap_mapper.c:1194: tls_cacertfile=
DEBUG:ldap_mapper.c:1195: tls_cacertdir =
DEBUG:ldap_mapper.c:1196: tls_checkpeer = -1
DEBUG:ldap_mapper.c:1197: tls_ciphers =
DEBUG:ldap_mapper.c:1198: tls_cert =
DEBUG:ldap_mapper.c:1199: tls_key =
DEBUG:mapper_mgr.c:197: Inserting mapper [ldap] into list
DEBUG:pklogin_finder.c:127: Found '1' certificate(s)
DEBUG:pklogin_finder.c:131: verifing the certificate #1
DEBUG:cert_vfy.c:34: Verifying Cert: kdcuser2:signing key for kdcuser2 (UID=kdcuser2,O=Token Key User)
DEBUG:pklogin_finder.c:145: Trying to deduce login from certificate
DEBUG:ldap_mapper.c:931: ldap_get_certificate(): begin login unknown
DEBUG:ldap_mapper.c:582: added URI ldap://yttrium.idmqe.lab.eng.bos.redhat.com:1603
DEBUG:ldap_mapper.c:991: ldap_get_certificate(): try do_open for ldap://yttrium.idmqe.lab.eng.bos.redhat.com:1603
DEBUG:ldap_mapper.c:145: do_init():
DEBUG:ldap_mapper.c:415: Set connection timeout to 8
DEBUG:ldap_mapper.c:323: do_bind(): bind DN="cn=Directory Manager" pass="Secret123"
DEBUG:ldap_mapper.c:356: do_bind rc=97
DEBUG:ldap_mapper.c:1023: ldap_get_certificate(): building filter_str from template 'userCertificate;binary=cert'
DEBUG:ldap_mapper.c:791: ldap_build_cert_filter(): building filter 'userCertificate;binary=cert'
DEBUG:ldap_mapper.c:740: ldap_build_cert_filter(): building subfilter 'userCertificate;binary'='cert'
DEBUG:ldap_mapper.c:1039: ldap_get_certificate(): searching with filter_str = (&(&(objectClass=posixAccount)(uid=*))(userCertificate;binary=0\82\03\f60\82\02\de\a0\03\02\01\02\02\01\3a0\0d\06\09\2a\86H\86\f7\0d\01\01\0b\05\000X1503\06\03U\04\0a\0c\2cidmqe\2elab\2eeng\2ebos\2eredhat\2ecom\20Security\20Domain1\1f0\1d\06\03U\04\03\0c\16CA\20Signing\20Certificate0\1e\17\0d150909184016Z\17\0d200907184016Z031\170\15\06\03U\04\0a\0c\0eToken\20Key\20User1\180\16\06\0a\09\92\26\89\93\f2\2cd\01\01\0c\08kdcuser20\81\9f0\0d\06\09\2a\86H\86\f7\0d\01\01\01\05\00\03\81\8d\000\81\89\02\81\81\00\8cE\ecU\84x\21\81\a6\1f\fd\0f\b6\7b\82\c1G\de\04\00\81\ce\01\3eDF\97\f1I\80\cf\92\b7\10\a1\c9\15\24\fb7\c35y\d6\2c\e0\2c\d6\dd\acf\fa\94\11\c4x\1a\7b\ecF\a4F\e7\b0\8e\f6K5\b1\e2P\cb\b7c\db\ee\02\85\0b\3cJ\94k\27\f5\7f\2e\e4\0c\f9w\dc\f6\cd\9b\86\3d\28\b1j1\afd\d9\5e\96\f0\87\d0W1\92c\7b\d2\bf\12\20\c1\e5\c5\fdP\f7\8cU\26\ed\02\03\01\00\01\a3\82\01r0\82\01n0\0e\06\03U\1d\0f\01\01\ff\04\04\03\02\06\c00\81\85\06\03U\1d\11\04\7e0\7c\81\13rpattath\40redhat\2ecom\a0\24\06\0a\2b\06\01\04\01\827\14\02\03\a0\16\0c\14kdcuser2\40EXAMPLE\2eCOM\a0\3f\06\06\2b\06\01\05\02\02\a0503\a0\0d\1b\0bEXAMPLE\2eCOM\a1\220\20\a0\03\02\01\01\a1\190\17\1b\08kdcuser2\1b\0bEXAMPLE\2eCOM0\1d\06\03U\1d\0e\04\16\04\14\cb\2dV\e1\f6\b4\d8W\24\02R\ff\c6\3fw\c0\ef\a5\fc\070\1f\06\03U\1d\23\04\180\16\80\14\a9\acI\d6\ae\23\db\60my\2c1\3c\aat6bj\13\010\09\06\03U\1d\13\04\020\000T\06\08\2b\06\01\05\05\07\01\01\04H0F0D\06\08\2b\06\01\05\05\070\01\868http\3a\2f\2fyttrium\2eidmqe\2elab\2eeng\2ebos\2eredhat\2ecom\3a8080\2fca\2focsp03\06\03U\1d\25\04\2c0\2a\06\08\2b\06\01\05\05\07\03\01\06\08\2b\06\01\05\05\07\03\02\06\08\2b\06\01\05\05\07\03\04\06\0a\2b\06\01\04\01\827\14\02\020\0d\06\09\2a\86H\86\f7\0d\01\01\0b\05\00\03\82\01\01\00\89\89v\83\11\04\1cR\8e\7b\26\2d\0as\1a\9ab\40\80\18\c1\81\aa\1b\faKb\81\dc\da\8f\7e\f4\1f\91\cabK\3bx\3b\3a\09\27\dfn3\01c\e4\2f\f0\9f\a7g\7cd\a9\9e\e7UG\27\e80\81\7c\fc\d4wbf\16\82\cb\db\82\40\0b\5e\88\7e\84IBjJG\fcBp\08\9f\f8\b3\88\80Z\cd\86i\96\afWH\93\b9\b2\0a\16\d6\09\2eyS\d4YdQ\cdt\04\a9\c9\d3\e7\15\17\f2\e4\29\b1\5b\bbn\dcF\81\2b\18\88\bd\ae\a8\5fi\eeWL\94\efm\9e\a6\bc\17\fc\d9\8a\c1\d5\3a\d6\84\3cX\11\2fPq\f9\b1\b4\294tl\c4\db\7eD\d9\9dU\83s\abMU\3d\7e\a7\a7\16\1b\a4\d0\cb\1a\3e\ce\b4\ce3\0d\f6\9e\fe\c5\7di5\dd\2c\86z\bb\16\09\b3\3bi\e9\18\2c5\98\8a\13\05\c2\b2\d7\8c\28\f4\8b\12\ec\5dNH\5d\e7\05\5f\11\ccoCo\e1\9az\81e))
DEBUG:ldap_mapper.c:1051: ldap_get_certificate(): found an entry
DEBUG:ldap_mapper.c:1071: ldap_get_certificate(): entries = 1
DEBUG:ldap_mapper.c:1091: attribute name = userCertificate
DEBUG:ldap_mapper.c:1094: number of user certificates = 0
DEBUG:ldap_mapper.c:1103: number of user names ('uid' values) = 1
DEBUG:ldap_mapper.c:1126: ldap_get_certificate(): end
DEBUG:ldap_mapper.c:1227: Found matching entry for user
DEBUG:pklogin_finder.c:151: Certificate is valid and maps to user kdcuser2
kdcuser2
DEBUG:mapper_mgr.c:214: unloading mapper module list
DEBUG:mapper_mgr.c:137: calling mapper_module_end() ldap
DEBUG:mapper_mgr.c:145: unloading module ldap
DEBUG:pklogin_finder.c:169: releasing pkcs #11 module...
DEBUG:pklogin_finder.c:172: Process completed

3. Use a smart card enrolled with a non-kerberos user (the user has no redhatPrincipalName objectclass). The signing cert on the smartcard has been added to the ldap user entry. pam_pkcs11.conf has the following:

attribute_map = "redhatPrincipalName=upn", "userCertificate;binary=cert";

[root@dhcp129-45 rpattath]# pklogin_finder debug
DEBUG:pam_config.c:238: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pkcs11_lib.c:182: Initializing NSS ...
DEBUG:pkcs11_lib.c:192: Initializing NSS ... database=/etc/pki/nssdb
DEBUG:pkcs11_lib.c:210: ... NSS Complete
DEBUG:pklogin_finder.c:71: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:235: Looking up module in list
DEBUG:pkcs11_lib.c:238: modList = 0x1a916b0 next = 0x1a9d1b0
DEBUG:pkcs11_lib.c:239: dllName= <null>
DEBUG:pkcs11_lib.c:238: modList = 0x1a9d1b0 next = 0x0
DEBUG:pkcs11_lib.c:239: dllName= libcoolkeypk11.so
DEBUG:pklogin_finder.c:79: initialising pkcs #11 module...
PIN for token:
DEBUG:pkcs11_lib.c:48: PIN = [redhat]
DEBUG:pkcs11_lib.c:759: cert 0: found (pkiuser2:signing key for pkiuser2), "UID=pkiuser2,O=Token Key User"
DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
DEBUG:mapper_mgr.c:95: Loading dynamic module for mapper 'ldap'
DEBUG:ldap_mapper.c:1172: test ssltls = default
DEBUG:ldap_mapper.c:1174: LDAP mapper started.
DEBUG:ldap_mapper.c:1175: debug = 1
DEBUG:ldap_mapper.c:1176: ignorecase = 0
DEBUG:ldap_mapper.c:1177: ldaphost = yttrium.idmqe.lab.eng.bos.redhat.com
DEBUG:ldap_mapper.c:1178: ldapport = 1603
DEBUG:ldap_mapper.c:1179: ldapURI =
DEBUG:ldap_mapper.c:1180: scope = 2
DEBUG:ldap_mapper.c:1181: binddn = cn=Directory Manager
DEBUG:ldap_mapper.c:1182: passwd = Secret123
DEBUG:ldap_mapper.c:1183: base = ou=People,dc=pki-tps1
DEBUG:ldap_mapper.c:1184: attribute = userCertificate
DEBUG:ldap_mapper.c:1185: uid_attribute = uid
DEBUG:ldap_mapper.c:1187: attribute_map = krbprincipalname=upn
DEBUG:ldap_mapper.c:1187: attribute_map = krbprincipalname=upn
DEBUG:ldap_mapper.c:1189: filter = (&(objectClass=posixAccount)(uid=%s))
DEBUG:ldap_mapper.c:1190: searchtimeout = 20
DEBUG:ldap_mapper.c:1191: ssl_on = 0
DEBUG:ldap_mapper.c:1193: tls_randfile =
DEBUG:ldap_mapper.c:1194: tls_cacertfile=
DEBUG:ldap_mapper.c:1195: tls_cacertdir =
DEBUG:ldap_mapper.c:1196: tls_checkpeer = -1
DEBUG:ldap_mapper.c:1197: tls_ciphers =
DEBUG:ldap_mapper.c:1198: tls_cert =
DEBUG:ldap_mapper.c:1199: tls_key =
DEBUG:mapper_mgr.c:197: Inserting mapper [ldap] into list
DEBUG:pklogin_finder.c:127: Found '1' certificate(s)
DEBUG:pklogin_finder.c:131: verifing the certificate #1
DEBUG:cert_vfy.c:34: Verifying Cert: pkiuser2:signing key for pkiuser2 (UID=pkiuser2,O=Token Key User)
DEBUG:pklogin_finder.c:145: Trying to deduce login from certificate
DEBUG:ldap_mapper.c:931: ldap_get_certificate(): begin login unknown
DEBUG:ldap_mapper.c:582: added URI ldap://yttrium.idmqe.lab.eng.bos.redhat.com:1603
DEBUG:ldap_mapper.c:991: ldap_get_certificate(): try do_open for ldap://yttrium.idmqe.lab.eng.bos.redhat.com:1603
DEBUG:ldap_mapper.c:145: do_init():
DEBUG:ldap_mapper.c:415: Set connection timeout to 8
DEBUG:ldap_mapper.c:323: do_bind(): bind DN="cn=Directory Manager" pass="Secret123"
DEBUG:ldap_mapper.c:356: do_bind rc=97
DEBUG:ldap_mapper.c:1023: ldap_get_certificate(): building filter_str from template 'krbprincipalname=upn'
DEBUG:ldap_mapper.c:791: ldap_build_cert_filter(): building filter 'krbprincipalname=upn'
DEBUG:cert_info.c:143: Looking for ALT_NAME
DEBUG:cert_info.c:182: not other name...
DEBUG:cert_info.c:167: got other name with tag 0x13e
DEBUG:cert_info.c:175: Got upn: kdcuser2
DEBUG:cert_info.c:167: got other name with tag 0
DEBUG:ldap_mapper.c:740: ldap_build_cert_filter(): building subfilter 'krbprincipalname'='upn'
DEBUG:ldap_mapper.c:1039: ldap_get_certificate(): searching with filter_str = (&(&(objectClass=posixAccount)(uid=*))(krbprincipalname=kdcuser2))
DEBUG:ldap_mapper.c:1054: ldap_get_certificate(): no matching entries
DEBUG:ldap_mapper.c:1023: ldap_get_certificate(): building filter_str from template 'userCertificate;binary=cert'
DEBUG:ldap_mapper.c:791: ldap_build_cert_filter(): building filter 'userCertificate;binary=cert'
DEBUG:ldap_mapper.c:740: ldap_build_cert_filter(): building subfilter 'userCertificate;binary'='cert'
DEBUG:ldap_mapper.c:1039: ldap_get_certificate(): searching with filter_str = (&(&(objectClass=posixAccount)(uid=*))(userCertificate;binary=0\82\03\f60\82\02\de\a0\03\02\01\02\02\01\3c0\0d\06\09\2a\86H\86\f7\0d\01\01\0b\05\000X1503\06\03U\04\0a\0c\2cidmqe\2elab\2eeng\2ebos\2eredhat\2ecom\20Security\20Domain1\1f0\1d\06\03U\04\03\0c\16CA\20Signing\20Certificate0\1e\17\0d150909193104Z\17\0d200907193104Z031\170\15\06\03U\04\0a\0c\0eToken\20Key\20User1\180\16\06\0a\09\92\26\89\93\f2\2cd\01\01\0c\08pkiuser20\81\9f0\0d\06\09\2a\86H\86\f7\0d\01\01\01\05\00\03\81\8d\000\81\89\02\81\81\00\80\ea\98\28\be\23\b6h\7b\0f\ff9\b3\d5\9c\0d\92\ad\cd\ba\16\cfp\b56\09\ecU\1e\406H\91\c96O\f5\f0\aa\8a\f3\89\15\da\0d\dd\bae\86\f6\a8y\0c\f9\06kt\b3K\ab\bc\dd\f4\7c\8c\fb\3dy\8c\9b\d0\9d\a8\90C\1d\5bO\26\3b\d4\ef\09\db\17\12\e3\0d\e1WP\e1\8f\ae\ea\88\fa0\bfz\40\d3\92d\b6J\ef\11\b7\104\e5\5bmt\dcPK\13\96\06\84\26\c0E\fb\e3\2b\02\03\01\00\01\a3\82\01r0\82\01n0\0e\06\03U\1d\0f\01\01\ff\04\04\03\02\06\c00\81\85\06\03U\1d\11\04\7e0\7c\81\13rpattath\40redhat\2ecom\a0\24\06\0a\2b\06\01\04\01\827\14\02\03\a0\16\0c\14kdcuser2\40EXAMPLE\2eCOM\a0\3f\06\06\2b\06\01\05\02\02\a0503\a0\0d\1b\0bEXAMPLE\2eCOM\a1\220\20\a0\03\02\01\01\a1\190\17\1b\08kdcuser2\1b\0bEXAMPLE\2eCOM0\1d\06\03U\1d\0e\04\16\04\14\cc\88b\097\e8\0e\9b\e8\af7\c0N\a9\a5A\9d\5d\22\f70\1f\06\03U\1d\23\04\180\16\80\14\a9\acI\d6\ae\23\db\60my\2c1\3c\aat6bj\13\010\09\06\03U\1d\13\04\020\000T\06\08\2b\06\01\05\05\07\01\01\04H0F0D\06\08\2b\06\01\05\05\070\01\868http\3a\2f\2fyttrium\2eidmqe\2elab\2eeng\2ebos\2eredhat\2ecom\3a8080\2fca\2focsp03\06\03U\1d\25\04\2c0\2a\06\08\2b\06\01\05\05\07\03\01\06\08\2b\06\01\05\05\07\03\02\06\08\2b\06\01\05\05\07\03\04\06\0a\2b\06\01\04\01\827\14\02\020\0d\06\09\2a\86H\86\f7\0d\01\01\0b\05\00\03\82\01\01\00\1bO\89\9d\5e\b0\b7A\ff\21\ec\11\d3\3a1\7d\d4\b7\0e\3b\a3\c9p\d9\a1\bf\df\ad\93z\2f\8b5\a7\ca\ed\9anS\d8\60X\25D\93\aeff\bba\b8\97\12\80ic\7c\f4\3c\e2\d0\91\c3R5\5d\91m\8d\fa\c5T\99Y6\a2\02I\92Yft1i\22\3aUJ\da\a1\24t\f7\fe\2br\eb\f8k\9581A\a6\167\80\b7\0cz\c2\a9\3c\5d\22\13\19\1b\a2t\8eG\89\00t\e4\b7\9c\8d\fb\eb\ff\b3\f2\0d\2a\db\29\f1\fe\b6\f3\11\ef\da\87D\db\ae\c5\e2\25\ed\d6\b0\40L\0e\f5\90\cc\2cHY\87\b3\87\e5\7f\a5\07\5e\a0W\3aeY\26\f9\8aZ\5dX\a5\2e\22\04Ib\98\a4\93JLA\83\0cW\9e\eb\ec\fc\23\5e\3f\8d\d6\01\ba\f0\15\bcq\12\17\abh\26\8a\81\ad\f6\20\2a\c7\92\1c\96\e2\a3\b3\21\b9mf\90\ad\d5\b4\d6\27\a5\3b\bdM\ca\2d\7c\3cm\b2\e4\ed\cc\5ba))
DEBUG:ldap_mapper.c:1051: ldap_get_certificate(): found an entry
DEBUG:ldap_mapper.c:1071: ldap_get_certificate(): entries = 1
DEBUG:ldap_mapper.c:1091: attribute name = userCertificate
DEBUG:ldap_mapper.c:1094: number of user certificates = 0
DEBUG:ldap_mapper.c:1103: number of user names ('uid' values) = 1
DEBUG:ldap_mapper.c:1126: ldap_get_certificate(): end
DEBUG:ldap_mapper.c:1227: Found matching entry for user
DEBUG:pklogin_finder.c:151: Certificate is valid and maps to user pkiuser2
pkiuser2
DEBUG:mapper_mgr.c:214: unloading mapper module list
DEBUG:mapper_mgr.c:137: calling mapper_module_end() ldap
DEBUG:mapper_mgr.c:145: unloading module ldap
DEBUG:pklogin_finder.c:169: releasing pkcs #11 module...
DEBUG:pklogin_finder.c:172: Process completed

Some more additional tests were performed using cn and subject mappings.
1. pam_pkcs11 had the following change
attribute_map = "cn=uid";
[root@dhcp129-45 ~]# pklogin_finder debug
DEBUG:pam_config.c:238: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pkcs11_lib.c:182: Initializing NSS ...
DEBUG:pkcs11_lib.c:192: Initializing NSS ... database=/etc/pki/nssdb
DEBUG:pkcs11_lib.c:210: ... NSS Complete
DEBUG:pklogin_finder.c:71: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:235: Looking up module in list
DEBUG:pkcs11_lib.c:238: modList = 0x15cc660 next = 0x15d8160
DEBUG:pkcs11_lib.c:239: dllName= <null>
DEBUG:pkcs11_lib.c:238: modList = 0x15d8160 next = 0x0
DEBUG:pkcs11_lib.c:239: dllName= libcoolkeypk11.so
DEBUG:pklogin_finder.c:79: initialising pkcs #11 module...
PIN for token:
DEBUG:pkcs11_lib.c:48: PIN = [redhat]
DEBUG:pkcs11_lib.c:759: cert 0: found (kdcuser2:signing key for kdcuser2), "UID=kdcuser2,OU=People,DC=pki-tps1"
DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
DEBUG:mapper_mgr.c:95: Loading dynamic module for mapper 'ldap'
DEBUG:ldap_mapper.c:1172: test ssltls = default
DEBUG:ldap_mapper.c:1174: LDAP mapper started.
DEBUG:ldap_mapper.c:1175: debug = 1
DEBUG:ldap_mapper.c:1176: ignorecase = 0
DEBUG:ldap_mapper.c:1177: ldaphost = yttrium.idmqe.lab.eng.bos.redhat.com
DEBUG:ldap_mapper.c:1178: ldapport = 1603
DEBUG:ldap_mapper.c:1179: ldapURI =
DEBUG:ldap_mapper.c:1180: scope = 2
DEBUG:ldap_mapper.c:1181: binddn = cn=Directory Manager
DEBUG:ldap_mapper.c:1182: passwd = Secret123
DEBUG:ldap_mapper.c:1183: base = ou=People,dc=pki-tps1
DEBUG:ldap_mapper.c:1184: attribute = userCertificate
DEBUG:ldap_mapper.c:1185: uid_attribute = uid
DEBUG:ldap_mapper.c:1187: attribute_map = cn=uid
DEBUG:ldap_mapper.c:1189: filter = (&(objectClass=posixAccount)(uid=%s))
DEBUG:ldap_mapper.c:1190: searchtimeout = 20
DEBUG:ldap_mapper.c:1191: ssl_on = 0
DEBUG:ldap_mapper.c:1193: tls_randfile =
DEBUG:ldap_mapper.c:1194: tls_cacertfile=
DEBUG:ldap_mapper.c:1195: tls_cacertdir =
DEBUG:ldap_mapper.c:1196: tls_checkpeer = -1
DEBUG:ldap_mapper.c:1197: tls_ciphers =
DEBUG:ldap_mapper.c:1198: tls_cert =
DEBUG:ldap_mapper.c:1199: tls_key =
DEBUG:mapper_mgr.c:197: Inserting mapper [ldap] into list
DEBUG:pklogin_finder.c:127: Found '1' certificate(s)
DEBUG:pklogin_finder.c:131: verifing the certificate #1
DEBUG:cert_vfy.c:34: Verifying Cert: kdcuser2:signing key for kdcuser2 (UID=kdcuser2,OU=People,DC=pki-tps1)
DEBUG:pklogin_finder.c:145: Trying to deduce login from certificate
DEBUG:ldap_mapper.c:931: ldap_get_certificate(): begin login unknown
DEBUG:ldap_mapper.c:582: added URI ldap://yttrium.idmqe.lab.eng.bos.redhat.com:1603
DEBUG:ldap_mapper.c:991: ldap_get_certificate(): try do_open for ldap://yttrium.idmqe.lab.eng.bos.redhat.com:1603
DEBUG:ldap_mapper.c:145: do_init():
DEBUG:ldap_mapper.c:415: Set connection timeout to 8
DEBUG:ldap_mapper.c:323: do_bind(): bind DN="cn=Directory Manager" pass="Secret123"
DEBUG:ldap_mapper.c:356: do_bind rc=97
DEBUG:ldap_mapper.c:1023: ldap_get_certificate(): building filter_str from template 'cn=uid'
DEBUG:ldap_mapper.c:791: ldap_build_cert_filter(): building filter 'cn=uid'
DEBUG:ldap_mapper.c:740: ldap_build_cert_filter(): building subfilter 'cn'='uid'
DEBUG:ldap_mapper.c:1039: ldap_get_certificate(): searching with filter_str = (&(&(objectClass=posixAccount)(uid=*))(cn=kdcuser2))
DEBUG:ldap_mapper.c:1051: ldap_get_certificate(): found an entry
DEBUG:ldap_mapper.c:1071: ldap_get_certificate(): entries = 1
DEBUG:ldap_mapper.c:1091: attribute name = userCertificate
DEBUG:ldap_mapper.c:1094: number of user certificates = 0
DEBUG:ldap_mapper.c:1103: number of user names ('uid' values) = 1
DEBUG:ldap_mapper.c:1126: ldap_get_certificate(): end
DEBUG:ldap_mapper.c:1227: Found matching entry for user
DEBUG:pklogin_finder.c:151: Certificate is valid and maps to user kdcuser2
kdcuser2
DEBUG:mapper_mgr.c:214: unloading mapper module list
DEBUG:mapper_mgr.c:137: calling mapper_module_end() ldap
DEBUG:mapper_mgr.c:145: unloading module ldap
DEBUG:pklogin_finder.c:169: releasing pkcs #11 module...
DEBUG:pklogin_finder.c:172: Process completed
2. pam_pkcs11 had the following change
attribute_map = "entrydn=subject";
When the certificate subject matches the ldap entry dn
[root@dhcp129-45 ~]# pklogin_finder debug
DEBUG:pam_config.c:238: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pkcs11_lib.c:182: Initializing NSS ...
DEBUG:pkcs11_lib.c:192: Initializing NSS ... database=/etc/pki/nssdb
DEBUG:pkcs11_lib.c:210: ... NSS Complete
DEBUG:pklogin_finder.c:71: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:235: Looking up module in list
DEBUG:pkcs11_lib.c:238: modList = 0x19b4650 next = 0x19c0180
DEBUG:pkcs11_lib.c:239: dllName= <null>
DEBUG:pkcs11_lib.c:238: modList = 0x19c0180 next = 0x0
DEBUG:pkcs11_lib.c:239: dllName= libcoolkeypk11.so
DEBUG:pklogin_finder.c:79: initialising pkcs #11 module...
PIN for token:
DEBUG:pkcs11_lib.c:48: PIN = [redhat]
DEBUG:pkcs11_lib.c:759: cert 0: found (kdcuser2:signing key for kdcuser2), "UID=kdcuser2,OU=People,DC=pki-tps1"
DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
DEBUG:mapper_mgr.c:95: Loading dynamic module for mapper 'ldap'
DEBUG:ldap_mapper.c:1172: test ssltls = default
DEBUG:ldap_mapper.c:1174: LDAP mapper started.
DEBUG:ldap_mapper.c:1175: debug = 1
DEBUG:ldap_mapper.c:1176: ignorecase = 0
DEBUG:ldap_mapper.c:1177: ldaphost = yttrium.idmqe.lab.eng.bos.redhat.com
DEBUG:ldap_mapper.c:1178: ldapport = 1603
DEBUG:ldap_mapper.c:1179: ldapURI =
DEBUG:ldap_mapper.c:1180: scope = 2
DEBUG:ldap_mapper.c:1181: binddn = cn=Directory Manager
DEBUG:ldap_mapper.c:1182: passwd = Secret123
DEBUG:ldap_mapper.c:1183: base = ou=People,dc=pki-tps1
DEBUG:ldap_mapper.c:1184: attribute = userCertificate
DEBUG:ldap_mapper.c:1185: uid_attribute = uid
DEBUG:ldap_mapper.c:1187: attribute_map = entrydn=subject
DEBUG:ldap_mapper.c:1189: filter = (&(objectClass=posixAccount)(uid=%s))
DEBUG:ldap_mapper.c:1190: searchtimeout = 20
DEBUG:ldap_mapper.c:1191: ssl_on = 0
DEBUG:ldap_mapper.c:1193: tls_randfile =
DEBUG:ldap_mapper.c:1194: tls_cacertfile=
DEBUG:ldap_mapper.c:1195: tls_cacertdir =
DEBUG:ldap_mapper.c:1196: tls_checkpeer = -1
DEBUG:ldap_mapper.c:1197: tls_ciphers =
DEBUG:ldap_mapper.c:1198: tls_cert =
DEBUG:ldap_mapper.c:1199: tls_key =
DEBUG:mapper_mgr.c:197: Inserting mapper [ldap] into list
DEBUG:pklogin_finder.c:127: Found '1' certificate(s)
DEBUG:pklogin_finder.c:131: verifing the certificate #1
DEBUG:cert_vfy.c:34: Verifying Cert: kdcuser2:signing key for kdcuser2 (UID=kdcuser2,OU=People,DC=pki-tps1)
DEBUG:pklogin_finder.c:145: Trying to deduce login from certificate
DEBUG:ldap_mapper.c:931: ldap_get_certificate(): begin login unknown
DEBUG:ldap_mapper.c:582: added URI ldap://yttrium.idmqe.lab.eng.bos.redhat.com:1603
DEBUG:ldap_mapper.c:991: ldap_get_certificate(): try do_open for ldap://yttrium.idmqe.lab.eng.bos.redhat.com:1603
DEBUG:ldap_mapper.c:145: do_init():
DEBUG:ldap_mapper.c:415: Set connection timeout to 8
DEBUG:ldap_mapper.c:323: do_bind(): bind DN="cn=Directory Manager" pass="Secret123"
DEBUG:ldap_mapper.c:356: do_bind rc=97
DEBUG:ldap_mapper.c:1023: ldap_get_certificate(): building filter_str from template 'entrydn=subject'
DEBUG:ldap_mapper.c:791: ldap_build_cert_filter(): building filter 'entrydn=subject'
DEBUG:ldap_mapper.c:740: ldap_build_cert_filter(): building subfilter 'entrydn'='subject'
DEBUG:ldap_mapper.c:1039: ldap_get_certificate(): searching with filter_str = (&(&(objectClass=posixAccount)(uid=*))(entrydn=UID=kdcuser2,OU=People,DC=pki-tps1))
DEBUG:ldap_mapper.c:1051: ldap_get_certificate(): found an entry
DEBUG:ldap_mapper.c:1071: ldap_get_certificate(): entries = 1
DEBUG:ldap_mapper.c:1091: attribute name = userCertificate
DEBUG:ldap_mapper.c:1094: number of user certificates = 0
DEBUG:ldap_mapper.c:1103: number of user names ('uid' values) = 1
DEBUG:ldap_mapper.c:1126: ldap_get_certificate(): end
DEBUG:ldap_mapper.c:1227: Found matching entry for user
DEBUG:pklogin_finder.c:151: Certificate is valid and maps to user kdcuser2
kdcuser2
DEBUG:mapper_mgr.c:214: unloading mapper module list
DEBUG:mapper_mgr.c:137: calling mapper_module_end() ldap
DEBUG:mapper_mgr.c:145: unloading module ldap
DEBUG:pklogin_finder.c:169: releasing pkcs #11 module...
DEBUG:pklogin_finder.c:172: Process completed
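The two runs above show the same mechanism twice: the configured filter has its %s placeholder turned into a wildcard (the login is still unknown when the search starts), one subfilter is built from the attribute_map pair by reading the named field out of the certificate, the two are ANDed into a single server-side search, and the result is accepted when it yields one entry with one uid value. The following is an added example that reconstructs that flow in Python; it is not code from pam_pkcs11 or from this bug report. The function names, the dict of certificate fields, the sample search result, and the single attr=field form of attribute_map are this example's assumptions. Two things are the example's own additions rather than behaviour shown on the page: values copied from the certificate are escaped per RFC 4515 before being placed in the filter, and a search that returns anything other than exactly one entry with exactly one uid is refused rather than mapped.

```python
# Added example, not pam_pkcs11 code. Reconstructs from the pklogin_finder
# debug output how attribute_map produces the server-side 'filter_str' and
# how the result set becomes a login name. Escaping, the refusal of ambiguous
# results and all helper names are this example's own choices (assumptions).

# RFC 4515 section 3: characters that must be escaped in a filter assertion value.
_RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value copied from a certificate before placing it in a filter."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_cert_filter(base_filter: str, attribute_map: str, cert_fields: dict) -> str:
    """Build the filter the debug lines show as 'searching with filter_str'.

    base_filter    the configured 'filter', e.g. "(&(objectClass=posixAccount)(uid=%s))"
    attribute_map  the configured 'attribute_map', e.g. "cn=uid" or "entrydn=subject":
                   LDAP attribute on the left, certificate field on the right
    cert_fields    values read from the certificate, keyed by field name (assumed layout)
    """
    # The search starts with "begin login unknown", so the %s placeholder in the
    # configured filter becomes a wildcard instead of a user name.
    generic = base_filter.replace("%s", "*")

    attr, sep, field = attribute_map.strip().partition("=")
    if not sep or not attr or not field:
        raise ValueError(f"attribute_map must look like attr=field, got {attribute_map!r}")
    if field not in cert_fields:
        raise KeyError(f"certificate has no field {field!r}")

    # AND the generic filter with the per-certificate subfilter, reproducing the
    # nesting seen in the debug output: (&(&(...)(uid=*))(cn=kdcuser2))
    subfilter = f"({attr}={escape_filter_value(cert_fields[field])})"
    return f"(&{generic}{subfilter})"


def login_from_entries(entries: list, uid_attribute: str = "uid"):
    """Map the search result to exactly one login name, or None.

    Mirrors the counts printed in the debug output ("entries = 1",
    "number of user names ('uid' values) = 1"). Refusing anything other than
    one entry with one uid is this example's own check: a filter that happens
    to match several accounts must not log anyone in.
    """
    if len(entries) != 1:
        return None
    uids = entries[0].get(uid_attribute, [])
    if len(uids) != 1:
        return None
    return uids[0]


# Constructed sample data modelled on the entry seen in the debug output.
CERT_FIELDS = {
    "uid": "kdcuser2",
    "cn": "kdcuser2",
    "subject": "UID=kdcuser2,OU=People,DC=pki-tps1",
}
BASE_FILTER = "(&(objectClass=posixAccount)(uid=%s))"
SEARCH_RESULT = [{"uid": ["kdcuser2"], "userCertificate": []}]  # one entry, one uid

if __name__ == "__main__":
    for amap in ("cn=uid", "entrydn=subject"):
        print(amap, "->", build_cert_filter(BASE_FILTER, amap, CERT_FIELDS))
    print("login:", login_from_entries(SEARCH_RESULT))
```

Running the block prints the same two filter strings that appear in the debug output for the cn=uid and entrydn=subject runs, followed by the login kdcuser2. The escaping matters for the entrydn case in particular, because a subject DN is attacker-influenced only to the extent the CA allows, but a directory filter should never depend on that: a field containing `*` or `)` is emitted as `\2a` or `\29` and cannot change the filter's structure.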
Based on comment 6 and comment 7, marking this bug as verified. There is a debugger output issue that has been noticed, for which I am filing a new bug: https://bugzilla.redhat.com/show_bug.cgi?id=1262039

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2015-2415.html