Hi Rob,

The CSR is generated within the web UI by following this section "Web UI: Requesting new certificates" ( https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/certificates )

I am looking to perform an authenticated ldapsearch using certificate-based authentication so I don't have to pass the username and password on the command line when searching against cn=groups,cn=accounts. It looks like only an authenticated ldapsearch will yield memberOf info (usernames that belong to the group), but an anonymous ldapsearch will only yield group container info without memberOf UIDs.

This document ( https://access.redhat.com/documentation/en-us/red_hat_directory_server/12/html/securing_red_hat_directory_server/assembly_configuring-certificate-based-authentication_securing-rhds ) says we need to have an .ldaprc which includes the user's private key, therefore my original question.

LDAPTLS_CACERT=/home/user_name/CA.crt
LDAPTLS_KEY=/home/user_name/user.key
LDAPTLS_CERT=/home/user_name/user.der

Will my certificate-based ldapsearch work without user.key defined?

So far I haven't been able to perform the ldapsearch because I am getting:

ldap_start_tls: Can't contact LDAP server (-1) additional info: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain).

Any pointers will be greatly appreciated!


--Tony


On Tue, Oct 17, 2023 at 4:58 AM Rob Crittenden <rcritten@redhat.com> wrote:
HUANG, TONY via FreeIPA-users wrote:
> Hi,
>
> I am trying to achieve user authentication against IdM using user's
> certificate. User certificate is requested to the built-in CA within IdM
> and signed by it.
>
> I am able to download the user's public cert via the web UI, but how can
> I download the private key so I can define it in user's .ldaprc file?

IPA never has access to a user's private key. A key is generated by a
user (e.g. openssl genrsa) and a CSR (Certificate Signing Request) using
that (openssl req). So the user should already possess the private key.

This is assuming the user used openssl to generate the key. With NSS the
private key would be in whatever database was used to create the CSR.

rob
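As an added example (not part of this thread or of FreeIPA): generating the key and CSR locally the way Rob describes, so user.key is already on the user's machine, and then reproducing the chain check behind the "certificate verify failed" error with a constructed stand-in CA. All paths, subject names and the ldapsearch invocation in the final comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Mirrors Rob's description: the user
# generates the private key and CSR locally, submits only the CSR to IPA, and
# keeps user.key for .ldaprc. Then it reproduces the "certificate verify failed"
# check with a constructed CA, to show which file LDAPTLS_CACERT must point at.
# Paths, subject names and the example ldapsearch invocation are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Step 1: key and CSR on the user's machine (openssl genrsa / openssl req).
# The CSR carries only the public key; user.key never leaves this host.
make_key_and_csr() {
  openssl genrsa -out "$WORK/user.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/user.key" -subj "/CN=tony" \
    -out "$WORK/user.csr" 2>/dev/null
  # Sanity check: the CSR's self-signature verifies with the key it embeds.
  openssl req -in "$WORK/user.csr" -noout -verify >/dev/null 2>&1
}

# Step 2: a constructed stand-in for the IPA CA and the LDAP server cert it
# issued. In a real deployment this is the CA chain the IPA server presents.
make_constructed_ca_and_server_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/CA.crt" -subj "/CN=Constructed IPA CA" -days 1 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
    -out "$WORK/server.csr" -subj "/CN=ipa.example.test" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/CA.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.crt" \
    -days 1 2>/dev/null
  # An unrelated self-signed cert: trusting this instead of CA.crt yields
  # the same "self signed certificate in certificate chain" failure.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/other.key" \
    -out "$WORK/other.crt" -subj "/CN=Unrelated CA" -days 1 2>/dev/null
}

# Same check ldapsearch performs on STARTTLS: does the server cert chain to
# the file given as LDAPTLS_CACERT? Returns 0 on success, 1 otherwise.
chain_verifies() {
  openssl verify -CAfile "$1" "$WORK/server.crt" >/dev/null 2>&1
}

# With the right CA file, the search can use the user cert and key over TLS
# (SASL EXTERNAL maps the cert to the IPA user); assumed invocation:
#   LDAPTLS_CACERT=$WORK/CA.crt LDAPTLS_CERT=user.crt LDAPTLS_KEY=user.key \
#     ldapsearch -ZZ -Y EXTERNAL -H ldap://ipa.example.test \
#     -b cn=groups,cn=accounts,dc=example,dc=test
```

The point of the chain check is that the error in the thread comes from the CA file, not from a missing user.key: LDAPTLS_CACERT must name the CA that actually issued the server's certificate.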