1736845 – [RFE] Backporting certificate matching rules for files, AD and LDAP provider [rhel-7.9.z]

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1736845 - [RFE] Backporting certificate matching rules for files, AD and LDAP provider [rhel-7.9.z]

Summary: [RFE] Backporting certificate matching rules for files, AD and LDAP provider ...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	sssd
Sub Component:
Version:	7.8
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	SSSD Maintainers
QA Contact:	Scott Poore
Docs Contact:
URL:
Whiteboard:	sync-to-jira qetodo
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-08-02 07:40 UTC by amitkuma
Modified:	2024-03-25 15:21 UTC (History)
CC List:	24 users (show)
Fixed In Version:	sssd-1.16.5-10.el7_9.7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-02-02 12:03:31 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	SSSD sssd pull 5176	0	None	closed	1.16: Add certificate matching rules for files, AD, and LDAP providers	2021-02-08 13:56:34 UTC

Description amitkuma 2019-08-02 07:40:58 UTC

Description of problem:

Customer's Requirements:
- Our environment requires us to use multi-factor authentication. We currently use RSA SecurID tokens, but they have several downsides, and being able to use smartcards would solve multiple problems for us.

- Networked environment with an Active Directory domain (which we don't fully control) and ~100 RHEL7 clients.

- We would like to use smartcard authentication with AD with RHEL7 (and RHEL8) clients. It needs to work the same way as it does with Windows, where some user accounts can be enforced to always use smartcards through the userAccountControl attribute, but other accounts can be enabled to use smartcards but may also use passwords. The userPrincipalName attribute is set to something that matches something in the Subject Alt Name part of the certificate on their smartcards. We will not be doing additional Linux-specific configuration such as uploading certificates themselves into AD as some documentation we've found has suggested.

-pkcs11_tool and p11-child are able to read the smartcard successfully, so we know it can read the cards.

Version-Release number of selected component (if applicable):
sssd-1.16.2-13.el7_6.8.x86_64 Wed May 1 10:07:32 2019
sssd-ad-1.16.2-13.el7_6.8.x86_64 Wed May 1 10:07:31 2019
sssd-client-1.16.2-13.el7_6.8.x86_64 Wed May 1 10:07:18 2019
sssd-common-1.16.2-13.el7_6.8.x86_64 Wed May 1 10:07:31 2019
sssd-common-pac-1.16.2-13.el7_6.8.x86_64 Wed May 1 10:07:31 2019
sssd-ipa-1.16.2-13.el7_6.8.x86_64 Wed May 1 10:07:31 2019
sssd-krb5-1.16.2-13.el7_6.8.x86_64 Wed May 1 10:07:31 2019
sssd-krb5-common-1.16.2-13.el7_6.8.x86_64 Wed May 1 10:07:31 2019
sssd-ldap-1.16.2-13.el7_6.8.x86_64 Wed May 1 10:07:32 2019
sssd-proxy-1.16.2-13.el7_6.8.x86_64 Wed May 1 10:07:32 2019

How reproducible:
All times

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:

Comment 9 Amy Farley 2019-10-10 15:18:30 UTC

The RHEL 7 product is too far in the lifecycle phase to get this added into here in time.

This should be done in RHEL 8.


There is a possibility to use IdM with Trust to AD, that will allow Smart Card Authentication to the RHEL 7 environment. I would suggest using this method, as it is fully features and works well for this.

Since IdM is bundled with RHEL, you do not have any additional costs, other than building the VMs to do so.

Please see here:

Identity Management Guide
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/index

Window Integration Guide
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/windows_integration_guide/index#trust

Smart Cards
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/index#user-auth-smart-cards

Comment 10 amitkuma 2019-10-22 14:00:55 UTC

||There is a possibility to use IdM with Trust to AD, that will allow Smart Card Authentication to the RHEL 7 environment. I would suggest using this method, as it is fully features and works well for this.
Hey Amy Why customer will install configure additional idm server then configure ipa client for AD use case!
His box is directly connected to AD and he wants code to be ported to RHEL-7.
Business justification already provided!

Comment 13 Amy Farley 2019-12-11 19:40:47 UTC

Moving this to RHEL 8, due to RHEL 7 lifecycle, new features cannot be added.

There is too much to do to get it into late-life product.

Comment 14 James Cassell 2019-12-11 19:53:03 UTC

Pretty sure this exists in RHEL 8, and this request is specifically a request to backport it to RHEL 7.

Comment 21 Karl Grindley 2020-05-27 00:56:16 UTC

Please consider reopening this issue.  I will work with my TAM to work on the internal side of this.  Also please reassign back to RHEL7.

There is a working pull-request with the required changes back ported to 1.16.  If accepted, then will directly address this ticket.
https://github.com/SSSD/sssd/pull/5176

Many of us in the Gov't sector, where smart cards are the accepted standard, will soon be required to have full MFA support implanted as part of the Cybersecurity Maturity Model Certification (CMMC) based on the NIST 800-171.  This includes the already requirement for gov't agencies, but all of industry as well.

RHEL7 still has ~4 years of of Maintenance support, and many gov't systems may not have the ability to update to RHEL8 for much of that time.

Comment 22 Martin Kosek 2020-05-27 05:23:25 UTC

Hello Karl, please work with your Red Hat support representative on this issue, to see if you can find some solution that works for you.
RHEL-7 is already in https://access.redhat.com/support/policy/updates/errata#Maintenance_Support_1_Phase and "The focus for minor releases during this phase lies on resolving urgent- or high-priority bugs."

Backporting bigger non-trivial RFE at this stage for all RHEL customers would be risky. This is why RHEL-8 was suggested.

Comment 23 Karl Grindley 2020-05-27 10:53:24 UTC

Hi Martin,

We are already in contact with our Red Hat support and we've had an open pending case on this issue for quite a while. One of the discussion points brought up by our agent is this article. This was way prior to RHEL7's shift to Maintenance Support Phase 1.

https://www.redhat.com/en/blog/smart-card-support-red-hat-enterprise-linux

For whatever reason now in 7.8, that feature has still not been fully implemented. Based on the article, mapping of arbitrary certificate attributes was supposed to be implemented/feature complete ~7.4 fully replacing the need for pam_pkcs11. (note that today the sss-certmap man page is included with RHEL7.8's libcertmap RPM, and nowhere is it documented that this is an IPA only feature. only digging though code did we find this). With this perspective, one could point out this is not a new feature, but is a bug fix as it does not work as documented.

We understand that such a port may require resources to do so if doing so from scratch. To solve this, the upstream branch for sssd 1.16 has a set of patches already submitted for review. Please read the pull request here. https://github.com/SSSD/sssd/pull/5176

This should drastically reduce the resources needed to include full certmapping as discussed in the article into a future dot release of RHEL7.

I will lastly point out, moving to RHEL8 is a well understood goal. However, with countless RHEL7 systems still not on the migration plan for many organizations due to application support, or other reasons, it's not reasonable to demand everyone shift to RHEL8 overnight. Cybersecurity policies and enforcement is changing, and US Gov't wide efforts like CMMC are putting pressure on Red Hat gov't and industry customers to find a solution for all established systems including RHEL7.

Lastly, please retag this issue to RHEL7. Back in December this issue was changed to RHEL8 and it is not a RHEL8 problem.

Comment 24 David Ward 2020-05-27 20:20:28 UTC

In case it is beneficial for anyone following this issue — here is a Copr repository that contains the latest SSSD package in RHEL 7.8, and simply adding the patches that are in the upstream pull request (as-is).

https://copr.fedorainfracloud.org/coprs/dpward/sssd/

Comment 25 Karl Grindley 2020-06-05 17:08:25 UTC

Please reopen this RFE until we get clear guidance from mgmt about the future inclusion in RHEL7.x with Mr. Ward's patch set, if accepted into the 1.16 branch.

Comment 28 Karl Grindley 2020-06-15 17:47:12 UTC

for everyones SA - the PR for the upstream sssd/1.16 branch has accepted the patch set to resolve this issue.

https://github.com/SSSD/sssd/pull/5176

Comment 30 Alexey Tikhonov 2020-07-02 13:09:20 UTC

This might be included in one of the following RHEL7.9 batch updates.

Comment 35 Alexey Tikhonov 2020-07-02 15:24:16 UTC

https://github.com/SSSD/sssd/pull/5176:

* `sssd-1-16`
  * 6b3b4b0bf945814e8886b900dcda18de25f38bb4 - certmap: mention special regex characters in man page
  * 451410e72514bd68e4b56b1a42c97ade6783e74b - test: add certificate without KU to certmap tests
  * e7966dfa40b9a7fcde79a07f146ae5283a7bc8e5 - certmap: allow missing KU in OpenSSL version
  * 6e9e6673916b61197df8a809f56c73d8bdbb868c - CONFIG: validator rules & test
  * eec9d72a242b2b05369f0eb89c4ebcda26d59802 - intg: add Smartcard authentication tests
  * cc2840fbb494ac686e9a3ae0016827a44d14769f - test_ca: set a password/PIN to nss databases
  * 0a989c62b4a3b73f23d9b6956ac81afaed9901f7 - test_ca: test library only for readable
  * 5a47b213b11cbf74dad47594d1826985f6b68f22 - PAM: use better PAM error code for failed Smartcard authentication
  * b6907d7cd5ab7568971ddb48f3932f106e86fe06 - doc: add certificate mapping section to man page
  * d75b196312c4cec767c196c663ff969b6aebcd6b - PAM: add certificate matching rules from all domains
  * 167ab7206913c17617a8e5ada7567d91f8ed6e11 - responder: make sure SSS_DP_CERT is passed to files provider
  * 69def7a3e81313a30ceae937f9cde5d62e999c3d - files: add support for Smartcard authentication
  * e96ba56ea8037d58e1335f7dacd3b19919bc4135 - confdb: add special handling for rules for the files provider
  * d304f5a9e60f7f6eb915a10067ee2e5e5f14c369 - sysdb: sysdb_certmap_add() handle domains more flexible
  * 53befb320c2b60a420a2588425fd5004ceec791a - AD/LDAP: read certificate mapping rules from config file
  * 670a1ca6b7b22bb3a1079111528ee7e4aafd97e5 - confdb: add confdb_certmap_to_sysdb()
  * 14c15cc6db16726419fbf6df76b5c83aec49192a - sysdb: add attr_map attribute to sysdb_ldb_msg_attr_to_certmap_info()
  * f867c2a293651043072afe1dd7a8a78a05e5fe4d - sysdb_ldb_msg_attr_to_certmap_info: set SSS_CERTMAP_MIN_PRIO
  * 8ef2cc11008ef86f4dfcbc267c797bf8ee265455 - sysdb: extract sysdb_ldb_msg_attr_to_certmap_info() call

Comment 42 Scott Poore 2020-12-22 17:37:50 UTC

Verified.

Version ::

sssd-1.16.5-10.el7_9.7.x86_64

Results ::

existing IPA Smart Card Auth regression tests were run against this update with all tests passing.

Also tested basic functionality of the feature for files, ldap, and ad providers.
Very basic 389-ds-base ldap server installed on test host to provide ldap service.
Pre-existing Windows 2019 AD server used for AD provider tests.
Softhsm used to simular smart card.


[root@rhel7-9 test_ca]# cat /etc/sssd/sssd.conf

[sssd]
domains = adcs.test, files_test, ldap_test
config_file_version = 2
services = nss, pam

[domain/files_test]
debug_level = 9
id_provider = files

[domain/ldap_test]
debug_level = 9
id_provider = ldap
ldap_uri = ldap://localhost:389
ldap_search_base = dc=example,dc=com
ldap_user_search_base = ou=People,dc=example,dc=com

[domain/adcs.test]
ad_domain = adcs.test
krb5_realm = ADCS.TEST
realmd_tags = manages-system joined-with-samba 
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad

[pam]
debug_level = 9
pam_cert_auth = True
p11_child_timeout = 60


[root@rhel7-9 test_ca]# cp /etc/pam.d/system-auth /etc/pam.d/system-auth.orig

[root@rhel7-9 test_ca]# vim /etc/pam.d/system-auth 

[root@rhel7-9 test_ca]# diff /etc/pam.d/system-auth /etc/pam.d/system-auth.orig
10c10
< #auth        sufficient    pam_unix.so nullok try_first_pass
---
> auth        sufficient    pam_unix.so nullok try_first_pass

[root@rhel7-9 test_ca]# touch /etc/sssd/conf.d/certmap.conf

[root@rhel7-9 test_ca]# chmod 600 /etc/sssd/conf.d/certmap.conf

[root@rhel7-9 test_ca]# cat > /etc/sssd/conf.d/certmap.conf <<EOF
[certmap/files_test/localuser1]
debug_level = 9
matchrule = <SUBJECT>.*CN=localuser1.*
EOF

[root@rhel7-9 test_ca]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

[root@rhel7-9 test_ca]# rm -rf /var/lib/sss/tokens

[root@rhel7-9 test_ca]# mkdir /var/lib/sss/tokens

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# export SOFTHSM2_CONF=/etc/sssd/conf.d/softhsm2_conf

[root@rhel7-9 test_ca]# softhsm2-util --init-token --slot 0 --label "My token 1" --pin redhat --so-pin redhat
The token has been initialized.

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# pushd $TEST_CA
/opt/test_ca /opt/test_ca /opt/test_ca /etc/sssd

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# NAME=localuser1

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# pkcs11-tool --module libsofthsm2.so --slot-index 0 -w ${NAME}.key -y privkey \
>     --label ${NAME} -p redhat --set-id 0 -d 0
Using slot with index 0 (0x0)
Created private key:
Private Key Object; RSA 
  label:      localuser1
  ID:         00
  Usage:      decrypt, sign, unwrap
Result:Private Key Object; RSA 
  label:      localuser1
  ID:         00
  Usage:      decrypt, sign, unwrap

[root@rhel7-9 test_ca]# pkcs11-tool --module libsofthsm2.so --slot-index 0 -w ${NAME}.crt -y cert \
>         --label ${NAME} -p redhat --set-id 0 -d 0
Using slot with index 0 (0x0)
Created certificate:
Certificate Object; type = X.509 cert
  label:      localuser1
  subject:    DN: O=Example, OU=Example Test, CN=localuser1
  ID:         00
Result:Certificate Object; type = X.509 cert
  label:      localuser1
  subject:    DN: O=Example, OU=Example Test, CN=localuser1
  ID:         00

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# popd
/opt/test_ca /opt/test_ca /etc/sssd

[root@rhel7-9 test_ca]# /tmp/dbus_test localuser1.crt
Matched the following user(s):
/org/freedesktop/sssd/infopipe/Users/files_5ftest/1000
localuser1

[root@rhel7-9 test_ca]# su - localuser1 -c 'su - localuser1 -c whoami'
PIN for My token 1
localuser1

[root@rhel7-9 test_ca]# # PASS ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# cat > /etc/sssd/conf.d/certmap.conf <<EOF
[certmap/files_test/localuser1]
debug_level = 9
matchrule = <SUBJECT>.*CN=userdoesnotexist.*
EOF


[root@rhel7-9 test_ca]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

[root@rhel7-9 test_ca]# /tmp/dbus_test localuser1.crt
Did not match user with cert

[root@rhel7-9 test_ca]# su - localuser1 -c 'su - localuser1 -c whoami'
Password: 
su: Authentication failure

[root@rhel7-9 test_ca]# su - localuser1 -c 'su - localuser1 -c whoami'
Password: 
su: Authentication failure

[root@rhel7-9 test_ca]# # side effect of commenting out pam_unix from system-auth

[root@rhel7-9 test_ca]# # may require more complex pam setup to fall through properly

[root@rhel7-9 test_ca]# cat > /etc/sssd/conf.d/certmap.conf <<EOF
[certmap/files_test/localuser1]
debug_level = 9
matchrule = <ISSUER>CN=Example Test CA,OU=Example Test,O=Example
EOF


[root@rhel7-9 test_ca]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

[root@rhel7-9 test_ca]# /tmp/dbus_test localuser1.crt
Matched the following user(s):
/org/freedesktop/sssd/infopipe/Users/files_5ftest/1000
localuser1

[root@rhel7-9 test_ca]# su - localuser1 -c 'su - localuser1 -c whoami'
PIN for My token 1
localuser1

[root@rhel7-9 test_ca]# # PASS ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^





[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# # LDAP provider tests

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# cat > /etc/sssd/conf.d/certmap.conf <<EOF
[certmap/ldap_test/dsuser1]
debug_level = 9
matchrule = <SUBJECT>.*CN=dsuser1.*
EOF

[root@rhel7-9 test_ca]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

[root@rhel7-9 test_ca]# rm -rf /var/lib/sss/tokens

[root@rhel7-9 test_ca]# mkdir /var/lib/sss/tokens

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# export SOFTHSM2_CONF=/etc/sssd/conf.d/softhsm2_conf

[root@rhel7-9 test_ca]# softhsm2-util --init-token --slot 0 --label "My token 1" --pin redhat --so-pin redhat
The token has been initialized.

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# pushd $TEST_CA
/opt/test_ca /opt/test_ca /opt/test_ca /etc/sssd

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# NAME=dsuser1

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# pkcs11-tool --module libsofthsm2.so --slot-index 0 -w ${NAME}.key -y privkey \
>     --label ${NAME} -p redhat --set-id 0 -d 0
Using slot with index 0 (0x0)
Created private key:
Private Key Object; RSA 
  label:      dsuser1
  ID:         00
  Usage:      decrypt, sign, unwrap
Result:Private Key Object; RSA 
  label:      dsuser1
  ID:         00
  Usage:      decrypt, sign, unwrap

[root@rhel7-9 test_ca]# pkcs11-tool --module libsofthsm2.so --slot-index 0 -w ${NAME}.crt -y cert \
>         --label ${NAME} -p redhat --set-id 0 -d 0
Using slot with index 0 (0x0)
Created certificate:
Certificate Object; type = X.509 cert
  label:      dsuser1
  subject:    DN: O=Example, OU=Example Test, CN=dsuser1
  ID:         00
Result:Certificate Object; type = X.509 cert
  label:      dsuser1
  subject:    DN: O=Example, OU=Example Test, CN=dsuser1
  ID:         00

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# popd
/opt/test_ca /opt/test_ca /etc/sssd

[root@rhel7-9 test_ca]# /tmp/dbus_test dsuser1.crt
Matched the following user(s):
/org/freedesktop/sssd/infopipe/Users/ldap_5ftest/1670071
dsuser1

[root@rhel7-9 test_ca]# su - dsuser1 -c 'su - dsuser1 -c whoami'
PIN for My token 1
dsuser1

[root@rhel7-9 test_ca]# cat > /etc/sssd/conf.d/certmap.conf <<EOF
[certmap/ldap_test/dsuser1]
debug_level = 9
matchrule = <SUBJECT>.*CN=userdoesnotexistinds.*
EOF


[root@rhel7-9 test_ca]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

[root@rhel7-9 test_ca]# /tmp/dbus_test dsuser1.crt
Did not match user with cert

[root@rhel7-9 test_ca]# # PASS (This test should fail because certmap rule doesn't match)

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# cat > /etc/sssd/conf.d/certmap.conf <<EOF
[certmap/ldap_test/dsuser1]
debug_level = 9
matchrule = <ISSUER>CN=Example Test CA,OU=Example Test,O=Example
EOF

[root@rhel7-9 test_ca]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

[root@rhel7-9 test_ca]# /tmp/dbus_test dsuser1.crt
Matched the following user(s):
/org/freedesktop/sssd/infopipe/Users/ldap_5ftest/1670071
dsuser1

[root@rhel7-9 test_ca]# su - dsuser1 -c 'su - dsuser1 -c whoami'
PIN for My token 1
dsuser1

[root@rhel7-9 test_ca]# # PASS ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^





[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# # AD Provider tests

[root@rhel7-9 test_ca]# 
...


[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# rm -rf /var/lib/sss/tokens

[root@rhel7-9 test_ca]# mkdir /var/lib/sss/tokens

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# export SOFTHSM2_CONF=/etc/sssd/conf.d/softhsm2_conf

[root@rhel7-9 test_ca]# softhsm2-util --init-token --slot 0 --label "My token 1" --pin redhat --so-pin redhat
The token has been initialized.

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# pushd $TEST_CA
/opt/test_ca /opt/test_ca /opt/test_ca /etc/sssd

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# NAME=aduser1

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# pkcs11-tool --module libsofthsm2.so --slot-index 0 -w ${NAME}.key -y privkey \
>     --label ${NAME} -p redhat --set-id 0 -d 0
Using slot with index 0 (0x0)
Created private key:
Private Key Object; RSA 
  label:      aduser1
  ID:         00
  Usage:      decrypt, sign, unwrap
Result:Private Key Object; RSA 
  label:      aduser1
  ID:         00
  Usage:      decrypt, sign, unwrap

[root@rhel7-9 test_ca]# pkcs11-tool --module libsofthsm2.so --slot-index 0 -w ${NAME}.crt -y cert \
>         --label ${NAME} -p redhat --set-id 0 -d 0
Using slot with index 0 (0x0)
Created certificate:
Certificate Object; type = X.509 cert
  label:      aduser1
  subject:    DN: O=Example, OU=Example Test, CN=aduser1
  ID:         00
Result:Certificate Object; type = X.509 cert
  label:      aduser1
  subject:    DN: O=Example, OU=Example Test, CN=aduser1
  ID:         00

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# popd
/opt/test_ca /opt/test_ca /etc/sssd

[root@rhel7-9 test_ca]# cat > /etc/sssd/conf.d/certmap.conf <<EOF
> [certmap/adcs.test/aduser1]
> matchrule = <SUBJECT>.*CN=aduser1.*
> EOF

[root@rhel7-9 test_ca]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

[root@rhel7-9 test_ca]# /tmp/dbus_test aduser1.crt
Matched the following user(s):
/org/freedesktop/sssd/infopipe/Users/adcs_2etest/1697601103
aduser1

[root@rhel7-9 test_ca]# su - aduser1 -c 'su - aduser1 -c whoami'
PIN for My token 1
aduser1

[root@rhel7-9 test_ca]# # PASS ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

[root@rhel7-9 test_ca]# cat > /etc/sssd/conf.d/certmap.conf <<EOF
[certmap/adcs.test/aduser1]
matchrule = <SUBJECT>.*CN=userdoesnotexistinad.*
EOF


[root@rhel7-9 test_ca]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

[root@rhel7-9 test_ca]# /tmp/dbus_test aduser1.crt
Did not match user with cert

[root@rhel7-9 test_ca]# # PASS ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# cat > /etc/sssd/conf.d/certmap.conf <<EOF
[certmap/adcs.test/aduser1]
matchrule = <ISSUER>CN=Example Test CA,OU=Example Test,O=Example
EOF


[root@rhel7-9 test_ca]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

[root@rhel7-9 test_ca]# /tmp/dbus_test aduser1.crt
Matched the following user(s):
/org/freedesktop/sssd/infopipe/Users/adcs_2etest/1697601103
aduser1

[root@rhel7-9 test_ca]# su - aduser1 -c 'su - aduser1 -c whoami'
PIN for My token 1
aduser1

[root@rhel7-9 test_ca]# # PASS ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# cat > /etc/sssd/conf.d/certmap.conf <<EOF
[certmap/adcs.test/aduser1]
matchrule = <ISSUER>CN=Example Test CA,OU=Example Test,O=Example
maprule = (samAccountName={subject_principal.short_name})

> EOF

[root@rhel7-9 test_ca]# cat /etc/sssd/conf.d/certmap.conf
[certmap/adcs.test/aduser1]
matchrule = <ISSUER>CN=Example Test CA,OU=Example Test,O=Example
maprule = (samAccountName={subject_principal.short_name})


[root@rhel7-9 test_ca]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

[root@rhel7-9 test_ca]# /tmp/dbus_test aduser1.crt
Matched the following user(s):
/org/freedesktop/sssd/infopipe/Users/adcs_2etest/1697601103
aduser1

[root@rhel7-9 test_ca]# su - aduser1 -c 'su - aduser1 -c whoami'
PIN for My token 1
aduser1

[root@rhel7-9 test_ca]# # PASS ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

[root@rhel7-9 test_ca]# cat > /etc/sssd/conf.d/certmap.conf <<EOF
[certmap/adcs.test/aduser1]
matchrule = <ISSUER>CN=Example Test CA,OU=Example Test,O=Example
maprule = (samAccountName={subject.short_name})

EOF


[root@rhel7-9 test_ca]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

[root@rhel7-9 test_ca]# /tmp/dbus_test aduser1.crt
Matched the following user(s):
/org/freedesktop/sssd/infopipe/Users/adcs_2etest/1697601103
aduser1

[root@rhel7-9 test_ca]# grep "Please check for typos" /var/log/sssd/sssd_pam.log
(2020-12-22 11:14:50): [pam] [p11_refresh_certmap_ctx] (0x0020): sss_certmap_add_rule failed for rule [aduser1] with error [22][Invalid argument], skipping. Please check for typos and if rule syntax is supported.

[root@rhel7-9 test_ca]# date
Tue Dec 22 11:15:05 CST 2020

[root@rhel7-9 test_ca]# cat > /etc/sssd/conf.d/certmap.conf <<EOF
[certmap/adcs.test/aduser1]
matchrule = <ISSUER>CN=Example Test CA,OU=Example Test,O=Example
maprule = (samAccountName={subject.short_name})

[certmap/adcs.test/aduser1_dne]
> matchrule = <SUBJECT>.*CN=userdoesnotexist.*
> EOF

[root@rhel7-9 test_ca]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

[root@rhel7-9 test_ca]# /tmp/dbus_test aduser1.crt
Did not match user with cert

[root@rhel7-9 test_ca]# # with only the one rule that had typo, default will find cert

[root@rhel7-9 test_ca]# # with extra rule that doesn't match, no user matched as expected

[root@rhel7-9 test_ca]# # PASS ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# cat > /etc/sssd/conf.d/certmap.conf <<EOF
> [certmap/adcs.test/aduser1]
> matchrule = <ISSUER>CN=Example Test CA,OU=Example Test,O=Example
> maprule = (altSecurityIdentities=X509:<I>{issuer_dn!ad_x500}<S>{subject_dn!ad_x500})
> EOF

[root@rhel7-9 test_ca]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

[root@rhel7-9 test_ca]# /tmp/dbus_test aduser1.crt
Matched the following user(s):
/org/freedesktop/sssd/infopipe/Users/adcs_2etest/1697601161
aduser2

[root@rhel7-9 test_ca]# # NOTE:  aduser2 is who matched this time because we're using altSecurityIdentities.  This was previously configured in AD with ldapmodify command

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# su - aduser2 -c 'su - aduser2 -c whoami'
PIN for My token 1
aduser2

[root@rhel7-9 test_ca]# # PASS ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# cat > /etc/sssd/conf.d/certmap.conf <<EOF
> [certmap/adcs.test/localuser1]
> matchrule = <ISSUER>CN=Example Test CA,OU=Example Test,O=Example
> EOF

[root@rhel7-9 test_ca]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

[root@rhel7-9 test_ca]# /tmp/dbus_test aduser1.crt
Matched the following user(s):
/org/freedesktop/sssd/infopipe/Users/adcs_2etest/1697601103
aduser1

[root@rhel7-9 test_ca]# CERTFILE=dsuser1.crt

[root@rhel7-9 test_ca]# USERCERT=$(cat ${CERTFILE}|sed '/CERT/d'|tr -d '\r\n')

[root@rhel7-9 test_ca]# AD_ISSUER='O=Example,OU=Example Test,CN=Example Test CA'

[root@rhel7-9 test_ca]# AD_SUBJECT='O=Example,OU=Example Test,CN=aduser1'


[root@rhel7-9 test_ca]# ldapmodify -x -D "$AD_ADMIN" -w Secret123 -h $AD_SERVER <<EOF
> dn: CN=ad user1,CN=Users,DC=adcs,DC=test
> changetype: modify
> add: userCertificate;binary
> userCertificate;binary::$USERCERT
> EOF
modifying entry "CN=ad user1,CN=Users,DC=adcs,DC=test"


[root@rhel7-9 test_ca]# # previous was mis cut-and paste...was for delete, not add

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

[root@rhel7-9 test_ca]# /tmp/dbus_test dsuser1.crt
Matched the following user(s):
/org/freedesktop/sssd/infopipe/Users/adcs_2etest/1697601103 /org/freedesktop/sssd/infopipe/Users/ldap_5ftest/1670071
aduser1
dsuser1


[root@rhel7-9 test_ca]# # See both ad and ds user found now

...

[root@rhel7-9 test_ca]# rm -rf /var/lib/sss/tokens

[root@rhel7-9 test_ca]# mkdir /var/lib/sss/tokens

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# export SOFTHSM2_CONF=/etc/sssd/conf.d/softhsm2_conf

[root@rhel7-9 test_ca]# softhsm2-util --init-token --slot 0 --label "My token 1" --pin redhat --so-pin redhat
The token has been initialized.

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# pushd $TEST_CA
/opt/test_ca /opt/test_ca /opt/test_ca /etc/sssd

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# NAME=dsuser1

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# pkcs11-tool --module libsofthsm2.so --slot-index 0 -w ${NAME}.key -y privkey \
>     --label ${NAME} -p redhat --set-id 0 -d 0
Using slot with index 0 (0x0)
Created private key:
Private Key Object; RSA 
  label:      dsuser1
  ID:         00
  Usage:      decrypt, sign, unwrap
Result:Private Key Object; RSA 
  label:      dsuser1
  ID:         00
  Usage:      decrypt, sign, unwrap

[root@rhel7-9 test_ca]# pkcs11-tool --module libsofthsm2.so --slot-index 0 -w ${NAME}.crt -y cert \
>         --label ${NAME} -p redhat --set-id 0 -d 0
Using slot with index 0 (0x0)
Created certificate:
Certificate Object; type = X.509 cert
  label:      dsuser1
  subject:    DN: O=Example, OU=Example Test, CN=dsuser1
  ID:         00
Result:Certificate Object; type = X.509 cert
  label:      dsuser1
  subject:    DN: O=Example, OU=Example Test, CN=dsuser1
  ID:         00

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# popd
/opt/test_ca /opt/test_ca /etc/sssd

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# cat /etc/sssd/conf.d/certmap.conf 
[certmap/adcs.test/localuser1]
matchrule = <ISSUER>CN=Example Test CA,OU=Example Test,O=Example

[root@rhel7-9 test_ca]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

[root@rhel7-9 test_ca]# /tmp/dbus_test dsuser1.crt
Matched the following user(s):
/org/freedesktop/sssd/infopipe/Users/adcs_2etest/1697601103 /org/freedesktop/sssd/infopipe/Users/ldap_5ftest/1670071
aduser1
dsuser1

[root@rhel7-9 test_ca]# su - dsuser1 -c 'su - dsuser1 -c whoami'
PIN for My token 1
dsuser1

[root@rhel7-9 test_ca]# su - aduser1 -c 'su - aduser1 -c whoami'
PIN for My token 1
aduser1

[root@rhel7-9 test_ca]# # PASS ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Comment 47 errata-xmlrpc 2021-02-02 12:03:31 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:0341

Note You need to log in before you can comment on or make changes to this bug.

afarley
atikhono
david.ward
ddas
fedoraproject
g63it
grajaiya
jhrozek
jreznik
lslebodn
mescanfe
mzidek
pbrezina
raymond.rocker
sbose
sgoveas
shokumar
spoore
sssd-maint
tbrunell
thalman
tmihinto
tscherf
vmishra