Bug 1403194 - Rebase mod_auth_gssapi to enable IdM Web UI External Authentication
Summary: Rebase mod_auth_gssapi to enable IdM Web UI External Authentication
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: mod_auth_gssapi
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Simo Sorce
QA Contact: Scott Poore
URL:
Whiteboard:
Depends On:
Blocks: 1366572 1399979
Reported: 2016-12-09 12:01 UTC by Martin Kosek
Modified: 2017-08-01 21:01 UTC
CC List: 4 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 21:01:46 UTC
Target Upstream Version:
Embargoed:




Links
System: Red Hat Product Errata
ID: RHEA-2017:2071
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: mod_auth_gssapi bug fix update
Last Updated: 2017-08-01 18:36:24 UTC

Description Martin Kosek 2016-12-09 12:01:20 UTC
Rebase mod_auth_gssapi to include minor fixes/improvements to allow webui isolation work (for external auth like x509 tracked in Bug 1366572).

Comment 2 Simo Sorce 2017-03-10 11:55:24 UTC
1.5.1 packages built

Comment 4 Scott Poore 2017-05-11 16:52:42 UTC
Verified.

Version ::
mod_auth_gssapi-1.5.1-2.el7.x86_64

Results ::

Tested with bug #1366572

Also, further tested basic access to WebUI for the following scenarios:

cert on card with certmapdata for one user
cert on card with certmapdata for two users; both worked
tested that users without certmapdata are not able to log in with cert
tested with certmapconfig-mod promptusername=True and False

Also tested that the admin user is able to log in with a password and still perform basic WebUI tasks: added a user, viewed data from different areas.


[root@auto-hv-02-guest08 testing]# dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.ListByCertificate string:"$(cat /root/testing/demosc1_cert1.crt)" uint32:10
method return sender=:1.786 -> dest=:1.787 reply_serial=2
   array [
      object path "/org/freedesktop/sssd/infopipe/Users/testrelm_2etest/576400131"
      object path "/org/freedesktop/sssd/infopipe/Users/testrelm_2etest/576400132"
   ]

[root@auto-hv-02-guest08 testing]# ipa certmap-match demosc1_cert1.crt
---------------
2 users matched
---------------
  Domain: TESTRELM.TEST
  User logins: demosc1, demosc2
----------------------------
Number of entries returned 1
----------------------------

Both demosc1 and demosc2 were able to log in with the cert that the mapdata was created from.

Rule in place for this testing:

[root@auto-hv-02-guest08 testing]# ipa certmaprule-show combined
  Rule name: combined
  Mapping rule: (|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500}))
  Matching rule: <ISSUER>CN=Certificate Authority,O=TESTRELM.TEST
  Enabled: TRUE



And a little more info showing tests from curl:


[root@dhcp129-184 ~]# export SSL_DIR=/tmp/nssdb

[root@dhcp129-184 ~]# mkdir $SSL_DIR

[root@dhcp129-184 ~]# echo "passw0rd" > $SSL_DIR/password

[root@dhcp129-184 ~]# certutil -d $SSL_DIR -N -f $SSL_DIR/password

[root@dhcp129-184 ~]# modutil -dbdir $SSL_DIR -add smartcard -libfile /usr/lib64/opensc-pkcs11.so <<EOF
>
> EOF

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:
Module "smartcard" added to database.



####################### demosc1 curl test ####################################


[root@dhcp129-184 ~]# curl -v --insecure --cert "demosc1 (OpenSC Card)\:Certificate:redhat" https://auto-hv-02-guest08.testrelm.test/ipa/session/login_x509?username=demosc1
* About to connect() to auto-hv-02-guest08.testrelm.test port 443 (#0)
*   Trying IPA_SERVER_IPA_ADDRESS_SCRUBBED...
* Connected to auto-hv-02-guest08.testrelm.test (IPA_SERVER_IPA_ADDRESS_SCRUBBED) port 443 (#0)
* Initializing NSS with certpath: sql:/tmp/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*   subject: CN=auto-hv-02-guest08.testrelm.test,O=TESTRELM.TEST
*   start date: Mar 31 21:17:28 2017 GMT
*   expire date: Apr 01 21:17:28 2019 GMT
*   common name: auto-hv-02-guest08.testrelm.test
*   issuer: CN=Certificate Authority,O=TESTRELM.TEST
> GET /ipa/session/login_x509?username=demosc1 HTTP/1.1
> User-Agent: curl/7.29.0
> Host: auto-hv-02-guest08.testrelm.test
> Accept: */*
>
* skipping SSL peer certificate verification
* NSS: using client certificate: demosc1 (OpenSC Card):Certificate
*   subject: CN=demosc1,O=TESTRELM.TEST
*   start date: May 05 18:56:31 2017 GMT
*   expire date: May 06 18:56:31 2019 GMT
*   common name: demosc1
*   issuer: CN=Certificate Authority,O=TESTRELM.TEST
< HTTP/1.1 200 Success
< Date: Thu, 11 May 2017 16:47:36 GMT
< Server: Apache/2.4.6 (Red Hat Enterprise Linux) mod_auth_gssapi/1.5.1 mod_nss/1.0.14 NSS/3.28.4 mod_wsgi/3.4 Python/2.7.5
< IPASESSION: MagBearerToken=B0nKAn%2b7F5Q1HuwDobvHCtG%2bVmu%2bDlvtmPdNFRWyXO4RW6eD%2fdLUlzFN0cx42QVv9zynrJPoTvmfb8i2H52ZG3hxRzZMn5O5iKcjz6h%2fNh3tvCTHL8f%2bXB2zWDH8nPAfMPJGl%2bE2xGiSJ7LfdmxKThVPkHY4H5YWhagBfSXjshRktS97i7A3TIAH%2bCeVU%2fUGXH9KMiDiNNmpTqGbqs77GQ%3d%3d&expiry=1494523056703569
< Set-Cookie: ipa_session=MagBearerToken=B0nKAn%2b7F5Q1HuwDobvHCtG%2bVmu%2bDlvtmPdNFRWyXO4RW6eD%2fdLUlzFN0cx42QVv9zynrJPoTvmfb8i2H52ZG3hxRzZMn5O5iKcjz6h%2fNh3tvCTHL8f%2bXB2zWDH8nPAfMPJGl%2bE2xGiSJ7LfdmxKThVPkHY4H5YWhagBfSXjshRktS97i7A3TIAH%2bCeVU%2fUGXH9KMiDiNNmpTqGbqs77GQ%3d%3d&expiry=1494523056706452;Max-Age=1800;path=/ipa;httponly;secure;
< X-Frame-Options: DENY
< Content-Security-Policy: frame-ancestors 'none'
< Cache-Control: no-cache
< Content-Length: 0
< Content-Type: text/plain; charset=UTF-8
<
* Connection #0 to host auto-hv-02-guest08.testrelm.test left intact




####################### demosc2 curl test ####################################


[root@dhcp129-184 ~]# curl -v --insecure --cert "demosc1 (OpenSC Card)\:Certificate:redhat" https://auto-hv-02-guest08.testrelm.test/ipa/session/login_x509?username=demosc2
* About to connect() to auto-hv-02-guest08.testrelm.test port 443 (#0)
*   Trying IPA_SERVER_IPA_ADDRESS_SCRUBBED...
* Connected to auto-hv-02-guest08.testrelm.test (IPA_SERVER_IPA_ADDRESS_SCRUBBED) port 443 (#0)
* Initializing NSS with certpath: sql:/tmp/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*   subject: CN=auto-hv-02-guest08.testrelm.test,O=TESTRELM.TEST
*   start date: Mar 31 21:17:28 2017 GMT
*   expire date: Apr 01 21:17:28 2019 GMT
*   common name: auto-hv-02-guest08.testrelm.test
*   issuer: CN=Certificate Authority,O=TESTRELM.TEST
> GET /ipa/session/login_x509?username=demosc2 HTTP/1.1
> User-Agent: curl/7.29.0
> Host: auto-hv-02-guest08.testrelm.test
> Accept: */*
>
* skipping SSL peer certificate verification
* NSS: using client certificate: demosc1 (OpenSC Card):Certificate
*   subject: CN=demosc1,O=TESTRELM.TEST
*   start date: May 05 18:56:31 2017 GMT
*   expire date: May 06 18:56:31 2019 GMT
*   common name: demosc1
*   issuer: CN=Certificate Authority,O=TESTRELM.TEST
< HTTP/1.1 200 Success
< Date: Thu, 11 May 2017 16:47:42 GMT
< Server: Apache/2.4.6 (Red Hat Enterprise Linux) mod_auth_gssapi/1.5.1 mod_nss/1.0.14 NSS/3.28.4 mod_wsgi/3.4 Python/2.7.5
< IPASESSION: MagBearerToken=LDkLq%2bATGD4k5U%2fgK5ZPf2FwEcEJGLB0EJMMjFOxn%2b8sqKeFh84EPm4QP%2fHqYDuJMp%2bJ9IqlqAUTEY%2bc2TdBaWmIiI4EVE%2fAgpW4iAUPFpOLE1o0yCHevisF3DNly5wWqbixmeq7w500%2bNWco1jrVpcrXpi8YQ%2bs4lwznhv3OwJWQGU9%2bNRtJfmpVuVFu5feEnTuro9M8O7bjQsT3dA%2bMg%3d%3d&expiry=1494523062913055
< Set-Cookie: ipa_session=MagBearerToken=LDkLq%2bATGD4k5U%2fgK5ZPf2FwEcEJGLB0EJMMjFOxn%2b8sqKeFh84EPm4QP%2fHqYDuJMp%2bJ9IqlqAUTEY%2bc2TdBaWmIiI4EVE%2fAgpW4iAUPFpOLE1o0yCHevisF3DNly5wWqbixmeq7w500%2bNWco1jrVpcrXpi8YQ%2bs4lwznhv3OwJWQGU9%2bNRtJfmpVuVFu5feEnTuro9M8O7bjQsT3dA%2bMg%3d%3d&expiry=1494523062915844;Max-Age=1800;path=/ipa;httponly;secure;
< X-Frame-Options: DENY
< Content-Security-Policy: frame-ancestors 'none'
< Cache-Control: no-cache
< Content-Length: 0
< Content-Type: text/plain; charset=UTF-8
<
* Connection #0 to host auto-hv-02-guest08.testrelm.test left intact




####################### demosc3 curl test ####################################



[root@dhcp129-184 ~]# curl -v --insecure --cert "demosc1 (OpenSC Card)\:Certificate:redhat" https://auto-hv-02-guest08.testrelm.test/ipa/session/login_x509?username=demosc3
* About to connect() to auto-hv-02-guest08.testrelm.test port 443 (#0)
*   Trying IPA_SERVER_IPA_ADDRESS_SCRUBBED...
* Connected to auto-hv-02-guest08.testrelm.test (IPA_SERVER_IPA_ADDRESS_SCRUBBED) port 443 (#0)
* Initializing NSS with certpath: sql:/tmp/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*   subject: CN=auto-hv-02-guest08.testrelm.test,O=TESTRELM.TEST
*   start date: Mar 31 21:17:28 2017 GMT
*   expire date: Apr 01 21:17:28 2019 GMT
*   common name: auto-hv-02-guest08.testrelm.test
*   issuer: CN=Certificate Authority,O=TESTRELM.TEST
> GET /ipa/session/login_x509?username=demosc3 HTTP/1.1
> User-Agent: curl/7.29.0
> Host: auto-hv-02-guest08.testrelm.test
> Accept: */*
>
* skipping SSL peer certificate verification
* NSS: using client certificate: demosc1 (OpenSC Card):Certificate
*   subject: CN=demosc1,O=TESTRELM.TEST
*   start date: May 05 18:56:31 2017 GMT
*   expire date: May 06 18:56:31 2019 GMT
*   common name: demosc1
*   issuer: CN=Certificate Authority,O=TESTRELM.TEST
< HTTP/1.1 500 Internal Server Error
< Date: Thu, 11 May 2017 16:47:45 GMT
< Server: Apache/2.4.6 (Red Hat Enterprise Linux) mod_auth_gssapi/1.5.1 mod_nss/1.0.14 NSS/3.28.4 mod_wsgi/3.4 Python/2.7.5
< Set-Cookie: ipa_session=expiry=1494523066173148;Max-Age=1800;path=/ipa;httponly;secure;
< X-Frame-Options: DENY
< Content-Security-Policy: frame-ancestors 'none'
< Cache-Control: no-cache
< Set-Cookie: ipa_session=expiry=1494523066173148;Max-Age=1800;path=/ipa;httponly;secure;
< Content-Length: 527
< Connection: close
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
your request.</p>
<p>Please contact the server administrator at
 root@localhost to inform them of the time this error occurred,
 and the actions you performed just before this error.</p>
<p>More information about this error may be available
in the server error log.</p>
</body></html>
* Closing connection 0
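
To make the certmap rule exercised in the verification above concrete, here is a small Python model of how such a rule decides which users a client certificate maps to. This is an added illustration, not FreeIPA's or SSSD's own code: the DN strings are used exactly as curl prints them on this page rather than being rendered through SSSD's nss_x500 formatter, the DER bytes and user records are constructed, and `match_users` / `login_x509` are hypothetical names that stand in for the matching-rule check, the two-branch mapping filter (`userCertificate;binary` or `ipacertmapdata`), and the optional username prompt.

```python
"""Model of a FreeIPA certmap rule of the form
   (|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:<I>{issuer}<S>{subject}))
with matching rule <ISSUER>CN=Certificate Authority,O=TESTRELM.TEST.
Added example; not the project's code."""
from dataclasses import dataclass, field
from typing import List, Optional

TRUSTED_ISSUER = "CN=Certificate Authority,O=TESTRELM.TEST"   # from the rule on this page


@dataclass
class Cert:
    der: bytes          # constructed stand-in for the DER-encoded certificate
    issuer_dn: str
    subject_dn: str


@dataclass
class User:
    login: str
    user_certificate: List[bytes] = field(default_factory=list)  # userCertificate;binary
    ipacertmapdata: List[str] = field(default_factory=list)


def mapdata_for(cert: Cert) -> str:
    """Build the ipacertmapdata string the mapping rule compares against.
    Assumption: DN strings are taken verbatim (SSSD would apply nss_x500 ordering)."""
    return f"X509:<I>{cert.issuer_dn}<S>{cert.subject_dn}"


def matching_rule_ok(cert: Cert, trusted_issuer: str = TRUSTED_ISSUER) -> bool:
    """The <ISSUER> matching rule: only certs from the trusted CA are considered."""
    return cert.issuer_dn == trusted_issuer


def match_users(cert: Cert, users: List[User]) -> List[str]:
    """Return the logins the certificate maps to (mirrors `ipa certmap-match`)."""
    if not matching_rule_ok(cert):
        return []   # wrong issuer: the rule never consults the mapping filter
    wanted = mapdata_for(cert)
    return [u.login for u in users
            if cert.der in u.user_certificate or wanted in u.ipacertmapdata]


def login_x509(cert: Cert, users: List[User], username: Optional[str] = None) -> str:
    """Decide a login. With a username (promptusername=True style) it must be one of
    the matched users; without one, a single match logs in and several are ambiguous."""
    matched = match_users(cert, users)
    if not matched:
        return "rejected"
    if username is None:
        return matched[0] if len(matched) == 1 else "ambiguous"
    return username if username in matched else "rejected"


# --- constructed sample data modelled on the comment above ---
DEMOSC1_CERT = Cert(b"\x30\x82demosc1-der-placeholder",
                    TRUSTED_ISSUER, "CN=demosc1,O=TESTRELM.TEST")
# Same subject, but issued by a CA the matching rule does not trust.
ROGUE_CERT = Cert(b"\x30\x82rogue-der-placeholder",
                  "CN=Other CA,O=EXAMPLE.TEST", "CN=demosc1,O=TESTRELM.TEST")

USERS = [
    User("demosc1", user_certificate=[DEMOSC1_CERT.der],
         ipacertmapdata=[mapdata_for(DEMOSC1_CERT)]),
    User("demosc2", ipacertmapdata=[mapdata_for(DEMOSC1_CERT)]),  # shares the mapdata
    User("demosc3"),                                              # no certmapdata
    User("admin"),
]

if __name__ == "__main__":
    print("certmap-match:", match_users(DEMOSC1_CERT, USERS))
    for name in ("demosc1", "demosc2", "demosc3"):
        print(f"login_x509?username={name}:", login_x509(DEMOSC1_CERT, USERS, name))
    print("no username:", login_x509(DEMOSC1_CERT, USERS))
    print("rogue issuer:", match_users(ROGUE_CERT, USERS))
```

The two things worth noticing are the ones the tester checked: a single card certificate legitimately maps to both demosc1 and demosc2 because they share the same ipacertmapdata, which is why the username prompt matters, and a user with no mapping data (demosc3) is never matched even when the certificate itself is valid. The rogue-issuer case shows why the `<ISSUER>` matching rule is a separate gate from the mapping filter.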

Comment 5 errata-xmlrpc 2017-08-01 21:01:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:2071

