Hello,
I have users who kinit using their PIV (smartcard) certificates. Everything works great for users who happen to be "full" employees, but contractors' certificates never match.
"Full" employees have certificates issued by:
OU=DHS CA4,OU=Certification Authorities,OU=Department of Homeland Security,O=U.S. Government,C=US
Their certificates are issued to, for example:
CN=JOHN J SMITH+UID=0123456789.DHS HQ,OU=People,OU=DHS HQ,OU=Department of Homeland Security,O=U.S. Government,C=US
Contractors have certificates issued by:
OU=DHS CA4,OU=Certification Authorities,OU=Department of Homeland Security,O=U.S. Government,C=US
Their certificates are issued to, for example:
CN=MAX M MUSTERMANN (affiliate)+UID=0123456789.DHS HQ,OU=People,OU=DHS HQ,OU=Department of Homeland Security,O=U.S. Government,C=US
I have the usual certificate mapping rule:
(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})
I also have a simple matching rule:
<ISSUER>O=U.S. Government
I currently have the following four certificate mapping data entries for each user:
* X509:<I>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,CN=MAX M MUSTERMANN (affiliate)+UID=0123456789.DHS HQ
* X509:<I>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,CN=MAX M MUSTERMANN (affiliate),UID=0123456789.DHS HQ
* X509:<I>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,UID=0123456789.DHS HQ+CN=MAX M MUSTERMANN (affiliate)
* X509:<I>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,UID=0123456789.DHS HQ,CN=MAX M MUSTERMANN (affiliate)
Any thoughts as to why the contractors' certificates never match? I assume it has something to do with the "(affiliate)" that appears in their CN.
Thanks, Shane Frasier
On 7/14/20 11:29 PM, Shane Frasier via FreeIPA-users wrote:
Hi,
in order to troubleshoot, you can have a look at the LDAP server access logs (in /var/log/dirsrv/slapd-XXX/access) and find the search operation that is triggered by the mapping. It will be a SEARCH with a filter containing (ipacertmapdata=...).
Check that the filter is consistent with what you would expect and manually try an equivalent search to see if it returns the expected user entry (with ldapsearch -b $BASE "<filter from the logs>").
More troubleshooting info is also available in this blog: https://floblanc.wordpress.com/2017/06/02/troubleshooting-mapping-between-a-...
flo
Thanks, Shane Frasier
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Hi Flo,
Thanks for the quick response! I have been following your helpful instructions, but we are still baffled. Frankly, I am starting to doubt my sanity :)
I removed all certificate and certmap data from a contractor's user account, then ran sss_cache -E to clear the cache. After that I ran ipa certmap-match against his certificate. Somehow I still got a match with the correct user name (!), and I got the following output from /var/log/sssd/sssd_staging.cool.cyber.dhs.gov.log:
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sbus_method_handler] (0x2000): Received D-Bus method sssd.dataprovider.getAccountInfo on /sssd
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sbus_senders_lookup] (0x2000): Looking for identity of sender [sssd.ifp]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [dp_get_account_info_send] (0x0200): Got request for [0x14][BE_REQ_BY_CERT][cert=<base64_cert_data_redacted>]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [dp_attach_req] (0x0400): DP Request [Account #15631]: New request. Flags [0x0001].
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [dp_attach_req] (0x0400): Number of active DP request: 1
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sss_domain_get_state] (0x1000): Domain staging.cool.cyber.dhs.gov is Active
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sss_domain_get_state] (0x1000): Domain staging.cool.cyber.dhs.gov is Active
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_search_user_next_base] (0x0400): Searching for users with base [cn=accounts,dc=staging,dc=cool,dc=cyber,dc=dhs,dc=gov]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_print_server] (0x2000): Searching 10.128.0.4:389
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(ipacertmapdata=X509:<I>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,UID=0123456789.DHS HQ,CN=MAX M MUSTERMANN (affiliate))(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=staging,dc=cool,dc=cyber,dc=dhs,dc=gov].
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUserAuthType]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [mail]
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_generic_ext_step] (0x0080): ldap_search_ext failed: Bad search filter
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [generic_ext_search_handler] (0x0040): sdap_get_generic_ext_recv failed [1432158246]: Malformed search filter
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_get_users_done] (0x0040): Failed to retrieve users [1432158246][Malformed search filter].
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sdap_id_op_done] (0x4000): releasing operation connection
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [ipa_id_get_account_info_orig_done] (0x0040): sdap_handle_acct request failed: 1432158246
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [dp_req_done] (0x0400): DP Request [Account #15631]: Request handler finished [0]: Success
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [_dp_req_recv] (0x0400): DP Request [Account #15631]: Receiving request data.
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [dp_req_destructor] (0x0400): DP Request [Account #15631]: Request removed.
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [dp_req_destructor] (0x0400): Number of active DP request: 0
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [dp_req_reply_std] (0x1000): DP Request [Account #15631]: Returning [Internal Error]: 3,1432158246,Malformed search filter
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sbus_issue_request_done] (0x0400): sssd.dataprovider.getAccountInfo: Success
(2020-07-15 15:24:57): [be[staging.cool.cyber.dhs.gov]] [sbus_dispatch] (0x4000): Dispatching.
Are you able to explain what is going on here? I don't understand how the certificate is still matching if the user has no certificate or certmap data.
Thanks for your help, Shane
Shane Frasier via FreeIPA-users wrote:
I'll bet it's the parenthesis in the subject causing the bad search filter and failure to work.
rob
It is....try escaping them (.
David
-----Original Message-----
From: Rob Crittenden via FreeIPA-users freeipa-users@lists.fedorahosted.org
Sent: Wednesday, July 15, 2020 11:54 AM
To: FreeIPA users list freeipa-users@lists.fedorahosted.org
Cc: Sumit Bose sbose@redhat.com; Shane Frasier maverick@maverickdolphin.com; Rob Crittenden rcritten@redhat.com
Subject: [EXTERNAL] [Freeipa-users] Re: certmapdata issue
I'll bet it's the parenthesis in the subject causing the bad search filter and failure to work.
rob
I tried escaping the parentheses in the user certificate mapping data, but it still fails. Did you mean to escape the parentheses inside the actual certificate? Or something else?
I have also noticed that ipa certmap-match does not seem to care very much if I run sss_cache -E. Is there another cache that I should also be invalidating, perhaps a cache associated with DBUS?
Thanks, Shane
If I manually escape the parentheses surrounding "affiliate" as seen below, then the ldapsearch command finds the user:
ldapsearch -b "cn=accounts,dc=staging,dc=cool,dc=cyber,dc=dhs,dc=gov" "(&(ipaCertMapData=X509:<I>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,CN=MAX M MUSTERMANN (affiliate),UID=0123456789.DHS HQ)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))"
The problem is that FreeIPA is performing this query when it searches (the parentheses are not escaped):
ldapsearch -b "cn=accounts,dc=staging,dc=cool,dc=cyber,dc=dhs,dc=gov" "(&(ipaCertMapData=X509:<I>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,CN=MAX M MUSTERMANN (affiliate),UID=0123456789.DHS HQ)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))"
I don't know how to get FreeIPA to inject those escapes, and I have no control over the content of the certificates on the users' PIVs (smartcards). The smartcards are given to us by the DHS mothership :(
I hope this makes our issue a little clearer.
Shane
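As an added illustration of the escaping problem described in this post (example code written for this page, not SSSD's or FreeIPA's own implementation): RFC 4515 requires that `(`, `)`, `*`, `\` and NUL inside an LDAP filter assertion value be written as a backslash followed by two hex digits, so the "(affiliate)" part of the subject has to become `\28affiliate\29` before it is placed in the `ipaCertMapData` filter. The block below builds the same filter shape as the ldapsearch query in the thread, once unescaped and once escaped, and runs a small structural filter check that rejects the unescaped form for the same reason the server reports "Bad search filter". The issuer and subject strings are the sample values from the thread; the checker is a deliberately minimal parser of the RFC 4515 grammar, not a full implementation.

```python
"""RFC 4515 value escaping for an ipaCertMapData search filter.

Added example for this thread; not code from SSSD or FreeIPA.
The DN strings are the sample values quoted in the thread.
"""

# Constructed sample values (taken from the thread's example certificate).
BASE_ISSUER = ("C=US,O=U.S. Government,OU=Department of Homeland Security,"
               "OU=Certification Authorities,OU=DHS CA4")
AFFILIATE_SUBJECT = ("C=US,O=U.S. Government,OU=Department of Homeland Security,"
                     "OU=DHS HQ,OU=People,CN=MAX M MUSTERMANN (affiliate),"
                     "UID=0123456789.DHS HQ")

# RFC 4515 section 3: these characters are filter syntax and must be
# hex-escaped when they occur inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_HEX = set("0123456789abcdefABCDEF")


def escape_filter_value(value: str) -> str:
    """Return VALUE with RFC 4515 special characters hex-escaped."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def certmap_filter(issuer: str, subject: str, escape: bool = True) -> str:
    """Build the user lookup filter in the shape shown in the thread.

    With escape=False the raw DN goes in verbatim, which is what produced
    the "Malformed search filter" error in the SSSD log.
    """
    value = f"X509:<I>{issuer}<S>{subject}"
    if escape:
        value = escape_filter_value(value)
    return (f"(&(ipaCertMapData={value})(objectClass=posixAccount)(uid=*)"
            "(&(uidNumber=*)(!(uidNumber=0))))")


def _parse_filter(s: str, i: int) -> int:
    """Parse one '(' filtercomp ')' starting at S[I]; return the index after it.

    Minimal RFC 4515 grammar: and/or lists, not, and simple items whose
    value may not contain a raw '(' or ')' and whose backslashes must be
    followed by exactly two hex digits. Raises ValueError on any violation.
    """
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if i >= len(s):
        raise ValueError("unexpected end of filter")
    if s[i] in "&|":
        i += 1
        if i >= len(s) or s[i] != "(":
            raise ValueError(f"filter list needs at least one filter at {i}")
        while i < len(s) and s[i] == "(":
            i = _parse_filter(s, i)
    elif s[i] == "!":
        i = _parse_filter(s, i + 1)
    else:
        start = i
        while i < len(s) and s[i] not in "()":
            if s[i] == "\\":
                pair = s[i + 1:i + 3]
                if len(pair) != 2 or not set(pair) <= _HEX:
                    raise ValueError(f"bad escape sequence at {i}")
                i += 3
            else:
                i += 1
        if "=" not in s[start:i]:
            raise ValueError(f"item without '=' at {start}")
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at {i}")
    return i + 1


def filter_is_well_formed(flt: str) -> bool:
    """True if FLT parses as a single RFC 4515 filter with nothing left over."""
    try:
        return _parse_filter(flt, 0) == len(flt)
    except ValueError:
        return False


if __name__ == "__main__":
    for escape in (False, True):
        flt = certmap_filter(BASE_ISSUER, AFFILIATE_SUBJECT, escape=escape)
        state = "well-formed" if filter_is_well_formed(flt) else "MALFORMED"
        print(f"escape={escape!s:5} -> {state}")
        print("   ", flt)
```

Running the block prints the unescaped filter as malformed and the escaped one as well-formed; the escaped subject ends in `CN=MAX M MUSTERMANN \28affiliate\29,UID=0123456789.DHS HQ`. The same check is a cheap way to validate any filter your own tooling assembles from certificate fields before it reaches the directory.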
Shane Frasier via FreeIPA-users wrote:
SSSD is what is making that query. They sometimes read this list but you may want to bring it up on their list as well to be sure they see it. Or ideally open a bug.
rob
Thanks for the suggestion Rob! I posted to the sssd-users mailing list and they responded. Turns out this is a known issue with an existing PR to fix it:
* https://github.com/SSSD/sssd/issues/5135
* https://github.com/SSSD/sssd/pull/1036
I will have to configure FreeIPA to match against full certificates for now, and revert to using certmap data once that PR is merged.
Posting here just to close the loop, in case anyone else gets bitten by this bug and stumbles upon this exchange.
Thanks again to everyone for all the assistance!
Shane
Also, to be clear, I should mention that the certmap data is used in two different ways:
1. We perform an ipa certmap-match command from our VPN server to confirm that the client's certificate is valid
2. The certmap data is used by pkinit when the users kinit using their PIV (smartcard) credentials