Bug 1270029 - [RFE] Add a way to lookup users based on CAC identity certificates
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.8
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: SSSD Maintainers
QA Contact: Namita Soman
Docs Contact: Aneta Šteflová Petrová
Keywords: FutureFeature
Depends On: 1202724 1296693
Blocks: 1272422

Reported: 2015-10-08 16:27 EDT by Jakub Hrozek
Modified: 2016-05-10 16:21 EDT
CC: 18 users

See Also:
Fixed In Version: sssd-1.13.2-1.el6
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: 1202724
Environment:
Last Closed: 2016-05-10 16:21:21 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Comment 2 Roshni 2016-01-18 09:29:42 EST
[root@dhcp123-129 ~]# rpm -qi sssd
Name        : sssd                         Relocations: (not relocatable)
Version     : 1.13.3                            Vendor: Red Hat, Inc.
Release     : 3.el6                         Build Date: Tue 12 Jan 2016 06:40:12 AM EST
Install Date: Thu 14 Jan 2016 12:19:38 PM EST      Build Host: x86-028.build.eng.bos.redhat.com
Group       : Applications/System           Source RPM: sssd-1.13.3-3.el6.src.rpm
Size        : 35147                            License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon

[root@dhcp123-129 ~]# rpm -qi ipa-client
Name        : ipa-client                   Relocations: (not relocatable)
Version     : 3.0.0                             Vendor: Red Hat, Inc.
Release     : 50.el6                        Build Date: Thu 07 Jan 2016 03:55:55 AM EST
Install Date: Thu 14 Jan 2016 12:20:27 PM EST      Build Host: x86-032.build.eng.bos.redhat.com
Group       : System Environment/Base       Source RPM: ipa-3.0.0-50.el6.src.rpm
Size        : 318993                           License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : IPA authentication for use on clients

[root@dhcp123-129 ~]# rpm -qi sssd-dbus
Name        : sssd-dbus                    Relocations: (not relocatable)
Version     : 1.13.3                            Vendor: Red Hat, Inc.
Release     : 3.el6                         Build Date: Tue 12 Jan 2016 06:40:12 AM EST
Install Date: Thu 14 Jan 2016 12:48:23 PM EST      Build Host: x86-028.build.eng.bos.redhat.com
Group       : Applications/System           Source RPM: sssd-1.13.3-3.el6.src.rpm
Size        : 195930                           License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://fedorahosted.org/sssd/
Summary     : The D-Bus responder of the SSSD

Verification steps:

1. yum install sssd-dbus
2. Set up an ipa server with realm name mil (for CAC cards) and realm testrelm.test (for non-CAC cards)
3. Make the required configuration changes for ipa client installation.
4. ipa-client-install --mkhomedir
5. Modify /etc/sssd/sssd.conf as follows:
[sssd]
services = nss, sudo, pam, ssh, ifp

[pam]
pam_cert_auth = True

service sssd restart

6. Import and trust the issuing CA of the CAC card to be tested under /etc/pki/nssdb
7. Add an ipa user and add the signing cert on the card to the ipa user using the following commands

ipa user-add <CAC card user name>

ipa user-add-cert <CAC card user name> --certificate=<signing cert on CAC card>

The following are the user lookup commands:

8. [root@dhcp129-123 ~]# dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByCertificate string:"$(cat /tmp/lastca_sign.pem)"

An output similar to the following should be obtained:

method return sender=:1.112 -> dest=:1.181 reply_serial=2
   object path "/org/freedesktop/sssd/infopipe/Users/mil/1052300003"

9. [root@dhcp129-123 ~]# dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users/mil/1052300003 org.freedesktop.DBus.Properties.Get string:"org.freedesktop.sssd.infopipe.Users.User" string:"name"
method return sender=:1.112 -> dest=:1.183 reply_serial=2
   variant       string "last.day.2001428082"

10. [root@dhcp129-123 ~]# dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users/mil/1052300003 org.freedesktop.DBus.Properties.GetAll string:"org.freedesktop.sssd.infopipe.Users.User"
method return sender=:1.112 -> dest=:1.184 reply_serial=2
   array [
      dict entry(
         string "name"
         variant             string "last.day.2001428082"
      )
      dict entry(
         string "uidNumber"
         variant             uint32 1052300003
      )
      dict entry(
         string "gidNumber"
         variant             uint32 1052300003
      )
      dict entry(
         string "gecos"
         variant             string "last.day 2001428082"
      )
      dict entry(
         string "homeDirectory"
         variant             string "/home/last.day.2001428082"
      )
      dict entry(
         string "loginShell"
         variant             string "/bin/sh"
      )
      dict entry(
         string "groups"
         variant             array [
               object path "/org/freedesktop/sssd/infopipe/Groups/mil/1052300003"
            ]
      )
      dict entry(
         string "extraAttributes"
         variant             array [
            ]
      )
   ]

Tested the same using non-CAC cards (Gemalto 64k smart card, gemalto 64K usb card, SC650 SCP01 and SCP02, SC330J in the non-IPA CA environment; Athena smartcard in the IPA CA environment).
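The lookup chain from steps 8 and 9 above, wrapped as a script. This is an added example, not code from the bug report or from the SSSD project: the D-Bus destination, object path and interface names are the ones shown in the verification output, while the helper names (`pem_to_b64`, `parse_object_path`, `lookup_user_by_cert`), the sample replies (copied from the output above) and the assumption that `ipa user-add-cert --certificate=` takes the certificate as single-line base64 DER are mine. The live functions need `sssd-dbus` installed, `ifp` in the `services` list of `/etc/sssd/sssd.conf`, and root; the parsers run offline on the reply text.

```shell
#!/bin/bash
# Added example (not from the bug report or SSSD): look a user up from a
# smart-card certificate through the SSSD InfoPipe, as in steps 8-9 above.
# Live lookups need sssd-dbus installed, "ifp" in the [sssd] services list
# and root; the parse_* helpers run offline on the reply text.

IFP_DEST=org.freedesktop.sssd.infopipe
IFP_USERS=/org/freedesktop/sssd/infopipe/Users
IFP_USER_IFACE=org.freedesktop.sssd.infopipe.Users.User

# Reduce a PEM file to the single-line base64 DER that
# `ipa user-add-cert --certificate=` takes (assumption: check
# `ipa help user-add-cert` on your server version). Only the first
# certificate block is used; "Bag Attributes" lines and CRLF endings
# are tolerated.
pem_to_b64() {
    sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$1" \
        | grep -v '^-----' | tr -d '\n\r'
}

# Object path from a dbus-send reply to FindByCertificate; prints nothing
# when the reply is an error (no user holds the certificate).
parse_object_path() {
    sed -n 's/^[[:space:]]*object path "\([^"]*\)".*/\1/p'
}

# String value from a dbus-send reply to Properties.Get.
parse_variant_string() {
    sed -n 's/^[[:space:]]*variant[[:space:]]*string "\([^"]*\)".*/\1/p'
}

# Live: PEM file -> user object path.
ifp_find_user_path() {
    dbus-send --system --print-reply --dest="$IFP_DEST" "$IFP_USERS" \
        "$IFP_DEST.Users.FindByCertificate" string:"$(cat "$1")" \
        | parse_object_path
}

# Live: user object path -> POSIX user name.
ifp_user_name() {
    dbus-send --system --print-reply --dest="$IFP_DEST" "$1" \
        org.freedesktop.DBus.Properties.Get \
        string:"$IFP_USER_IFACE" string:"name" \
        | parse_variant_string
}

# Whole chain. Fails closed: an unmatched certificate (dbus-send prints an
# error and no object path) returns 1 instead of an empty user name.
lookup_user_by_cert() {
    local path
    path=$(ifp_find_user_path "$1")
    if [ -z "$path" ]; then
        echo "no user holds the certificate in $1" >&2
        return 1
    fi
    ifp_user_name "$path"
}

# Constructed sample replies, copied from the verification output above,
# so the parsers can be exercised without a card or a running sssd.
SAMPLE_FIND_REPLY='method return sender=:1.112 -> dest=:1.181 reply_serial=2
   object path "/org/freedesktop/sssd/infopipe/Users/mil/1052300003"'
SAMPLE_GET_REPLY='method return sender=:1.112 -> dest=:1.183 reply_serial=2
   variant       string "last.day.2001428082"'

# Offline self-check of the parsers; prints the extracted values.
demo_parse() {
    printf '%s\n' "$SAMPLE_FIND_REPLY" | parse_object_path
    printf '%s\n' "$SAMPLE_GET_REPLY"  | parse_variant_string
}

# Usage: ./ifp-lookup.sh /tmp/lastca_sign.pem   (live lookup, as root)
#        ./ifp-lookup.sh                         (offline parser demo)
if [ -n "${1:-}" ]; then
    lookup_user_by_cert "$1"
else
    demo_parse
fi
```

In this SSSD version the match is on the whole certificate value stored on the user entry, so the PEM handed to `FindByCertificate` must be the same certificate that was added with `ipa user-add-cert`, not merely one with the same subject; a re-issued card certificate has to be added to the user again. The same mapping is what `pam_cert_auth = True` uses for login, so a failed lookup here predicts a failed smart-card login.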
Comment 3 Roshni 2016-01-18 10:02:27 EST
A few additional points during verification:

1. The ipa server was installed on RHEL 6.8 and a replica was created on RHEL 7.2 (to use ipa user-add-cert cli)

2. For smartcards with certificate issued by IPA CA, the certs were added to the card using RHEL 7 machine because engine_pkcs11 is not available on RHEL 6.
opensc has to be installed on RHEL 6 client machine to detect the certs on the card using https://dl.fedoraproject.org/pub/epel/6/x86_64/opensc-0.12.2-2.el6.x86_64.rpm
Comment 5 errata-xmlrpc 2016-05-10 16:21:21 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0782.html
