#2742 When certificate is added via user-add-cert, it cannot be looked up via org.freedesktop.sssd.infopipe.Users.FindByCertificate
Closed: Fixed. Opened 3 years ago by adelton.

I need to assign custom certificate to users.

So I do

# ipa user-add-cert --certificate="$(base64 client.der)" david


# ipa user-find --all --raw david | grep userCertificate

shows the certificate is there

userCertificate;binary: MIICrzCCAZeg[... truncated ...]EeI5/ug==

Yet when I do

# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByCertificate string:"$( openssl x509 < client.crt )"

I get

Error org.freedesktop.sssd.Error.NotFound: User not found

This is with ipa-server-4.2.0-3.el7.x86_64 and sssd-1.13.0-7.el7.x86_64.

Things work when I add the certificate using ldapmodify with

changetype: modify
add: usercertificate
usercertificate:< file:client.der

The difference is that the attribute is "userCertificate", not "userCertificate;binary".

You should be able to fix this by setting "ldap_user_certificate" to "userCertificate;binary" in the domain section in sssd.conf.

The "userCertificate;binary" name is required by related internet standards (see https://tools.ietf.org/html/rfc4523#section-4.1 or https://tools.ietf.org/html/draft-ietf-pkix-ldap-schema-02#section-3.1), so it should be the default value for "ldap_user_certificate", or SSSD could include attribute subtype matches from LDAP search results, so that "userCertificate;binary" values are included when searching for "userCertificate".
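The following is an added illustration, not SSSD code and not posted by any participant in this ticket. It models the three behaviours discussed above with a tiny in-memory stand-in for the LDAP entries: the exact-match lookup that misses "userCertificate;binary" when asked for "userCertificate" (the reported failure), the workaround of configuring the attribute name with its option (the ldap_user_certificate suggestion), and the proposed fix of matching the attribute type while ignoring options (the "subtype" proposal). Attribute descriptions are split as defined in RFC 4512 section 2.5: a type followed by zero or more ";"-separated options, both compared case-insensitively. The entries, uids and certificate bytes are constructed placeholders, not real DER certificates.

```python
"""Attribute-description matching for LDAP lookups, with and without options.

Added example (not SSSD code). Two constructed entries mimic the ticket:
one whose certificate was written by ipa user-add-cert under
'userCertificate;binary', one written by ldapmodify under 'userCertificate'.
"""
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

Entry = Dict[str, List[bytes]]

# Constructed sample data; the certificate values are placeholder bytes,
# not real DER certificates.
ENTRY_IPA: Entry = {
    "uid": [b"david"],
    "userCertificate;binary": [b"\x30\x82\x02\xaf\x30\x82\x01\x97"],
}
ENTRY_LDAPMODIFY: Entry = {
    "uid": [b"alice"],
    "userCertificate": [b"\x30\x82\x02\xaf\x30\x82\x01\x98"],
}
DIRECTORY: List[Entry] = [ENTRY_IPA, ENTRY_LDAPMODIFY]


def parse_attribute_description(desc: str) -> Tuple[str, FrozenSet[str]]:
    """Split 'type;opt1;opt2' into (lower-case type, set of lower-case options).

    RFC 4512 section 2.5: the attribute type and its options are case-insensitive,
    and the order of options is not significant, hence the frozenset.
    """
    parts = desc.split(";")
    attr_type = parts[0].strip().lower()
    if not attr_type:
        raise ValueError(f"empty attribute type in {desc!r}")
    options = frozenset(p.strip().lower() for p in parts[1:] if p.strip())
    return attr_type, options


def get_attribute_values(entry: Entry, wanted: str, ignore_options: bool) -> List[bytes]:
    """Return the values stored under `wanted` in `entry`.

    ignore_options=False models the behaviour reported in the ticket: asking for
    'userCertificate' does not see 'userCertificate;binary'. Asking for
    'userCertificate;binary' explicitly (the configured-attribute workaround) does.
    ignore_options=True models the proposed fix: any description whose type
    matches is included, whatever options it carries.
    """
    want_type, want_opts = parse_attribute_description(wanted)
    values: List[bytes] = []
    for desc, vals in entry.items():
        have_type, have_opts = parse_attribute_description(desc)
        if have_type != want_type:
            continue
        if ignore_options or have_opts == want_opts:
            values.extend(vals)
    return values


def find_user_by_certificate(entries: Iterable[Entry], cert_der: bytes,
                             cert_attribute: str = "userCertificate",
                             ignore_options: bool = False) -> Optional[str]:
    """Toy FindByCertificate: uid of the first entry holding `cert_der`, else None.

    `cert_attribute` plays the role of the configured attribute name
    (the hypothetical analogue of ldap_user_certificate in this example).
    """
    for entry in entries:
        for value in get_attribute_values(entry, cert_attribute, ignore_options):
            if value == cert_der:
                return entry["uid"][0].decode()
    return None


if __name__ == "__main__":
    david_cert = ENTRY_IPA["userCertificate;binary"][0]
    # Reported failure: default attribute name, exact match -> not found.
    print("default, exact:", find_user_by_certificate(DIRECTORY, david_cert))
    # Workaround: configure the attribute name with the ';binary' option.
    print("configured ;binary:", find_user_by_certificate(
        DIRECTORY, david_cert, cert_attribute="userCertificate;binary"))
    # Proposed fix: match the type and ignore options.
    print("ignore options:", find_user_by_certificate(
        DIRECTORY, david_cert, ignore_options=True))
```

Note that the workaround only moves the problem: with the attribute configured as "userCertificate;binary", an entry written without the option (the ldapmodify case) is the one that stops matching, which is why the option-insensitive lookup is the more robust of the two remedies.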

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.13.2

Fields changed

owner: somebody => jhrozek
status: new => assigned

Fields changed

milestone: SSSD 1.13.2 => SSSD 1.13.1
patch: 0 => 1

resolution: => fixed
status: assigned => closed

Metadata Update from @adelton (2 years ago):
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.13.1
