On Wed, Jul 15, 2020 at 11:47 PM Shane Frasier <maverick(a)maverickdolphin.com>
wrote:
Hello,
I am using FreeIPA and I have users who authenticate into our environment
using their PIV (smartcard) certificates. Everything works great for users
who happen to be "full" employees, but contractors' certificates never
match. They authenticate in two ways:
* Via a call to ipa certmap-match for VPN access.
* Via kinit.
"Full" employees have certificates issued by:
OU=DHS CA4,OU=Certification Authorities,OU=Department of Homeland Security,O=U.S. Government,C=US
Their certificates are issued to, for example:
CN=JOHN J SMITH+UID=0123456789.DHS HQ,OU=People,OU=DHS HQ,OU=Department of Homeland Security,O=U.S. Government,C=US
Contractors have certificates issued by:
OU=DHS CA4,OU=Certification Authorities,OU=Department of Homeland Security,O=U.S. Government,C=US
Their certificates are issued to, for example:
CN=MAX M MUSTERMANN (affiliate)+UID=0123456789.DHS HQ,OU=People,OU=DHS HQ,OU=Department of Homeland Security,O=U.S. Government,C=US
Note the "(affiliate)" that appears in the contractors' certificates.
I have the usual certificate mapping rule:
(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})
I also have a simple matching rule:
<ISSUER>O=U.S. Government
I currently have the following four certificate mapping data entries for each user:
* X509:<I>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,CN=MAX M MUSTERMANN (affiliate)+UID=0123456789.DHS HQ
* X509:<I>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,CN=MAX M MUSTERMANN (affiliate),UID=0123456789.DHS HQ
* X509:<I>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,UID=0123456789.DHS HQ+CN=MAX M MUSTERMANN (affiliate)
* X509:<I>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,UID=0123456789.DHS HQ,CN=MAX M MUSTERMANN (affiliate)
After doing some digging, it looks like sssd is performing this LDAP query:
ldapsearch -b "cn=accounts,dc=staging,dc=cool,dc=cyber,dc=dhs,dc=gov" \
  "(&(ipaCertMapData=X509:<I>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,CN=MAX M MUSTERMANN (affiliate),UID=0123456789.DHS HQ)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))"
This query always fails. I believe this is because of the parentheses in
the subject name because if I manually escape the parentheses surrounding
"affiliate" as seen below, then the ldapsearch command finds the user:
ldapsearch -b "cn=accounts,dc=staging,dc=cool,dc=cyber,dc=dhs,dc=gov" \
  "(&(ipaCertMapData=X509:<I>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,CN=MAX M MUSTERMANN \(affiliate\),UID=0123456789.DHS HQ)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))"
I brought up this issue in the FreeIPA Users mailing list, and they
recommended that I post it here too since sssd is what is actually
generating these LDAP queries. How do I get FreeIPA/sssd to inject those
escapes into the LDAP query?
This is a known issue:
https://github.com/SSSD/sssd/issues/5135
There is an upstream PR to fix this:
https://github.com/SSSD/sssd/pull/1036
Thank you,
Shane
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...