Red Hat Bugzilla – Bug 1202724
[RFE] Add a way to lookup users based on CAC identity certificates
Last modified: 2015-11-19 06:36:41 EST
This bug is created as a clone of upstream ticket: https://fedorahosted.org/sssd/ticket/2596

FreeIPA ticket https://fedorahosted.org/freeipa/ticket/4238 asks for the ability to map CAC identity certificates to users in IdM. When this is implemented, we will need a way to make a lookup using sssd based on the certificate or certificate attribute(s).

One use case is: Apache is configured to do SSL client authentication based on mod_ssl (or mod_nss). When the authentication passes, SSL_* variables are set, including SSL_CLIENT_S_DN, SSL_CLIENT_S_DN_*, or SSL_CLIENT_CERT. If the information about the certificate or the whole PEM-encoded certificate is stored in the IdM database, it should be possible to amend for example mod_lookup_identity to query sssd, and look up the username based on SSL_CLIENT_CERT.

We are looking for something like org.freedesktop.sssd.infopipe.LookupUserUsingCert, but the name of the method (or how exactly this should be exposed) is to be determined.
Related upstream tickets: 827a016a07d5f911cc4195be89896a376fd71f59 a99845006f96f9d1e7af871ec67c71cee8408a62 8d4dedea12e2b71f83a1b0e5f0fc5cdb706dcf98 caacea0dbfdc92613ae992681053b1d2665b80ca 7d8b7d82f0a91ed656320577fc781f24a66db9f8 bf01e8179cbb2be476805340636098deda7e1366 e22e04517b9f9d0c7759dc4768eedfd05908e9b6 070bb515321a7de091b884d9e0ab357b7b5ae578
Upstream ticket: https://fedorahosted.org/sssd/ticket/2742
Additional fix for #2742 is coming up, moving back to ASSIGNED.
* master: 619e21ed9c7a71e35e53f38867b53ed974f1d36a
How can I test this? Would the same test as for bug #1241089 cover this as well? Sounds like that bug specifically asks for an update to mod_lookup_identity to use the fix from this for org.freedesktop.sssd.infopipe.Users.FindByCertificate. If I can't use the verification for that bug to verify this, please list steps to test. Thanks, Scott
Please see 'How to Test' section of https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate for details.
Verified.

Version :: sssd-1.13.0-26.el7.x86_64

Results ::

[root@blade05 ~]# ipa user-add-cert bob20669 --certificate="$(cat bob20669.pem|grep -v -- '----' | tr -d '[\n\r]')"
-------------------------------------
Added certificates to user "bob20669"
-------------------------------------
  User login: bob20669
  Certificate: (certificate data omitted)

[root@blade05 ~]# dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByCertificate string:"$(cat bob20669.pem)"
method return sender=:1.7 -> dest=:1.17 reply_serial=2
   object path "/org/freedesktop/sssd/infopipe/Users/example_2etest/1690400001"

[root@blade05 ~]# dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users/example_2etest/1690400001 org.freedesktop.DBus.Properties.Get string:"org.freedesktop.sssd.infopipe.Users.User" string:"name"
method return sender=:1.7 -> dest=:1.18 reply_serial=2
   variant       string "bob20669"

[root@blade05 ~]# dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users/example_2etest/1690400001 org.freedesktop.DBus.Properties.GetAll string:"org.freedesktop.sssd.infopipe.Users.User"
method return sender=:1.7 -> dest=:1.29 reply_serial=2
   array [
      dict entry(
         string "name"
         variant             string "bob20669"
      )
      dict entry(
         string "uidNumber"
         variant             uint32 1690400001
      )
      dict entry(
         string "gidNumber"
         variant             uint32 1690400001
      )
      dict entry(
         string "gecos"
         variant             string "Robert Chase"
      )
      dict entry(
         string "homeDirectory"
         variant             string "/home/bob20669"
      )
      dict entry(
         string "loginShell"
         variant             string "/bin/sh"
      )
      dict entry(
         string "groups"
         variant             array [
               object path "/org/freedesktop/sssd/infopipe/Groups/example_2etest/1690400001"
               object path "/org/freedesktop/sssd/infopipe/Groups/example_2etest/1690400006"
            ]
      )
      dict entry(
         string "extraAttributes"
         variant             array [
            ]
      )
   ]

[root@blade05 ~]# getent group 1690400006
webgroup1:*:1690400006:bob20669
[root@blade05 ~]# getent group 1690400001
bob20669:*:1690400001:
[root@blade05 ~]# getent passwd 1690400001
bob20669:*:1690400001:1690400001:Robert Chase:/home/bob20669:/bin/sh
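Tying the description's use case to the verification transcript above, here is an added example (not sssd's, FreeIPA's or mod_lookup_identity's code): a Python helper that takes the PEM Apache exposes as SSL_CLIENT_CERT, normalises it the way the ipa user-add-cert pipeline above does, and resolves the user name through the same FindByCertificate and Properties.Get calls that were issued with dbus-send. The dbus-send wrapper, the folded-PEM handling and the injectable `send` parameter are assumptions of this example, not part of the sssd interface.

```python
"""Map an Apache SSL_CLIENT_CERT value to a user name via the sssd InfoPipe."""
import re
import subprocess

IFP = "org.freedesktop.sssd.infopipe"                  # D-Bus destination shown above
USERS_PATH = "/org/freedesktop/sssd/infopipe/Users"    # object path of FindByCertificate
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_body(pem):
    """Return the base64 DER between the PEM markers with all whitespace removed,
    i.e. the form the `ipa user-add-cert --certificate=` pipeline above produces.
    Also accepts a PEM whose newlines were folded into spaces, which happens when
    SSL_CLIENT_CERT is forwarded in an HTTP header (assumed input variant)."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM certificate found")
    body = re.sub(r"\s+", "", m.group(1))
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body) or len(body) % 4:
        raise ValueError("certificate body is not valid base64")
    return body


def canonical_pem(pem):
    """Rebuild a well-formed PEM (64-column lines) to hand to FindByCertificate."""
    body = pem_body(pem)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def dbus_send(path, method, *args):
    """Run dbus-send against the sssd InfoPipe (as in the transcript) and return stdout."""
    cmd = ["dbus-send", "--system", "--print-reply", "--dest=" + IFP, path, method, *args]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def lookup_user_by_cert(pem, send=dbus_send):
    """Resolve the sssd user owning `pem`; None if no user is found.
    `send` is injectable so the flow can be exercised without a running sssd.
    A D-Bus error (non-zero dbus-send exit) is treated as "no match"."""
    try:
        reply = send(USERS_PATH, IFP + ".Users.FindByCertificate", "string:" + canonical_pem(pem))
        m = re.search(r'object path "([^"]+)"', reply)   # user object path from the reply
        if not m:
            return None
        reply = send(m.group(1), "org.freedesktop.DBus.Properties.Get",
                     "string:" + IFP + ".Users.User", "string:name")
    except subprocess.CalledProcessError:
        return None
    m = re.search(r'variant\s+string "([^"]+)"', reply)   # e.g. variant string "bob20669"
    return m.group(1) if m else None
```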
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-2355.html