Hi Freeipa-users,
Is it possible to create a binddn account in cn=sysaccounts and attach certs to the account so it can be used in scripts to bind using external bind with certs?
I know how to create my sysaccount and I found https://www.freeipa.org/page/V4/User_Certificates which provides instructions on attaching certificates to user accounts, but I'm not sure how this relates to attaching certs to sysaccounts.
Many Thanks, Tania
Tania Hagan via FreeIPA-users wrote:
Hi Freeipa-users,
Is it possible to create a binddn account in cn=sysaccounts and attach certs to the account so it can be used in scripts to bind using external bind with certs?
I know how to create my sysaccount and I found https://www.freeipa.org/page/V4/User_Certificates which provides instructions on attaching certificates to user accounts, but I'm not sure how this relates to attaching certs to sysaccounts.
I'm not sure anyone has ever tried so you'll be in unknown waters.
What is it you want to bind to with this certificate and do what operations? What CA will issue the certificate?
rob
Hi Rob,
As a company we turn off anonymous bind for security reasons, but have a number of sysaccounts that are used in scripts to bind as that bind user and complete an ldapsearch (e.g. get list of users, get monitoring metrics). We also have systems such as Phabricator that require a sysaccount to connect to FreeIPA for user login.
At the moment the searches and binds are completed using user and password, but we'd like to move away from having to store the password anywhere and instead use certificates, ideally provided by the FreeIPA server.
Hope this makes more sense.
Thanks, Tania
Tania Hagan via FreeIPA-users wrote:
Hi Rob,
As a company we turn off anonymous bind for security reasons, but have a number of sysaccounts that are used in scripts to bind as that bind user and complete an ldapsearch (e.g. get list of users, get monitoring metrics). We also have systems such as Phabricator that require a sysaccount to connect to FreeIPA for user login.
At the moment the searches and binds are completed using user and password, but we'd like to move away from having to store the password anywhere and instead use certificates, ideally provided by the FreeIPA server.
Hope this makes more sense.
It does, thanks.
I think all the capabilities are there but you'd have to figure out how to put all the pieces together. This isn't something we're working on.
IPA can issue user certificates but you'd need to create a certificate profile for it. There is some relevant discussion at https://frasertweedale.github.io/blog-redhat/posts/2015-08-06-freeipa-custom... . Note that this creates a signing cert and not a user cert, so you'd have to tweak other things, but it goes over the basics. The same blog may have additional pointers but this is the main one I found.
We did some design work about user certificates but never implemented it all. Read this with that in mind as not everything was implemented, https://www.freeipa.org/page/V4/User_Certificates . I can see my own fingerprints on it, particularly with my common typos, but I honestly pushed all of this out of my brain long ago.
As mentioned earlier, you'd need to manually add a new objectclass to your sysaccount user and also set a uid for certificate matching.
And you'd be on the hook for managing renewal of the user certificate(s).
The final step is related to certificate mapping which maps a cert subject to an entry (not to be confused with SSSD certificate mapping). This is managed by /etc/dirsrv/slapd-EXAMPLE-TEST/certmap.conf. I believe that the out-of-the-box configuration should work fine if the sysaccount user has a uid that matches the uid in the cert subject.
rob
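The steps Rob lists above (add an objectclass that allows a certificate on the sysaccount entry, make sure the entry's uid matches the uid in the certificate subject, then bind with SASL EXTERNAL over TLS so the DS certmap lookup finds the entry) as one worked example. This is added here and is not code from the thread or from the FreeIPA project. Everything specific in it is an assumption: the auxiliary objectclass `pkiUser` (389-ds core schema, allows `userCertificate`; the thread does not name which objectclass to use), the base DN `dc=example,dc=test`, the sysaccount uid `svc-monitor`, the server name and the certificate and key file paths. The `subject_uid` check is a local sanity test of Rob's matching rule before any bind is attempted; it does not replace the server-side certmap.conf mapping.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the FreeIPA project.
# Assumed (not from the page): objectclass pkiUser, base DN, uid, server,
# and the cert/key/CA file paths below.

BASE_DN="dc=example,dc=test"
SYSACCOUNT_UID="svc-monitor"
SYSACCOUNT_DN="uid=${SYSACCOUNT_UID},cn=sysaccounts,cn=etc,${BASE_DN}"
IPA_SERVER="ipa.example.test"
CLIENT_CERT="/etc/pki/svc-monitor/cert.pem"   # assumed path, PEM
CLIENT_KEY="/etc/pki/svc-monitor/key.pem"     # assumed path, PEM
CLIENT_CERT_DER="/etc/pki/svc-monitor/cert.der" # assumed path, DER for LDIF
IPA_CA_CERT="/etc/ipa/ca.crt"                 # assumed client-side CA path

# Emit the LDIF that adds a certificate-capable auxiliary objectclass and
# the DER certificate to an existing sysaccount.  $1 = path to DER cert.
# The "attr:< file://" form makes ldapmodify read the binary value itself.
make_cert_ldif() {
    cert_der="$1"
    printf '%s\n' \
        "dn: ${SYSACCOUNT_DN}" \
        "changetype: modify" \
        "add: objectClass" \
        "objectClass: pkiUser" \
        "-" \
        "add: userCertificate;binary" \
        "userCertificate;binary:< file://${cert_der}" \
        "-"
}

# Pull the uid value out of a subject line as printed by
# 'openssl x509 -noout -subject -nameopt RFC2253' (case-insensitive).
# Prints nothing when the subject carries no uid component.
subject_uid() {
    printf ',%s\n' "$1" \
      | sed 's/^,subject= *//; s/^/,/' \
      | tr 'A-Z' 'a-z' \
      | sed -n 's/.*,uid=\([^,]*\).*/\1/p'
}

# Rob's matching rule: the subject uid must equal the entry's uid, or the
# DS certmap lookup will not map the cert to this sysaccount.  $1 = subject.
cert_matches_sysaccount() {
    [ -n "$1" ] && [ "$(subject_uid "$1")" = "$SYSACCOUNT_UID" ]
}

# Apply the LDIF as an admin bind (only step that still needs a password).
attach_cert() {
    make_cert_ldif "$CLIENT_CERT_DER" \
      | ldapmodify -H "ldaps://${IPA_SERVER}" -D "cn=Directory Manager" -W
}

# Bind as the sysaccount with the client certificate (SASL EXTERNAL over
# ldaps) and run the kind of search the scripts in the thread perform.
# LDAPTLS_* are the standard OpenLDAP client environment variables.
search_as_sysaccount() {
    LDAPTLS_CACERT="$IPA_CA_CERT" \
    LDAPTLS_CERT="$CLIENT_CERT" \
    LDAPTLS_KEY="$CLIENT_KEY" \
    ldapsearch -H "ldaps://${IPA_SERVER}" -Y EXTERNAL \
        -b "cn=users,cn=accounts,${BASE_DN}" "(objectClass=person)" uid
}

case "${1:-}" in
    apply)
        subject="$(openssl x509 -in "$CLIENT_CERT" -noout -subject -nameopt RFC2253)"
        cert_matches_sysaccount "$subject" \
          || { echo "subject uid does not match ${SYSACCOUNT_UID}: ${subject}" >&2; exit 1; }
        attach_cert
        ;;
    search)
        search_as_sysaccount
        ;;
esac
```

Run it as `sh script.sh apply` once to attach the certificate (prompts for the admin password), then `sh script.sh search` from the scripts that used to bind with a stored password. If the search binds anonymously or fails, the first thing to check is the subject uid against the entry uid, which is what `cert_matches_sysaccount` tests offline.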
freeipa-users@lists.fedorahosted.org