Hello,
I forgot to mention the LDAP implementation I am using - it is OUD (Oracle Unified
Directory). Object class "strongAuthenticationUser" was added to the users for
PKI based authentication. The mandatory attribute od this object class is
"userCertificate" or "userCertificate;binary" in which I would store
the value of the public key or the certificate.
Case 1. I stored the certificate in the userCertificate;binary LDAP attribute as this was
the default configuration
Case 2. I also tried to store the certificate as a value of the LDAP attribute
userCertificate and changed "ldap_user_certificate" to
"userCertificate" in SSSD configuration (commented in the SSSD configuration
bellow)
Both of the cases resulted in password based authentication, instead of PKI based
authentication.
Also in the log I saw that SSSD mapped userCertificate(;binary) value to userCertificate
parameter of the entry but I didn't see a derived public key in the logs.
I am using x509 base64 encoded value od the certificate (also I tried with pkcs#7 but the
result was the same)
# SSSD configuration at this moment: I am using only public key stored as a value of the
attribute "userCertificate" for authentication of the user which works fine -
but this way, there is no certificate shown to SSSD client, hence - no certificate
validation/verification mechanisms can be used (correct me if I am wrong)
[sssd]
config_file_version = 2
domains = LDAP
services = nss, pam, autofs, ssh
reconnection_retries = 3
[nss]
reconnection_retries = 3
debug_level = 2
filter_users = root, oracle
filter_groups = root
[pam]
reconnection_retries = 3
debug_level = 2
[domain/LDAP]
id_provider = ldap
access_provider = ldap
chpass_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldaps://<OUD_instance>:<LDAPs_port>
ldap_default_bind_dn = <directory_manager>
ldap_default_authtok = <password>
ldap_default_authtok_type = password
ldap_search_base = <suffix>
ldap_user_search_base = <users_branch,suffix>
ldap_group_search_base = <groups_branch,suffix>
ldap_access_filter = isMemberOf=<access_filter_group>
cache_credentials = true
enumerate = false
debug_level = 9
ldap_id_use_start_tls = false
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/sssd/cacerts/<CA_cert.pem>
ldap_tls_cacertdir = /etc/sssd/cacerts
ldap_user_name = employeeNumber
ldap_user_ssh_public_key = userCertificate
#ldap_user_certificate = userCertificate
# LDAP entry at this moment (only with public key value stored in
"userCertificate" attribute)
dn: uid=32000000001,<users_branch,suffix>
givenName: testUser7
objectClass: strongAuthenticationUser
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: top
uid: 32000000001
cn: 32000000001
sn: test
loginShell: /bin/bash
userPassword: {SSHA512}0QAWd8NQNpN5bVS/sS0CDjHzctpy54X/JflWRSzIk/zpgSEgm5IE003RX
v35iEyt2LfqaXd5HGAwYrCaRbM7ylrg0syFXrLU
homeDirectory: /ssh_users/32000000001
ou: <directoy_manager>
uidNumber: 1234567890
userCertificate: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCPZF7auTI3Tj/urnpX7YbG3jh
Qq4z0HcqW8JA4CKGrNOeBSbyh4H1/WqVR72zKzSu/2rRTG3679YMWy6hZBz7Of7tnQ6OBlmZmAxyFkk
UU1ZVRKFRyVWBzmT8YqOjetdaYEr4f9cjOV22EStPJCheZmyyMRMOtlTA32dQ7rWBLcjpkLFQZhInbn
H5JUEEuiVTKXZ5xDRzpLCVNx/VFyLxHgPjfv0mWOGp3tVCBRYnmW/82pOcvYGQtSJbsL9LyIsuJWVNz
JWQa2v4grNf3OCuWO6wIiPaJcnYNtvRtNHCtexPicJ7iaCmgjxgWsUKCyaVIFNn+STgR81zl59lrmfD
D
gidNumber: 9999
employeeNumber: <employee_number>
When using certificate only or certificate and public key stored in the LDAP entry, the
value of the certificate stored in the userCertificate;binary attribute is:
MIIGMTCCBBmgAwIBAgIUfYWZ212wMteK0jjnnXd6dqlqkIkwDQYJKoZIhvcNAQELBQAwLTELMAkGA1UEBhMCS1oxHjAcBgNVBAMMFdKw0JrQniAzLjAgKFJTQSBURVNUKTAeFw0xOTA0MDQwODU0NTRaFw0yMTA0MDMwODU0NTRaMIGvMSIwIAYDVQQDDBnQotCV0KHQotCi0J7QkiDQotCV0KHQotCiMRcwFQYDVQQEDA7QotCV0KHQotCi0J7QkjEYMBYGA1UEBRMPSUlOMTIzNDU2Nzg5MDEyMQswCQYDVQQGEwJLWjEVMBMGA1UEBwwM0JDQodCi0JDQndCQMRUwEwYDVQQIDAzQkNCh0KLQkNCd0JAxGzAZBgNVBCoMEtCi0JXQodCi0KLQntCS0JjQpzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAI9kXtq5MjdOP+6uelfthsbeOFCrjPQdypbwkDgIoas054FJvKHgfX9apVHvbMrNK7/atFMbfrv1gxbLqFkHPs5/u2dDo4GWZmYDHIWSRRTVlVEoVHJVYHOZPxio6N611pgSvh/1yM5XbYRK08kKF5mbLIxEw62VMDfZ1DutYEtyOmQsVBmEiducfklQQS6JVMpdnnENHOksJU3H9UXIvEeA+N+/SZY4ane1UIFFieZb/zak5y9gZC1Iluwv0vIiy4lZU3MlZBra/iCs1/c4K5Y7rAiI9olydg229G00cK17E+JwnuJoKaCPGBaxQoLJpUgU2f5JOBHzXOXn2WuZ8MMCAwEAAaOCAcQwggHAMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKoMOAwMEAQEwHwYDVR0jBBgwFoAUpowWM3y46DVnBj5eQVdVoq80UGgwHQYDVR0OBBYEFLoJ735qnU1Q4y8AEtPdJI2lqQVfMF4GA1UdIARXMFUwUwYHKoMOAwMCBDBIMCEGCC
sGAQUFBwIBFhVodHRwOi8vcGtpLmdvdi5rei9jcHMwIwYIKwYBBQUHAgIwFwwVaHR0cDovL3BraS5nb3Yua3ovY3BzMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly90ZXN0LnBraS5nb3Yua3ovY3JsL25jYV9yc2FfdGVzdC5jcmwwPgYDVR0uBDcwNTAzoDGgL4YtaHR0cDovL3Rlc3QucGtpLmdvdi5rei9jcmwvbmNhX2RfcnNhX3Rlc3QuY3JsMHEGCCsGAQUFBwEBBGUwYzA4BggrBgEFBQcwAoYsaHR0cDovL3Rlc3QucGtpLmdvdi5rei9jZXJ0L25jYV9yc2FfdGVzdC5jZXIwJwYIKwYBBQUHMAGGG2h0dHA6Ly90ZXN0LnBraS5nb3Yua3ovb2NzcDANBgkqhkiG9w0BAQsFAAOCAgEACnYpytjbyuV3sRojnlyxEC7HG7BgcDDy6rS/kfOtK6X5+MGCT/zvwksZOumN5Jg5TPdJuKt3ebKJGIBVr474mHFk7Nq0F8WxuAWNffjoL0Lvcuon4Zwq/W8h4t6PYutD4NEauIPEa8X8BGPgMn+YqOc3sfEruXh8rmcSJ/zuT7uw1wD6ZQlNsniioengKIgapDVDHuzoV/r//rEANwIpntAyjXFh+fjx+CDCx2sLxYjlVgyxNzT53mD6ZqsMlg6NrajJe/GvS0A38jKNyxW/DPX06NToWP/hu7M4P2/WiskjKVgOxqQcc4yzTfKV41DmEmGGC7sT1r3YeZ4dH/KQRpjowBOSKmUZq4/XR0yXXhpTDtiiRwXkQgM1p4SKE19bBqGuc76lDgmffPPPj4B+3HZqaprIIDG3YA3/W4rwUoWBQPGGCXpOBvGEQptEHItx4YiEZTQuvdCtlW585kUyol39sKv2uIo/FgycBd8NufOInGCLUgpZec4zVLZN9Shj+M20BMUh+SiGoL/kJAi2XdM922U3po9a2FbULvJfOlsFY2Z
6n+TUZZVXBCUIEE6Ek4tTIGjHWj7uQVGLjw0PcHf11CtrMZO7Y+OTBb/Y0oyUY9JOyzSqhj4rt4nNkzR1vMGVYMNISoXbDgYBaAKuv2oSpG6yQdlufS8M/YWxAWw=
Thank you!
BR,
Hristina