Bug 1202724 - [RFE] Add a way to lookup users based on CAC identity certificates
Summary: [RFE] Add a way to lookup users based on CAC identity certificates
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.0
Hardware: Unspecified
OS: Unspecified
medium
unspecified
Target Milestone: rc
: ---
Assignee: SSSD Maintainers
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks: 1127787 1169972 1181710 1241089 1270029
TreeView+ depends on / blocked
 
Reported: 2015-03-17 10:16 UTC by Jakub Hrozek
Modified: 2015-11-19 11:36 UTC (History)
12 users (show)

Fixed In Version: sssd-1.13.0-20.el7
Doc Type: Enhancement
Doc Text:
Clone Of:
: 1270029 (view as bug list)
Environment:
Last Closed: 2015-11-19 11:36:41 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:2355 normal SHIPPED_LIVE Low: sssd security, bug fix, and enhancement update 2015-11-19 10:27:42 UTC

Description Jakub Hrozek 2015-03-17 10:16:04 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2596

FreeIPA ticket https://fedorahosted.org/freeipa/ticket/4238 asks for ability to map CAC identity certificates to users in IdM. When this is implemented, we will need a way to make a lookup using sssd based on the certificate or certificate attribute(s).

One use case is: Apache is configured to do SSL client authentication based on mod_ssl (or mod_nss). When the authentication passes, SSL_* variables are set, including SSL_CLIENT_S_DN, SSL_CLIENT_S_DN_*, or SSL_CLIENT_CERT. If the information about the certificate or the whole PEM-encoded certificate is stored in IdM database, it should be possible to amend for example mod_lookup_identity to query sssd, and lookup the username based on SSL_CLIENT_CERT. We are looking for something like org.freedesktop.sssd.infopipe.!LookupUserUsingCert but the name of the method (or how exactly this should be exposed) is to be determined.

Comment 1 Jakub Hrozek 2015-06-26 07:55:08 UTC
Related upstream tickets:
    827a016a07d5f911cc4195be89896a376fd71f59
    a99845006f96f9d1e7af871ec67c71cee8408a62
    8d4dedea12e2b71f83a1b0e5f0fc5cdb706dcf98
    caacea0dbfdc92613ae992681053b1d2665b80ca
    7d8b7d82f0a91ed656320577fc781f24a66db9f8
    bf01e8179cbb2be476805340636098deda7e1366
    e22e04517b9f9d0c7759dc4768eedfd05908e9b6
    070bb515321a7de091b884d9e0ab357b7b5ae578

Comment 5 Jakub Hrozek 2015-08-13 15:33:19 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2742

Comment 6 Jakub Hrozek 2015-08-14 08:14:40 UTC
Additional fix for #2742 is coming up, moving back to ASSIGNED.

Comment 7 Jakub Hrozek 2015-08-14 21:38:48 UTC
* master: 619e21ed9c7a71e35e53f38867b53ed974f1d36a

Comment 9 Scott Poore 2015-09-21 19:45:50 UTC
How can I test this?  

Would the same test as for bug #1241089 cover this as well?  Sounds like that bug specifically asks for an update to mod_lookup_identity to use the fix from this for org.freedesktop.sssd.infopipe.Users.FindByCertificate.

If I can't use the verification for that bug to verify this, please list steps to test.

Thanks,
Scott

Comment 10 Sumit Bose 2015-09-21 20:59:48 UTC
Please see 'How to Test' section of https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate for details.

Comment 11 Scott Poore 2015-09-22 01:26:15 UTC
Verified.

Version ::

sssd-1.13.0-26.el7.x86_64

Results ::

[root@blade05 ~]# ipa user-add-cert bob20669 --certificate="$(cat bob20669.pem|grep -v -- '----' | tr -d '[\n\r]')"
-------------------------------------
Added certificates to user "bob20669"
-------------------------------------
  User login: bob20669
  Certificate: MIIECjCCAvKgAwIBAgIBDDANBgkqhkiG9w0BAQsFADA3MRUwEwYDVQQKDAxFWEFNUExFLlRFU1QxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNTA5MjEyMTE4MDRaFw0xNzA5MjEyMTE4MDRaMCoxFTATBgNVBAoMDEVYQU1QTEUuVEVTVDERMA8GA1UEAwwIYm9iMjA2NjkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDEsRZW2sEvczwkF5LJ5f/3QyQFzxMYz2shUCDvzYXvSRQdosSAIcpI65tTzxvhBKn8+zslL2+IULb4ZvhycrhIoAjOKammZLiYYIpyjgkatmNu9V9UKwWsKxAgg75338ZnVGq9RrjwOtVwHhZ7oGvk0O3+k09iTsmXP8cP2QQQEh1XaNxhqB+WO2XbLLV9lefFJlZl3DQdERPQ6/M8aBKwnMuoJwFE+zFKaAda70wjmUiCCeJCIm0gpyEr71PX4eTP/b2nkANJT4LWNd8eeSuY0PL4o6FerEjoLmSLEL0/MNDY5mj1qNcqKVRC/q9mEIOvRQtFZSKexHLVjzoLa/J3AgMBAAGjggEsMIIBKDAfBgNVHSMEGDAWgBQpLLhxktYerqlf4Sv2wTEeOoy+fzA+BggrBgEFBQcBAQQyMDAwLgYIKwYBBQUHMAGGImh0dHA6Ly9pcGEtY2EuZXhhbXBsZS50ZXN0L2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB3BgNVHR8EcDBuMGygNKAyhjBodHRwOi8vaXBhLWNhLmV4YW1wbGUudGVzdC9pcGEvY3JsL01hc3RlckNSTC5iaW6iNKQyMDAxDjAMBgNVBAoMBWlwYWNhMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHQYDVR0OBBYEFDSTSIzglpbODRtGBUW6w520IimgMA0GCSqGSIb3DQEBCwUAA4IBAQBn21OvjmAFw0RDX6y8oo80FuTgCJ2hKkKt2QAhpFtirM2kNSJG7+E//Dwbs4Tyg5CSBOPXsdFi2NkRTA4/pXVmNx2Q2uu8ypcC9ZzuykVIy38RY6SETr5yPmkBM0NL5TeNVNdy9+06FmL/0QDVisfW5sNncxzfIO0LOQJp6gyMAXc2bGeeLlk2SR8aKPtyz5kNFKYUWaA4F2ZeAPsb0zU9JIu237FCgxU7L3c9fp0ZXPE1NPWZD3h7hCdZAvQ03SdTzMJlUJiARTbfeUr152i+3JJL7Yoop2/VoQb/FkA22oBFtfZW/GSZTN9p+e4HXH390oS+LphonPf1u/1EQsGN

[root@blade05 ~]# dbus-send --system --print-reply  --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByCertificate string:"$(cat bob20669.pem)"
method return sender=:1.7 -> dest=:1.17 reply_serial=2
   object path "/org/freedesktop/sssd/infopipe/Users/example_2etest/1690400001"


[root@blade05 ~]# dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users/example_2etest/1690400001 org.freedesktop.DBus.Properties.Get string:"org.freedesktop.sssd.infopipe.Users.User" string:"name"
method return sender=:1.7 -> dest=:1.18 reply_serial=2
   variant       string "bob20669"


[root@blade05 ~]# dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users/example_2etest/1690400001 org.freedesktop.DBus.Properties.GetAll string:"org.freedesktop.sssd.infopipe.Users.User"
method return sender=:1.7 -> dest=:1.29 reply_serial=2
   array [
      dict entry(
         string "name"
         variant             string "bob20669"
      )
      dict entry(
         string "uidNumber"
         variant             uint32 1690400001
      )
      dict entry(
         string "gidNumber"
         variant             uint32 1690400001
      )
      dict entry(
         string "gecos"
         variant             string "Robert Chase"
      )
      dict entry(
         string "homeDirectory"
         variant             string "/home/bob20669"
      )
      dict entry(
         string "loginShell"
         variant             string "/bin/sh"
      )
      dict entry(
         string "groups"
         variant             array [
               object path "/org/freedesktop/sssd/infopipe/Groups/example_2etest/1690400001"
               object path "/org/freedesktop/sssd/infopipe/Groups/example_2etest/1690400006"
            ]
      )
      dict entry(
         string "extraAttributes"
         variant             array [
            ]
      )
   ]


[root@blade05 ~]# getent group  1690400006
webgroup1:*:1690400006:bob20669

[root@blade05 ~]# getent group  1690400001
bob20669:*:1690400001:

[root@blade05 ~]# getent passwd 1690400001
bob20669:*:1690400001:1690400001:Robert Chase:/home/bob20669:/bin/sh

Comment 12 errata-xmlrpc 2015-11-19 11:36:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2355.html


Note You need to log in before you can comment on or make changes to this bug.