Bug 1736845 - [RFE] Backporting certificate matching rules for files, AD and LDAP provider [rhel-7.9.z]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.8
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: SSSD Maintainers
QA Contact: Scott Poore
URL:
Whiteboard: sync-to-jira qetodo
Depends On:
Blocks:
Reported: 2019-08-02 07:40 UTC by amitkuma
Modified: 2021-02-02 12:03 UTC (History)

Fixed In Version: sssd-1.16.5-10.el7_9.7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-02-02 12:03:31 UTC
Target Upstream Version:




Links:
GitHub SSSD/sssd pull 5176 (closed): 1.16: Add certificate matching rules for files, AD, and LDAP providers (last updated 2021-02-08 13:56:34 UTC)

Description amitkuma 2019-08-02 07:40:58 UTC
Description of problem:

Customer's Requirements:
- Our environment requires us to use multi-factor authentication.  We currently use RSA SecurID tokens, but they have several downsides, and being able to use smartcards would solve multiple problems for us.

- Networked environment with an Active Directory domain (which we don't fully control) and ~100 RHEL7 clients.

- We would like to use smartcard authentication with AD with RHEL7 (and RHEL8) clients.  It needs to work the same way as it does with Windows, where some user accounts can be enforced to always use smartcards through the userAccountControl attribute, but other accounts can be enabled to use smartcards but may also use passwords.  The userPrincipalName attribute is set to something that matches something in the Subject Alt Name part of the certificate on their smartcards.  We will not be doing additional Linux-specific configuration such as uploading certificates themselves into AD as some documentation we've found has suggested.

-pkcs11_tool and p11-child are able to read the smartcard successfully, so we know it can read the cards. 

Version-Release number of selected component (if applicable):
sssd-1.16.2-13.el7_6.8.x86_64                               Wed May  1 10:07:32 2019
sssd-ad-1.16.2-13.el7_6.8.x86_64                            Wed May  1 10:07:31 2019
sssd-client-1.16.2-13.el7_6.8.x86_64                        Wed May  1 10:07:18 2019
sssd-common-1.16.2-13.el7_6.8.x86_64                        Wed May  1 10:07:31 2019
sssd-common-pac-1.16.2-13.el7_6.8.x86_64                    Wed May  1 10:07:31 2019
sssd-ipa-1.16.2-13.el7_6.8.x86_64                           Wed May  1 10:07:31 2019
sssd-krb5-1.16.2-13.el7_6.8.x86_64                          Wed May  1 10:07:31 2019
sssd-krb5-common-1.16.2-13.el7_6.8.x86_64                   Wed May  1 10:07:31 2019
sssd-ldap-1.16.2-13.el7_6.8.x86_64                          Wed May  1 10:07:32 2019
sssd-proxy-1.16.2-13.el7_6.8.x86_64                         Wed May  1 10:07:32 2019


How reproducible:
All times

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 9 Amy Farley 2019-10-10 15:18:30 UTC
The RHEL 7 product is too far in the lifecycle phase to get this added into here in time.

This should be done in RHEL 8.


There is a possibility to use IdM with Trust to AD, that will allow Smart Card Authentication to the RHEL 7 environment. I would suggest using this method, as it is fully featured and works well for this.

Since IdM is bundled with RHEL, you do not have any additional costs, other than building the VMs to do so.

Please see here:

Identity Management Guide
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/index

Windows Integration Guide
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/windows_integration_guide/index#trust

Smart Cards
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/index#user-auth-smart-cards

Comment 10 amitkuma 2019-10-22 14:00:55 UTC
> There is a possibility to use IdM with Trust to AD, that will allow Smart Card Authentication to the RHEL 7 environment. I would suggest using this method, as it is fully featured and works well for this.

Hey Amy, why would the customer install and configure an additional IdM server and then configure an IPA client for an AD use case?
His box is directly connected to AD and he wants the code to be ported to RHEL-7.
Business justification has already been provided!

Comment 13 Amy Farley 2019-12-11 19:40:47 UTC
Moving this to RHEL 8, due to RHEL 7 lifecycle, new features cannot be added.

There is too much to do to get it into late-life product.

Comment 14 James Cassell 2019-12-11 19:53:03 UTC
Pretty sure this exists in RHEL 8, and this request is specifically a request to backport it to RHEL 7.

Comment 21 Karl Grindley 2020-05-27 00:56:16 UTC
Please consider reopening this issue.  I will work with my TAM to work on the internal side of this.  Also please reassign back to RHEL7.

There is a working pull-request with the required changes back ported to 1.16.  If accepted, then will directly address this ticket.
https://github.com/SSSD/sssd/pull/5176

Many of us in the Gov't sector, where smart cards are the accepted standard, will soon be required to have full MFA support implemented as part of the Cybersecurity Maturity Model Certification (CMMC) based on NIST 800-171.  This covers not only the existing requirement for gov't agencies, but all of industry as well.

RHEL7 still has ~4 years of Maintenance support, and many gov't systems may not have the ability to update to RHEL8 for much of that time.

Comment 22 Martin Kosek 2020-05-27 05:23:25 UTC
Hello Karl, please work with your Red Hat support representative on this issue, to see if you can find some solution that works for you.
RHEL-7 is already in https://access.redhat.com/support/policy/updates/errata#Maintenance_Support_1_Phase and "The focus for minor releases during this phase lies on resolving urgent- or high-priority bugs."

Backporting bigger non-trivial RFE at this stage for all RHEL customers would be risky. This is why RHEL-8 was suggested.

Comment 23 Karl Grindley 2020-05-27 10:53:24 UTC
Hi Martin, 

We are already in contact with our Red Hat support and we've had an open pending case on this issue for quite a while.  One of the discussion points brought up by our agent is this article.  This was way prior to RHEL7's shift to Maintenance Support Phase 1.

https://www.redhat.com/en/blog/smart-card-support-red-hat-enterprise-linux

For whatever reason, now in 7.8, that feature has still not been fully implemented.  Based on the article, mapping of arbitrary certificate attributes was supposed to be implemented/feature complete ~7.4, fully replacing the need for pam_pkcs11.  (Note that today the sss-certmap man page is included with RHEL 7.8's libcertmap RPM, and nowhere is it documented that this is an IPA-only feature; only by digging through the code did we find this.)  With this perspective, one could point out that this is not a new feature but a bug fix, as it does not work as documented.

We understand that such a port may require resources to do so if doing so from scratch.  To solve this, the upstream branch for sssd 1.16 has a set of patches already submitted for review.  Please read the pull request here.  https://github.com/SSSD/sssd/pull/5176

This should drastically reduce the resources needed to include full certmapping as discussed in the article into a future dot release of RHEL7.

I will lastly point out that moving to RHEL8 is a well understood goal.  However, with countless RHEL7 systems still not on the migration plan for many organizations due to application support or other reasons, it's not reasonable to demand everyone shift to RHEL8 overnight.  Cybersecurity policies and enforcement are changing, and US Gov't-wide efforts like CMMC are putting pressure on Red Hat gov't and industry customers to find a solution for all established systems, including RHEL7.

Lastly, please retag this issue to RHEL7.  Back in December this issue was changed to RHEL8 and it is not a RHEL8 problem.

Comment 24 David Ward 2020-05-27 20:20:28 UTC
In case it is beneficial for anyone following this issue: here is a Copr repository that contains the latest SSSD package in RHEL 7.8 with the patches from the upstream pull request simply added (as-is).

https://copr.fedorainfracloud.org/coprs/dpward/sssd/

Comment 25 Karl Grindley 2020-06-05 17:08:25 UTC
Please reopen this RFE until we get clear guidance from mgmt about the future inclusion in RHEL7.x with Mr. Ward's patch set, if accepted into the 1.16 branch.

Comment 28 Karl Grindley 2020-06-15 17:47:12 UTC
For everyone's SA: the PR for the upstream sssd/1.16 branch has accepted the patch set to resolve this issue.

https://github.com/SSSD/sssd/pull/5176

Comment 30 Alexey Tikhonov 2020-07-02 13:09:20 UTC
This might be included in one of the following RHEL7.9 batch updates.

Comment 35 Alexey Tikhonov 2020-07-02 15:24:16 UTC
https://github.com/SSSD/sssd/pull/5176:

* `sssd-1-16`
  * 6b3b4b0bf945814e8886b900dcda18de25f38bb4 - certmap: mention special regex characters in man page
  * 451410e72514bd68e4b56b1a42c97ade6783e74b - test: add certificate without KU to certmap tests
  * e7966dfa40b9a7fcde79a07f146ae5283a7bc8e5 - certmap: allow missing KU in OpenSSL version
  * 6e9e6673916b61197df8a809f56c73d8bdbb868c - CONFIG: validator rules & test
  * eec9d72a242b2b05369f0eb89c4ebcda26d59802 - intg: add Smartcard authentication tests
  * cc2840fbb494ac686e9a3ae0016827a44d14769f - test_ca: set a password/PIN to nss databases
  * 0a989c62b4a3b73f23d9b6956ac81afaed9901f7 - test_ca: test library only for readable
  * 5a47b213b11cbf74dad47594d1826985f6b68f22 - PAM: use better PAM error code for failed Smartcard authentication
  * b6907d7cd5ab7568971ddb48f3932f106e86fe06 - doc: add certificate mapping section to man page
  * d75b196312c4cec767c196c663ff969b6aebcd6b - PAM: add certificate matching rules from all domains
  * 167ab7206913c17617a8e5ada7567d91f8ed6e11 - responder: make sure SSS_DP_CERT is passed to files provider
  * 69def7a3e81313a30ceae937f9cde5d62e999c3d - files: add support for Smartcard authentication
  * e96ba56ea8037d58e1335f7dacd3b19919bc4135 - confdb: add special handling for rules for the files provider
  * d304f5a9e60f7f6eb915a10067ee2e5e5f14c369 - sysdb: sysdb_certmap_add() handle domains more flexible
  * 53befb320c2b60a420a2588425fd5004ceec791a - AD/LDAP: read certificate mapping rules from config file
  * 670a1ca6b7b22bb3a1079111528ee7e4aafd97e5 - confdb: add confdb_certmap_to_sysdb()
  * 14c15cc6db16726419fbf6df76b5c83aec49192a - sysdb: add attr_map attribute to sysdb_ldb_msg_attr_to_certmap_info()
  * f867c2a293651043072afe1dd7a8a78a05e5fe4d - sysdb_ldb_msg_attr_to_certmap_info: set SSS_CERTMAP_MIN_PRIO
  * 8ef2cc11008ef86f4dfcbc267c797bf8ee265455 - sysdb: extract sysdb_ldb_msg_attr_to_certmap_info() call

Comment 42 Scott Poore 2020-12-22 17:37:50 UTC
Verified.

Version ::

sssd-1.16.5-10.el7_9.7.x86_64

Results ::

Existing IPA Smart Card Auth regression tests were run against this update with all tests passing.

Also tested basic functionality of the feature for files, ldap, and ad providers.
Very basic 389-ds-base ldap server installed on test host to provide ldap service.
Pre-existing Windows 2019 AD server used for AD provider tests.
SoftHSM used to simulate a smart card.


[root@rhel7-9 test_ca]# cat /etc/sssd/sssd.conf

[sssd]
domains = adcs.test, files_test, ldap_test
config_file_version = 2
services = nss, pam

[domain/files_test]
debug_level = 9
id_provider = files

[domain/ldap_test]
debug_level = 9
id_provider = ldap
ldap_uri = ldap://localhost:389
ldap_search_base = dc=example,dc=com
ldap_user_search_base = ou=People,dc=example,dc=com

[domain/adcs.test]
ad_domain = adcs.test
krb5_realm = ADCS.TEST
realmd_tags = manages-system joined-with-samba 
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad

[pam]
debug_level = 9
pam_cert_auth = True
p11_child_timeout = 60


[root@rhel7-9 test_ca]# cp /etc/pam.d/system-auth /etc/pam.d/system-auth.orig

[root@rhel7-9 test_ca]# vim /etc/pam.d/system-auth 

[root@rhel7-9 test_ca]# diff /etc/pam.d/system-auth /etc/pam.d/system-auth.orig
10c10
< #auth        sufficient    pam_unix.so nullok try_first_pass
---
> auth        sufficient    pam_unix.so nullok try_first_pass

[root@rhel7-9 test_ca]# touch /etc/sssd/conf.d/certmap.conf

[root@rhel7-9 test_ca]# chmod 600 /etc/sssd/conf.d/certmap.conf

[root@rhel7-9 test_ca]# cat > /etc/sssd/conf.d/certmap.conf <<EOF
[certmap/files_test/localuser1]
debug_level = 9
matchrule = <SUBJECT>.*CN=localuser1.*
EOF

[root@rhel7-9 test_ca]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

[root@rhel7-9 test_ca]# rm -rf /var/lib/sss/tokens

[root@rhel7-9 test_ca]# mkdir /var/lib/sss/tokens

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# export SOFTHSM2_CONF=/etc/sssd/conf.d/softhsm2_conf

[root@rhel7-9 test_ca]# softhsm2-util --init-token --slot 0 --label "My token 1" --pin redhat --so-pin redhat
The token has been initialized.

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# pushd $TEST_CA
/opt/test_ca /opt/test_ca /opt/test_ca /etc/sssd

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# NAME=localuser1

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# pkcs11-tool --module libsofthsm2.so --slot-index 0 -w ${NAME}.key -y privkey \
>     --label ${NAME} -p redhat --set-id 0 -d 0
Using slot with index 0 (0x0)
Created private key:
Private Key Object; RSA 
  label:      localuser1
  ID:         00
  Usage:      decrypt, sign, unwrap
Result:Private Key Object; RSA 
  label:      localuser1
  ID:         00
  Usage:      decrypt, sign, unwrap

[root@rhel7-9 test_ca]# pkcs11-tool --module libsofthsm2.so --slot-index 0 -w ${NAME}.crt -y cert \
>         --label ${NAME} -p redhat --set-id 0 -d 0
Using slot with index 0 (0x0)
Created certificate:
Certificate Object; type = X.509 cert
  label:      localuser1
  subject:    DN: O=Example, OU=Example Test, CN=localuser1
  ID:         00
Result:Certificate Object; type = X.509 cert
  label:      localuser1
  subject:    DN: O=Example, OU=Example Test, CN=localuser1
  ID:         00

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# popd
/opt/test_ca /opt/test_ca /etc/sssd

[root@rhel7-9 test_ca]# /tmp/dbus_test localuser1.crt
Matched the following user(s):
/org/freedesktop/sssd/infopipe/Users/files_5ftest/1000
localuser1

[root@rhel7-9 test_ca]# su - localuser1 -c 'su - localuser1 -c whoami'
PIN for My token 1
localuser1

[root@rhel7-9 test_ca]# # PASS ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

[root@rhel7-9 test_ca]# cat > /etc/sssd/conf.d/certmap.conf <<EOF
[certmap/files_test/localuser1]
debug_level = 9
matchrule = <SUBJECT>.*CN=userdoesnotexist.*
EOF


[root@rhel7-9 test_ca]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

[root@rhel7-9 test_ca]# /tmp/dbus_test localuser1.crt
Did not match user with cert

[root@rhel7-9 test_ca]# su - localuser1 -c 'su - localuser1 -c whoami'
Password: 
su: Authentication failure

[root@rhel7-9 test_ca]# su - localuser1 -c 'su - localuser1 -c whoami'
Password: 
su: Authentication failure

[root@rhel7-9 test_ca]# # side effect of commenting out pam_unix from system-auth

[root@rhel7-9 test_ca]# # may require more complex pam setup to fall through properly

[root@rhel7-9 test_ca]# cat > /etc/sssd/conf.d/certmap.conf <<EOF
[certmap/files_test/localuser1]
debug_level = 9
matchrule = <ISSUER>CN=Example Test CA,OU=Example Test,O=Example
EOF


[root@rhel7-9 test_ca]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

[root@rhel7-9 test_ca]# /tmp/dbus_test localuser1.crt
Matched the following user(s):
/org/freedesktop/sssd/infopipe/Users/files_5ftest/1000
localuser1

[root@rhel7-9 test_ca]# su - localuser1 -c 'su - localuser1 -c whoami'
PIN for My token 1
localuser1

[root@rhel7-9 test_ca]# # PASS ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

[root@rhel7-9 test_ca]# # LDAP provider tests

[root@rhel7-9 test_ca]# cat > /etc/sssd/conf.d/certmap.conf <<EOF
[certmap/ldap_test/dsuser1]
debug_level = 9
matchrule = <SUBJECT>.*CN=dsuser1.*
EOF

[root@rhel7-9 test_ca]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

[root@rhel7-9 test_ca]# rm -rf /var/lib/sss/tokens

[root@rhel7-9 test_ca]# mkdir /var/lib/sss/tokens

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# export SOFTHSM2_CONF=/etc/sssd/conf.d/softhsm2_conf

[root@rhel7-9 test_ca]# softhsm2-util --init-token --slot 0 --label "My token 1" --pin redhat --so-pin redhat
The token has been initialized.

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# pushd $TEST_CA
/opt/test_ca /opt/test_ca /opt/test_ca /etc/sssd

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# NAME=dsuser1

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# pkcs11-tool --module libsofthsm2.so --slot-index 0 -w ${NAME}.key -y privkey \
>     --label ${NAME} -p redhat --set-id 0 -d 0
Using slot with index 0 (0x0)
Created private key:
Private Key Object; RSA 
  label:      dsuser1
  ID:         00
  Usage:      decrypt, sign, unwrap
Result:Private Key Object; RSA 
  label:      dsuser1
  ID:         00
  Usage:      decrypt, sign, unwrap

[root@rhel7-9 test_ca]# pkcs11-tool --module libsofthsm2.so --slot-index 0 -w ${NAME}.crt -y cert \
>         --label ${NAME} -p redhat --set-id 0 -d 0
Using slot with index 0 (0x0)
Created certificate:
Certificate Object; type = X.509 cert
  label:      dsuser1
  subject:    DN: O=Example, OU=Example Test, CN=dsuser1
  ID:         00
Result:Certificate Object; type = X.509 cert
  label:      dsuser1
  subject:    DN: O=Example, OU=Example Test, CN=dsuser1
  ID:         00

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# popd
/opt/test_ca /opt/test_ca /etc/sssd

[root@rhel7-9 test_ca]# /tmp/dbus_test dsuser1.crt
Matched the following user(s):
/org/freedesktop/sssd/infopipe/Users/ldap_5ftest/1670071
dsuser1

[root@rhel7-9 test_ca]# su - dsuser1 -c 'su - dsuser1 -c whoami'
PIN for My token 1
dsuser1

[root@rhel7-9 test_ca]# cat > /etc/sssd/conf.d/certmap.conf <<EOF
[certmap/ldap_test/dsuser1]
debug_level = 9
matchrule = <SUBJECT>.*CN=userdoesnotexistinds.*
EOF


[root@rhel7-9 test_ca]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

[root@rhel7-9 test_ca]# /tmp/dbus_test dsuser1.crt
Did not match user with cert

[root@rhel7-9 test_ca]# # PASS (This test should fail because certmap rule doesn't match)

[root@rhel7-9 test_ca]# cat > /etc/sssd/conf.d/certmap.conf <<EOF
[certmap/ldap_test/dsuser1]
debug_level = 9
matchrule = <ISSUER>CN=Example Test CA,OU=Example Test,O=Example
EOF

[root@rhel7-9 test_ca]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

[root@rhel7-9 test_ca]# /tmp/dbus_test dsuser1.crt
Matched the following user(s):
/org/freedesktop/sssd/infopipe/Users/ldap_5ftest/1670071
dsuser1

[root@rhel7-9 test_ca]# su - dsuser1 -c 'su - dsuser1 -c whoami'
PIN for My token 1
dsuser1

[root@rhel7-9 test_ca]# # PASS ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

[root@rhel7-9 test_ca]# # AD Provider tests

...

[root@rhel7-9 test_ca]# rm -rf /var/lib/sss/tokens

[root@rhel7-9 test_ca]# mkdir /var/lib/sss/tokens

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# export SOFTHSM2_CONF=/etc/sssd/conf.d/softhsm2_conf

[root@rhel7-9 test_ca]# softhsm2-util --init-token --slot 0 --label "My token 1" --pin redhat --so-pin redhat
The token has been initialized.

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# pushd $TEST_CA
/opt/test_ca /opt/test_ca /opt/test_ca /etc/sssd

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# NAME=aduser1

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# pkcs11-tool --module libsofthsm2.so --slot-index 0 -w ${NAME}.key -y privkey \
>     --label ${NAME} -p redhat --set-id 0 -d 0
Using slot with index 0 (0x0)
Created private key:
Private Key Object; RSA 
  label:      aduser1
  ID:         00
  Usage:      decrypt, sign, unwrap
Result:Private Key Object; RSA 
  label:      aduser1
  ID:         00
  Usage:      decrypt, sign, unwrap

[root@rhel7-9 test_ca]# pkcs11-tool --module libsofthsm2.so --slot-index 0 -w ${NAME}.crt -y cert \
>         --label ${NAME} -p redhat --set-id 0 -d 0
Using slot with index 0 (0x0)
Created certificate:
Certificate Object; type = X.509 cert
  label:      aduser1
  subject:    DN: O=Example, OU=Example Test, CN=aduser1
  ID:         00
Result:Certificate Object; type = X.509 cert
  label:      aduser1
  subject:    DN: O=Example, OU=Example Test, CN=aduser1
  ID:         00

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# popd
/opt/test_ca /opt/test_ca /etc/sssd

[root@rhel7-9 test_ca]# cat > /etc/sssd/conf.d/certmap.conf <<EOF
> [certmap/adcs.test/aduser1]
> matchrule = <SUBJECT>.*CN=aduser1.*
> EOF

[root@rhel7-9 test_ca]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

[root@rhel7-9 test_ca]# /tmp/dbus_test aduser1.crt
Matched the following user(s):
/org/freedesktop/sssd/infopipe/Users/adcs_2etest/1697601103
aduser1@adcs.test

[root@rhel7-9 test_ca]# su - aduser1@adcs.test -c 'su - aduser1@adcs.test -c whoami'
PIN for My token 1
aduser1@adcs.test

[root@rhel7-9 test_ca]# # PASS ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

[root@rhel7-9 test_ca]# cat > /etc/sssd/conf.d/certmap.conf <<EOF
[certmap/adcs.test/aduser1]
matchrule = <SUBJECT>.*CN=userdoesnotexistinad.*
EOF


[root@rhel7-9 test_ca]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

[root@rhel7-9 test_ca]# /tmp/dbus_test aduser1.crt
Did not match user with cert

[root@rhel7-9 test_ca]# # PASS ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# cat > /etc/sssd/conf.d/certmap.conf <<EOF
[certmap/adcs.test/aduser1]
matchrule = <ISSUER>CN=Example Test CA,OU=Example Test,O=Example
EOF


[root@rhel7-9 test_ca]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

[root@rhel7-9 test_ca]# /tmp/dbus_test aduser1.crt
Matched the following user(s):
/org/freedesktop/sssd/infopipe/Users/adcs_2etest/1697601103
aduser1@adcs.test

[root@rhel7-9 test_ca]# su - aduser1@adcs.test -c 'su - aduser1@adcs.test -c whoami'
PIN for My token 1
aduser1@adcs.test

[root@rhel7-9 test_ca]# # PASS ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# cat > /etc/sssd/conf.d/certmap.conf <<EOF
[certmap/adcs.test/aduser1]
matchrule = <ISSUER>CN=Example Test CA,OU=Example Test,O=Example
maprule = (samAccountName={subject_principal.short_name})

> EOF

[root@rhel7-9 test_ca]# cat /etc/sssd/conf.d/certmap.conf
[certmap/adcs.test/aduser1]
matchrule = <ISSUER>CN=Example Test CA,OU=Example Test,O=Example
maprule = (samAccountName={subject_principal.short_name})


[root@rhel7-9 test_ca]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

[root@rhel7-9 test_ca]# /tmp/dbus_test aduser1.crt
Matched the following user(s):
/org/freedesktop/sssd/infopipe/Users/adcs_2etest/1697601103
aduser1@adcs.test

[root@rhel7-9 test_ca]# su - aduser1@adcs.test -c 'su - aduser1@adcs.test -c whoami'
PIN for My token 1
aduser1@adcs.test

[root@rhel7-9 test_ca]# # PASS ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

[root@rhel7-9 test_ca]# cat > /etc/sssd/conf.d/certmap.conf <<EOF
[certmap/adcs.test/aduser1]
matchrule = <ISSUER>CN=Example Test CA,OU=Example Test,O=Example
maprule = (samAccountName={subject.short_name})

EOF


[root@rhel7-9 test_ca]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

[root@rhel7-9 test_ca]# /tmp/dbus_test aduser1.crt
Matched the following user(s):
/org/freedesktop/sssd/infopipe/Users/adcs_2etest/1697601103
aduser1@adcs.test

[root@rhel7-9 test_ca]# grep "Please check for typos" /var/log/sssd/sssd_pam.log
(2020-12-22 11:14:50): [pam] [p11_refresh_certmap_ctx] (0x0020): sss_certmap_add_rule failed for rule [aduser1] with error [22][Invalid argument], skipping. Please check for typos and if rule syntax is supported.

[root@rhel7-9 test_ca]# date
Tue Dec 22 11:15:05 CST 2020

[root@rhel7-9 test_ca]# cat > /etc/sssd/conf.d/certmap.conf <<EOF
[certmap/adcs.test/aduser1]
matchrule = <ISSUER>CN=Example Test CA,OU=Example Test,O=Example
maprule = (samAccountName={subject.short_name})

[certmap/adcs.test/aduser1_dne]
> matchrule = <SUBJECT>.*CN=userdoesnotexist.*
> EOF

[root@rhel7-9 test_ca]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

[root@rhel7-9 test_ca]# /tmp/dbus_test aduser1.crt
Did not match user with cert

[root@rhel7-9 test_ca]# # with only the one rule that had typo, default will find cert

[root@rhel7-9 test_ca]# # with extra rule that doesn't match, no user matched as expected

[root@rhel7-9 test_ca]# # PASS ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# cat > /etc/sssd/conf.d/certmap.conf <<EOF
> [certmap/adcs.test/aduser1]
> matchrule = <ISSUER>CN=Example Test CA,OU=Example Test,O=Example
> maprule = (altSecurityIdentities=X509:<I>{issuer_dn!ad_x500}<S>{subject_dn!ad_x500})
> EOF

[root@rhel7-9 test_ca]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

[root@rhel7-9 test_ca]# /tmp/dbus_test aduser1.crt
Matched the following user(s):
/org/freedesktop/sssd/infopipe/Users/adcs_2etest/1697601161
aduser2@adcs.test

[root@rhel7-9 test_ca]# # NOTE:  aduser2 is who matched this time because we're using altSecurityIdentities.  This was previously configured in AD with ldapmodify command

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# su - aduser2@adcs.test -c 'su - aduser2@adcs.test -c whoami'
PIN for My token 1
aduser2@adcs.test

[root@rhel7-9 test_ca]# # PASS ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

[root@rhel7-9 test_ca]# cat > /etc/sssd/conf.d/certmap.conf <<EOF
> [certmap/adcs.test/localuser1]
> matchrule = <ISSUER>CN=Example Test CA,OU=Example Test,O=Example
> EOF

[root@rhel7-9 test_ca]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

[root@rhel7-9 test_ca]# /tmp/dbus_test aduser1.crt
Matched the following user(s):
/org/freedesktop/sssd/infopipe/Users/adcs_2etest/1697601103
aduser1@adcs.test

[root@rhel7-9 test_ca]# CERTFILE=dsuser1.crt

[root@rhel7-9 test_ca]# USERCERT=$(cat ${CERTFILE}|sed '/CERT/d'|tr -d '\r\n')

[root@rhel7-9 test_ca]# AD_ISSUER='O=Example,OU=Example Test,CN=Example Test CA'

[root@rhel7-9 test_ca]# AD_SUBJECT='O=Example,OU=Example Test,CN=aduser1'


[root@rhel7-9 test_ca]# ldapmodify -x -D "$AD_ADMIN" -w Secret123 -h $AD_SERVER <<EOF
> dn: CN=ad user1,CN=Users,DC=adcs,DC=test
> changetype: modify
> add: userCertificate;binary
> userCertificate;binary::$USERCERT
> EOF
modifying entry "CN=ad user1,CN=Users,DC=adcs,DC=test"


[root@rhel7-9 test_ca]# # previous was a mis-cut-and-paste... it was for delete, not add

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

[root@rhel7-9 test_ca]# /tmp/dbus_test dsuser1.crt
Matched the following user(s):
/org/freedesktop/sssd/infopipe/Users/adcs_2etest/1697601103 /org/freedesktop/sssd/infopipe/Users/ldap_5ftest/1670071
aduser1@adcs.test
dsuser1


[root@rhel7-9 test_ca]# # See both ad and ds user found now

...

[root@rhel7-9 test_ca]# rm -rf /var/lib/sss/tokens

[root@rhel7-9 test_ca]# mkdir /var/lib/sss/tokens

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# export SOFTHSM2_CONF=/etc/sssd/conf.d/softhsm2_conf

[root@rhel7-9 test_ca]# softhsm2-util --init-token --slot 0 --label "My token 1" --pin redhat --so-pin redhat
The token has been initialized.

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# pushd $TEST_CA
/opt/test_ca /opt/test_ca /opt/test_ca /etc/sssd

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# NAME=dsuser1

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# pkcs11-tool --module libsofthsm2.so --slot-index 0 -w ${NAME}.key -y privkey \
>     --label ${NAME} -p redhat --set-id 0 -d 0
Using slot with index 0 (0x0)
Created private key:
Private Key Object; RSA 
  label:      dsuser1
  ID:         00
  Usage:      decrypt, sign, unwrap
Result:Private Key Object; RSA 
  label:      dsuser1
  ID:         00
  Usage:      decrypt, sign, unwrap

[root@rhel7-9 test_ca]# pkcs11-tool --module libsofthsm2.so --slot-index 0 -w ${NAME}.crt -y cert \
>         --label ${NAME} -p redhat --set-id 0 -d 0
Using slot with index 0 (0x0)
Created certificate:
Certificate Object; type = X.509 cert
  label:      dsuser1
  subject:    DN: O=Example, OU=Example Test, CN=dsuser1
  ID:         00
Result:Certificate Object; type = X.509 cert
  label:      dsuser1
  subject:    DN: O=Example, OU=Example Test, CN=dsuser1
  ID:         00

[root@rhel7-9 test_ca]# 

[root@rhel7-9 test_ca]# popd
/opt/test_ca /opt/test_ca /etc/sssd

[root@rhel7-9 test_ca]# cat /etc/sssd/conf.d/certmap.conf 
[certmap/adcs.test/localuser1]
matchrule = <ISSUER>CN=Example Test CA,OU=Example Test,O=Example

[root@rhel7-9 test_ca]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

[root@rhel7-9 test_ca]# /tmp/dbus_test dsuser1.crt
Matched the following user(s):
/org/freedesktop/sssd/infopipe/Users/adcs_2etest/1697601103 /org/freedesktop/sssd/infopipe/Users/ldap_5ftest/1670071
aduser1@adcs.test
dsuser1

[root@rhel7-9 test_ca]# su - dsuser1 -c 'su - dsuser1 -c whoami'
PIN for My token 1
dsuser1

[root@rhel7-9 test_ca]# su - aduser1@adcs.test -c 'su - aduser1@adcs.test -c whoami'
PIN for My token 1
aduser1@adcs.test

[root@rhel7-9 test_ca]# # PASS ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
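The rule evaluation exercised in the verification above (the `<SUBJECT>` and `<ISSUER>` match rules, the `!ad_x500` conversion that produces the X.500-ordered DNs AD stores in altSecurityIdentities, the `{subject_principal.short_name}` template, and the `{subject.short_name}` typo that sssd logged as "Invalid argument" and skipped) can be modelled in a few lines of Python. The following is an added illustration, not code from sssd or libsss_certmap and not part of the bug report or the verification run: it supports only the subset of sss-certmap(5) syntax used in the transcript, its DN splitting is naive (escaped commas are not handled), a rule without a matchrule is simply treated as matching (sss-certmap's real default is a key-usage check), and the certificate dictionary, the UPN aduser1@ADCS.TEST and the config text are constructed to mirror the test CA certificates on the page.

```python
"""Toy evaluator for sssd certificate matching and mapping rules.

Added illustration, not sssd's libsss_certmap: models only the subset of
sss-certmap(5) syntax exercised in the verification transcript."""
import configparser
import re

# Template names this evaluator knows (a subset of sss-certmap(5)). A maprule
# using any other name is skipped at load time, mirroring the
# "sss_certmap_add_rule failed ... Invalid argument, skipping" log line.
KNOWN_TEMPLATES = {"subject_dn", "issuer_dn", "subject_principal.short_name"}
# Placeholder for rules without their own maprule (provider default not modelled).
PROVIDER_DEFAULT = "<provider default maprule>"


def to_ad_x500(dn):
    """Reverse an RFC 4514 DN (CN first) into the X.500 order AD uses in
    altSecurityIdentities (O first). Naive: escaped commas are not handled."""
    return ",".join(reversed(dn.split(",")))


def load_rules(text):
    """Parse certmap.conf-style text. Returns (rules, skipped): rules whose
    maprule references an unknown template are left out and listed in skipped."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    rules, skipped = {}, []
    for section in cp.sections():
        parts = section.split("/")
        if len(parts) != 3 or parts[0] != "certmap":
            continue  # not a [certmap/<domain>/<name>] section
        _, domain, name = parts
        maprule = cp[section].get("maprule")
        templates = re.findall(r"\{([^}]*)\}", maprule or "")
        if any(t.partition("!")[0] not in KNOWN_TEMPLATES for t in templates):
            skipped.append(name)
            continue
        rules[name] = {"domain": domain,
                       "matchrule": cp[section].get("matchrule"),
                       "maprule": maprule}
    return rules, skipped


def match(matchrule, cert):
    """True if a <SUBJECT>regex or <ISSUER>regex rule matches the cert's DN."""
    m = re.fullmatch(r"<(SUBJECT|ISSUER)>(.*)", matchrule)
    if not m:
        raise ValueError(f"unsupported match rule: {matchrule}")
    field = "subject_dn" if m.group(1) == "SUBJECT" else "issuer_dn"
    return re.search(m.group(2), cert[field]) is not None


def expand_maprule(maprule, cert):
    """Substitute {template[!conversion]} placeholders with certificate data,
    producing the LDAP filter that would be sent to the identity provider."""
    def substitute(m):
        name, _, conversion = m.group(1).partition("!")
        if name == "subject_principal.short_name":
            value = cert["subject_principal"].split("@", 1)[0]
        else:
            value = cert[name]
        if conversion == "ad_x500":
            value = to_ad_x500(value)
        elif conversion:
            raise ValueError(f"unsupported conversion !{conversion}")
        return value
    return re.sub(r"\{([^}]*)\}", substitute, maprule)


def apply_rules(text, cert):
    """Evaluate every loaded rule against cert. Returns (results, skipped);
    results maps rule name to the expanded LDAP filter (or PROVIDER_DEFAULT)
    when the match rule fires, else None."""
    rules, skipped = load_rules(text)
    results = {}
    for name, rule in rules.items():
        # A missing matchrule is treated as matching (simplification).
        matched = rule["matchrule"] is None or match(rule["matchrule"], cert)
        if not matched:
            results[name] = None
        elif rule["maprule"]:
            results[name] = expand_maprule(rule["maprule"], cert)
        else:
            results[name] = PROVIDER_DEFAULT
    return results, skipped


# Constructed to mirror the test CA certificate for aduser1 on the page;
# the UPN in the SAN is an assumption, it is not shown in the transcript.
ADUSER1_CERT = {
    "subject_dn": "CN=aduser1,OU=Example Test,O=Example",
    "issuer_dn": "CN=Example Test CA,OU=Example Test,O=Example",
    "subject_principal": "aduser1@ADCS.TEST",
}

# Constructed config: the typo rule from the transcript, a non-matching
# SUBJECT rule, and the altSecurityIdentities mapping.
SAMPLE_CONF = """\
[certmap/adcs.test/aduser1]
matchrule = <ISSUER>CN=Example Test CA,OU=Example Test,O=Example
maprule = (samAccountName={subject.short_name})

[certmap/adcs.test/aduser1_dne]
matchrule = <SUBJECT>.*CN=userdoesnotexist.*

[certmap/adcs.test/aduser1_alt]
matchrule = <ISSUER>CN=Example Test CA,OU=Example Test,O=Example
maprule = (altSecurityIdentities=X509:<I>{issuer_dn!ad_x500}<S>{subject_dn!ad_x500})
"""

if __name__ == "__main__":
    results, skipped = apply_rules(SAMPLE_CONF, ADUSER1_CERT)
    print("skipped (invalid template):", skipped)
    for rule_name, ldap_filter in results.items():
        print(f"{rule_name}: {ldap_filter}")
```

Running it reports the typo rule as skipped, `aduser1_dne` as not matched, and expands `aduser1_alt` to the X.500-ordered issuer and subject strings, the same values Scott set in AD_ISSUER/AD_SUBJECT before the ldapmodify step. The practical check this models: when sssd logs "Please check for typos" for a rule, that rule is silently out of play and matching falls through to whatever other rules (or the provider default) remain, which is why the transcript adds a second, non-matching rule to confirm the typo rule really was dropped.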

Comment 47 errata-xmlrpc 2021-02-02 12:03:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:0341

