#2742 When certificate is added via user-add-cert, it cannot be looked up via org.freedesktop.sssd.infopipe.Users.FindByCertificate
Closed: Fixed. Opened 5 years ago by adelton.

I need to assign custom certificate to users.

So I do

# ipa user-add-cert --certificate="$(base64 client.der)" david


# ipa user-find --all --raw david | grep userCertificate

shows the certificate is there

userCertificate;binary: MIICrzCCAZeg[... truncated ...]EeI5/ug==

Yet when I do

# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByCertificate string:"$( openssl x509 < client.crt )"

I get

Error org.freedesktop.sssd.Error.NotFound: User not found

This is with ipa-server-4.2.0-3.el7.x86_64 and sssd-1.13.0-7.el7.x86_64.

Things work when I add the certificate using ldapmodify with

changetype: modify
add: usercertificate
usercertificate:< file:client.der

The difference is that the attribute is userCertificate, not userCertificate;binary.

You should be able to fix this by setting "ldap_user_certificate" to "userCertificate;binary" in the domain section in sssd.conf.

The "userCertificate;binary" name is required by related internet standards (see https://tools.ietf.org/html/rfc4523#section-4.1 or https://tools.ietf.org/html/draft-ietf-pkix-ldap-schema-02#section-3.1), so it should be the default value for "ldap_user_certificate", or SSSD could include attribute subtype matches from LDAP search results, so that "userCertificate;binary" values are included when searching for "userCertificate".
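The two fixes discussed in this ticket (pointing ldap_user_certificate at userCertificate;binary, versus having SSSD treat attribute subtypes as matches) behave differently against a directory that holds certificates under both attribute descriptions. The following is an added Python example, not SSSD or FreeIPA code: it parses attribute descriptions the way RFC 4512 section 2.5 defines them (type plus ";"-separated options, so userCertificate;binary is a subtype of userCertificate), converts the PEM that `openssl x509` prints into DER, and runs a FindByCertificate-style lookup over constructed search results. The DNs, the two entries and the certificate byte strings are placeholders made up for the example; the bytes are not real DER certificates, they only need to compare equal.

```python
"""Attribute-subtype-aware certificate lookup over LDAP search results.

Added example, not SSSD or FreeIPA code.  ENTRIES below stands in for an
LDAP search result, and the certificate values are constructed placeholder
bytes rather than real DER-encoded certificates.
"""
import base64
import re


def split_attribute_description(desc):
    """Split an RFC 4512 attribute description into (type, options).

    "userCertificate;binary" -> ("usercertificate", {"binary"}).  Both parts
    are lower-cased because attribute descriptions are case-insensitive.
    """
    parts = desc.split(";")
    return parts[0].lower(), frozenset(p.lower() for p in parts[1:] if p)


def attribute_matches(requested, actual):
    """True if ``actual`` equals ``requested`` or is one of its subtypes.

    Per RFC 4512 2.5 a description carrying options ("userCertificate;binary")
    is a subtype of the same type without them ("userCertificate"), so a lookup
    on userCertificate should also see userCertificate;binary values.  The
    reverse is not true: asking for ";binary" must not match plain values.
    """
    req_type, req_opts = split_attribute_description(requested)
    act_type, act_opts = split_attribute_description(actual)
    return req_type == act_type and req_opts <= act_opts


def pem_to_der(pem):
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem, re.S)
    if not m:
        raise ValueError("not a PEM certificate")
    return base64.b64decode("".join(m.group(1).split()))


def to_pem(der):
    """Wrap DER bytes as PEM, 64 characters per line like openssl does."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def certificate_values(entry, attr="userCertificate", subtype_aware=True):
    """Collect the values stored under ``attr`` in one entry.

    ``entry`` maps attribute descriptions to lists of bytes.  With
    subtype_aware=False only an exact (case-insensitive) name match counts,
    which is how a fixed ldap_user_certificate setting behaves.
    """
    values = []
    for desc, vals in entry.items():
        if subtype_aware:
            hit = attribute_matches(attr, desc)
        else:
            hit = desc.lower() == attr.lower()
        if hit:
            values.extend(vals)
    return values


def find_by_certificate(entries, pem, attr="userCertificate", subtype_aware=True):
    """Return the DN whose ``attr`` holds the certificate given as PEM, else None."""
    der = pem_to_der(pem)
    for dn, entry in entries.items():
        if der in certificate_values(entry, attr, subtype_aware):
            return dn
    return None


# Constructed placeholders: not real certificates, just distinct byte strings.
DAVID_DER = b"constructed-placeholder-certificate-for-david"
ALICE_DER = b"constructed-placeholder-certificate-for-alice"

# Constructed search result.  david's value was stored the way
# `ipa user-add-cert` stores it (userCertificate;binary); alice's the way the
# ldapmodify workaround stores it (plain userCertificate).  DNs are made up.
DAVID_DN = "uid=david,cn=users,cn=accounts,dc=example,dc=test"
ALICE_DN = "uid=alice,cn=users,cn=accounts,dc=example,dc=test"
ENTRIES = {
    DAVID_DN: {"userCertificate;binary": [DAVID_DER]},
    ALICE_DN: {"userCertificate": [ALICE_DER]},
}

if __name__ == "__main__":
    for name, der in (("david", DAVID_DER), ("alice", ALICE_DER)):
        pem = to_pem(der)
        print(f"{name}:")
        print("  default, exact name only  ->",
              find_by_certificate(ENTRIES, pem, subtype_aware=False))
        print("  ldap_user_certificate=;binary ->",
              find_by_certificate(ENTRIES, pem, "userCertificate;binary", False))
        print("  subtype-aware matching    ->",
              find_by_certificate(ENTRIES, pem, subtype_aware=True))
```

Run as-is it shows the three behaviours side by side: exact matching on userCertificate finds alice but not david (the symptom in the ticket), switching the attribute name to userCertificate;binary finds david but loses alice, and subtype-aware matching finds both, which is why the second proposal above is the more general fix.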

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.13.2

Fields changed

owner: somebody => jhrozek
status: new => assigned

Fields changed

milestone: SSSD 1.13.2 => SSSD 1.13.1
patch: 0 => 1

resolution: => fixed
status: assigned => closed

Metadata Update from @adelton:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.13.1

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3783

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
