Hello,
I am using FreeIPA and I have users who authenticate into our environment using their PIV (smartcard) certificates. Everything works great for users who happen to be "full" employees, but contractors' certificates never match. They authenticate in two ways:
* Via a call to ipa certmap-match for VPN access.
* Via kinit.
"Full" employees have certificates issues by:
OU=DHS CA4,OU=Certification Authorities,OU=Department of Homeland Security,O=U.S. Government,C=US
Their certificates are issued to, for example:
CN=JOHN J SMITH+UID=0123456789.DHS HQ,OU=People,OU=DHS HQ,OU=Department of Homeland Security,O=U.S. Government,C=US
Contractors have certificates issued by:
OU=DHS CA4,OU=Certification Authorities,OU=Department of Homeland Security,O=U.S. Government,C=US
Their certificates are issued to, for example:
CN=MAX M MUSTERMANN (affiliate)+UID=0123456789.DHS HQ,OU=People,OU=DHS HQ,OU=Department of Homeland Security,O=U.S. Government,C=US
Note the "(affiliate)" that appears in the contractors' certificates.
I have the usual certificate mapping rule:
(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})
I also have a simple matching rule:
<ISSUER>O=U.S. Government
I currently have the following four certificate mapping data entries for each user:
* X509:<I>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,CN=MAX M MUSTERMANN (affiliate)+UID=0123456789.DHS HQ
* X509:<I>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,CN=MAX M MUSTERMANN (affiliate),UID=0123456789.DHS HQ
* X509:<I>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,UID=0123456789.DHS HQ+CN=MAX M MUSTERMANN (affiliate)
* X509:<I>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,UID=0123456789.DHS HQ,CN=MAX M MUSTERMANN (affiliate)
After doIng some digging, it looks like sssd is performing this LDAP query:
ldapsearch -b "cn=accounts,dc=staging,dc=cool,dc=cyber,dc=dhs,dc=gov" "(&(ipaCertMapData=X509:<I>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,CN=MAX M MUSTERMANN (affiliate),UID=0123456789.DHS HQ)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))"
This query always fails. I believe this is because of the parentheses in the subject name because if I manually escape the parentheses surrounding "affiliate" as seen below, then the ldapsearch command finds the user:
ldapsearch -b "cn=accounts,dc=staging,dc=cool,dc=cyber,dc=dhs,dc=gov" "(&(ipaCertMapData=X509:<I>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,CN=MAX M MUSTERMANN \(affiliate\),UID=0123456789.DHS HQ)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))"
I brought up this issue in the FreeIPA Users mailing list, and they recommended that I post it here too since sssd is what is actually generating these LDAP queries. How do I get FreeIPA/sssd to inject those escapes into the LDAP query?
Thank you,
Shane
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org