Bug 1267021 - pklogin_finder fails when using ldap mapper communicating to tls enabled ldap instance
pklogin_finder fails when using ldap mapper communicating to tls enabled ldap...
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pam_pkcs11 (Show other bugs)
7.2
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Bob Relyea
Asha Akkiangady
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-09-28 16:39 EDT by Roshni
Modified: 2016-01-12 14:41 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-01-12 14:41:13 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Roshni 2015-09-28 16:39:29 EDT
Description of problem:
pklogin_finder fails when using ldap mapper communicating to tls enabled ldap instance

Version-Release number of selected component (if applicable):
pam_pkcs11-0.6.2-24.el7

How reproducible:
always

Steps to Reproduce:
1. Configure a tls enabled ldap instance having the user to be enrolled to the smartcard
2. Configure pam_pkcs11.conf as follows

[root@dhcp129-45 ~]# cat /etc/pam_pkcs11/pam_pkcs11.conf
#
# Configuration file for pam_pkcs11 module
#
# Version 0.4
# Author: Juan Antonio Martinez <jonsito@teleline.es>
#
pam_pkcs11  {
    # Allow empty passwords
    nullok = true;

    # Enable debugging support.
    debug = false;

    # If the smart card is inserted, only use it
    card_only = true;

    # Do not prompt the user for the passwords but take them from the
    # PAM_ items instead.
    use_first_pass = false;

    # Do not prompt the user for the passwords unless PAM_(OLD)AUTHTOK
    # is unset.
    try_first_pass = false;

    # Like try_first_pass, but fail if the new PAM_AUTHTOK has not been
    # previously set (intended for stacking password modules only).
    use_authtok = false;

    # Filename of the PKCS #11 module. The default value is "default"
    use_pkcs11_module = coolkey;

    screen_savers = "gnome-screensaver", xscreensaver, kscreensaver;

    pkcs11_module coolkey {
        module = libcoolkeypk11.so;
        description = "Cool Key";
        # Slot-number to use. One for the first, two for the second and so
        # on. The default value is zero which means to use the first slot
        # with an available token.
        slot_num = 0;

        # Path to the directory where the CA certificates are stored. The
        # directory must contain an openssl hash-link to each certificate.
        # The default value is /etc/pam_pkcs11/cacerts.
        ca_dir = "/etc/pam_pkcs11/cacerts";
        nss_dir = /etc/pki/nssdb;

        # Path to the directory where the CRLs are stored. The directory
        # must contain an openssl hash-link to each CRL. The default value
        # is /etc/pam_pkcs11/crls.
        crl_dir = "/etc/pam_pkcs11/crls";

        # Sets the Certificate verification policy.
        # "none"        Performs no verification
        # "ca"          Does CA check
        # "crl_online"  Downloads the CRL form the location given by the
        #               CRL distribution point extension of the certificate
        # "crl_offline" Uses the locally stored CRLs
        # "crl_auto"    Is a combination of online and offline; it first
        #               tries to download the CRL from a possibly given CRL
        #               distribution point and if this fails, uses the local
        #               CRLs
        # "ocsp_on"     Turn on OCSP.
        # "signature"   Does also a signature check to ensure that private
        #               and public key matches
        # You can use a combination of ca,crl, and signature flags, or just
        # use "none".
        cert_policy = ca, signature;
    }

    pkcs11_module opensc {
        module = "opensc-pkcs11.so";
        description = "OpenSC PKCS#11 module";
        # Slot-number to use. One for the first, two for the second and so
        # on. The default value is zero which means to use the first slot
        # with an available token.
        slot_num = 0;

        # Path to the directory where the CA certificates are stored. The
        # directory must contain an openssl hash-link to each certificate.
        # The default value is /etc/pam_pkcs11/cacerts.
        ca_dir = "/etc/pam_pkcs11/cacerts";

        # Path to the directory where the CRLs are stored. The directory
        # must contain an openssl hash-link to each CRL. The default value
        # is /etc/pam_pkcs11/crls.
        crl_dir = "/etc/pam_pkcs11/crls";

        # Sets the Certificate Policy, (see above)
        cert_policy = ca, signature;
    }

    # Default pkcs11 module
    pkcs11_module default {
        module = "/usr/$LIB/pam_pkcs11/pkcs11_module.so";
        description = "Default pkcs#11 module";
        slot_num = 0;
        ca_dir = "/etc/pam_pkcs11/cacerts";
        crl_dir = "/etc/pam_pkcs11/crls";
        cert_policy = ca, signature;
    }

    # Which mappers ( Cert to login ) to use?
    # you can use several mappers:
    #
    # subject - Cert Subject to login file based mapper
    # pwent   - CN to getpwent() login or gecos fields mapper
    # ldap    - LDAP mapper
    # opensc  - Search certificate in ${HOME}/.eid/authorized_certificates
    # openssh - Search certificate public key in ${HOME}/.ssh/authorized_keys
    # mail    - Compare email fields from certificate
    # ms      - Use Microsoft Universal Principal Name extension
    # krb     - Compare againts Kerberos Principal Name
    # cn      - Compare Common Name (CN)
    # uid     - Compare Unique Identifier
    # digest  - Certificate digest to login (mapfile based) mapper
    # generic - User defined certificate contents mapped
    # null    - blind access/deny mapper
    #
    # You can select a comma-separated mapper list.
    # If used null mapper should be the last in the list
    # Also you should select at least one mapper, otherwise
    # certificate will not match
    use_mappers = ldap;

    # When no absolute path or module info is provided, use this
    # value as module search path
    # TODO:
    # This is not still functional: use absolute pathnames or LD_LIBRARY_PATH
    mapper_search_path = "/usr/$LIB/pam_pkcs11";

    #
    # Generic certificate contents mapper
    mapper generic {
        debug = true;
        module = "/usr/$LIB/pam_pkcs11/generic_mapper.so";
        # ignore letter case on match/compare
        ignorecase = false;
        # Use one of "cn" , "subject" , "kpn" , "email" , "upn" or "uid"
        cert_item = cn;
        # Define mapfile if needed, else select "none"
        mapfile = "file:///etc/pam_pkcs11/generic_mapping";
        # Decide if use getpwent() to map login
        use_getpwent = false;
    }

    # Certificate Subject to login based mapper
    # provided file stores one or more "Subject -> login" lines
    mapper subject {
        debug = false;
        # module = /usr/$LIB/pam_pkcs11/subject_mapper.so;
        module = internal;
        ignorecase = false;
        mapfile = "file:///etc/pam_pkcs11/subject_mapping";
    }

    # Search public keys from $HOME/.ssh/authorized_keys to match users
    mapper openssh {
        debug = false;
        module = "/usr/$LIB/pam_pkcs11/openssh_mapper.so";
    }

    # Search certificates from $HOME/.eid/authorized_certificates to match users
    mapper opensc {
        debug = false;
        module = "/usr/$LIB/pam_pkcs11/opensc_mapper.so";
    }

    # Certificate Common Name ( CN ) to getpwent() mapper
    mapper pwent {
        debug = false;
        ignorecase = false;
        module = internal;
        # module = /usr/$LIB/pam_pkcs11/pwent_mapper.so;
    }

    # Null ( no map ) mapper. when user as finder matchs to NULL or "nobody"
    mapper null {
        debug = false;
        # module = /usr/$LIB/pam_pkcs11/null_mapper.so;
        module = internal;
        # select behavior: always match, or always fail
        default_match = false;
        # on match, select returned user
        default_user = nobody;
    }

    # Directory ( ldap style ) mapper
    mapper ldap {
        debug = true;
        module = "/usr/$LIB/pam_pkcs11/ldap_mapper.so";
        # where base directory resides
        basedir = "/etc/pam_pkcs11/mapdir";
        # hostname of ldap server
        ldaphost = ibm-x3650m4-02-vm-04.lab.eng.bos.redhat.com;
        # Port on ldap server to connect
        ldapport = <ldaps-port>;
        # Scope of search: 0 = x, 1 = y, 2 = z
        scope = 2;
        # DN to bind with. Must have read-access for user entries under "base"
        binddn = "cn=Directory Manager";
        # Password for above DN
        passwd = Secret123;
        # Searchbase for user entries
        base = "ou=People,dc=pki-tps";
        # Attribute of user entry which contains the certificate
        attribute = userCertificate;
        # Searchfilter for user entry. Must only let pass user entry for the login user.
        uid_attribute = "uid";
        attribute_map = "uid=uid&mail=email", "redhatPrincipalName=upn", "userCertificate;binary=cert";
        filter = "(&(objectClass=posixAccount)(uid=%s))";
    }

    # Assume common name (CN) to be the login
    mapper cn {
        debug = false;
        module = internal;
        # module = /usr/$LIB/pam_pkcs11/cn_mapper.so;
        ignorecase = true;
        mapfile = "file:///etc/pam_pkcs11/cn_map";
    }

    # mail -  Compare email field from certificate
    mapper mail {
        debug = false;
        module = internal;
        # module = /usr/$LIB/pam_pkcs11/mail_mapper.so;
        # Declare mapfile or
        # leave empty "" or "none" to use no map
        mapfile = "file:///etc/pam_pkcs11/mail_mapping";
        # Some certs store email in uppercase. take care on this
        ignorecase = true;
        # Also check that host matches mx domain
        # when using mapfile this feature is ignored
        ignoredomain = false;
    }

    # ms - Use Microsoft Universal Principal Name extension
    # UPN is in format login@ADS_Domain. No map is needed, just
    # check domain name.
    mapper ms {
        debug = false;
        module = internal;
        # module = /usr/$LIB/pam_pkcs11/ms_mapper.so;
        ignorecase = false;
        ignoredomain = false;
        domain = domain.com;
    }

    # krb  - Compare againts Kerberos Principal Name
    mapper krb {
        debug = false;
        module = internal;
        # module = /usr/$LIB/pam_pkcs11/krb_mapper.so;
        ignorecase = false;
        mapfile = none;
    }

    # uid  - Maps Subject Unique Identifier field (if exist) to login
    mapper uid {
        debug = false;
        module = internal;
        # module = /usr/$LIB/pam_pkcs11/uid_mapper.so;
        ignorecase = false;
        mapfile = none;
    }

    # digest - elaborate certificate digest and map it into a file
    mapper digest {
        debug = false;
        module = internal;
        # module = /usr/$LIB/pam_pkcs11/digest_mapper.so;
        # algorithm used to evaluate certificate digest
        # Select one of:
        # "null","md2","md4","md5","sha","sha1","dss","dss1","ripemd160"
        algorithm = sha1;
        mapfile = "file:///etc/pam_pkcs11/digest_mapping";
        # mapfile = "none";
    }

} 

3. /etc/openldap/ldap.conf is configured as follows

[root@dhcp129-45 ~]# cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE    dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT    12
#TIMELIMIT    15
#DEREF        never

TLS_CACERTDIR /etc/openldap/certs
TLS_CACERT /etc/openldap/certs/ca_cert.pem

# Turning this off breaks GSSAPI used with krb5 when rdns = false
#SASL_NOCANON    on
URI ldaps://ibm-x3650m4-02-vm-04.lab.eng.bos.redhat.com:<ldaps-port>
BASE dc=pki-tps

The CA cert has been trusted in the location specified and also under /etc/pki/nssdb 

Actual results:
[root@dhcp129-45 ~]# pklogin_finder debug
DEBUG:pam_config.c:238: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pkcs11_lib.c:182: Initializing NSS ...
DEBUG:pkcs11_lib.c:192: Initializing NSS ... database=/etc/pki/nssdb
DEBUG:pkcs11_lib.c:210: ...  NSS Complete
DEBUG:pklogin_finder.c:71: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:235: Looking up module in list
DEBUG:pkcs11_lib.c:238: modList = 0x1baa6f0 next = 0x1bb6220

DEBUG:pkcs11_lib.c:239: dllName= <null>

DEBUG:pkcs11_lib.c:238: modList = 0x1bb6220 next = 0x0

DEBUG:pkcs11_lib.c:239: dllName= libcoolkeypk11.so

DEBUG:pklogin_finder.c:79: initialising pkcs #11 module...
PIN for token:
DEBUG:pkcs11_lib.c:48: PIN = [redhat123]
DEBUG:pkcs11_lib.c:759: cert 0: found (pkiuser123:signing key for pkiuser123), "UID=pkiuser123,O=Token Key User"
DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
DEBUG:mapper_mgr.c:95: Loading dynamic module for mapper 'ldap'
DEBUG:ldap_mapper.c:1172: test ssltls = default
DEBUG:ldap_mapper.c:1174: LDAP mapper started.
DEBUG:ldap_mapper.c:1175: debug         = 1
DEBUG:ldap_mapper.c:1176: ignorecase    = 0
DEBUG:ldap_mapper.c:1177: ldaphost      = ibm-x3650m4-02-vm-04.lab.eng.bos.redhat.com
DEBUG:ldap_mapper.c:1178: ldapport      = 1607
DEBUG:ldap_mapper.c:1179: ldapURI       =
DEBUG:ldap_mapper.c:1180: scope         = 2
DEBUG:ldap_mapper.c:1181: binddn        = cn=Directory Manager
DEBUG:ldap_mapper.c:1182: passwd        = Secret123
DEBUG:ldap_mapper.c:1183: base          = ou=People,dc=pki-tps
DEBUG:ldap_mapper.c:1184: attribute     = userCertificate
DEBUG:ldap_mapper.c:1185: uid_attribute = uid
DEBUG:ldap_mapper.c:1187: attribute_map = uid=uid&mail=email
DEBUG:ldap_mapper.c:1187: attribute_map = redhatPrincipalName=upn
DEBUG:ldap_mapper.c:1187: attribute_map = userCertificate;binary=cert
DEBUG:ldap_mapper.c:1189: filter        = (&(objectClass=posixAccount)(uid=%s))
DEBUG:ldap_mapper.c:1190: searchtimeout = 20
DEBUG:ldap_mapper.c:1191: ssl_on        = 0
DEBUG:ldap_mapper.c:1193: tls_randfile  =
DEBUG:ldap_mapper.c:1194: tls_cacertfile=
DEBUG:ldap_mapper.c:1195: tls_cacertdir =
DEBUG:ldap_mapper.c:1196: tls_checkpeer = -1
DEBUG:ldap_mapper.c:1197: tls_ciphers   =
DEBUG:ldap_mapper.c:1198: tls_cert      =
DEBUG:ldap_mapper.c:1199: tls_key       =
DEBUG:mapper_mgr.c:197: Inserting mapper [ldap] into list
DEBUG:pklogin_finder.c:127: Found '1' certificate(s)
DEBUG:pklogin_finder.c:131: verifing the certificate #1
DEBUG:cert_vfy.c:34: Verifying Cert: pkiuser123:signing key for pkiuser123 (UID=pkiuser123,O=Token Key User)
DEBUG:pklogin_finder.c:145: Trying to deduce login from certificate
DEBUG:ldap_mapper.c:931: ldap_get_certificate(): begin login unknown
DEBUG:ldap_mapper.c:582: added URI ldap://ibm-x3650m4-02-vm-04.lab.eng.bos.redhat.com:1607
DEBUG:ldap_mapper.c:991: ldap_get_certificate(): try do_open for ldap://ibm-x3650m4-02-vm-04.lab.eng.bos.redhat.com:1607
DEBUG:ldap_mapper.c:145: do_init():
DEBUG:ldap_mapper.c:415: Set connection timeout to 8
DEBUG:ldap_mapper.c:323: do_bind(): bind DN="cn=Directory Manager" pass="Secret123"
DEBUG:ldap_mapper.c:364: do_bind rc=0
DEBUG:ldap_mapper.c:369: do_bind return -1
DEBUG:ldap_mapper.c:543: do_open(): failed to bind to LDAP server ldap://ibm-x3650m4-02-vm-04.lab.eng.bos.redhat.com:1607: Can't contact LDAP server
DEBUG:ldap_mapper.c:1005: ldap_get_certificate(): do_open failed
DEBUG:ldap_mapper.c:1221: ldap_get_certificate() failed
DEBUG:pklogin_finder.c:148: find_user() failed:
DEBUG:mapper_mgr.c:214: unloading mapper module list
DEBUG:mapper_mgr.c:137: calling mapper_module_end() ldap
DEBUG:mapper_mgr.c:145: unloading module ldap
DEBUG:pklogin_finder.c:169: releasing pkcs #11 module...
DEBUG:pklogin_finder.c:172: Process completed


Expected results:
pklogin_finder should be successful

Additional info:
Comment 4 Roshni 2016-01-12 14:41:13 EST
Based on /usr/share/doc/pam_pkcs11/pam_pkcs11.conf.example when pam_pkcs11.conf was configured with ssl=tls and non-secure port was used (similar changes were made to the port in ldap.conf), pklogin returned results as expected.

Note You need to log in before you can comment on or make changes to this bug.