#1463 pki cli client-cert-request should support dir based auth
Closed: Fixed. Opened 5 years ago by dminnich.

We have some profiles setup for LDAP based auth and authz. These work great in the browser. It would be neat if these also worked from the pki cli utility.

Example:

pki -v -C ~/.pki.password -U 'https://ca01.pki.dev.int.devlab.redhat.com:8443/ca' client-cert-request CN=test1 --profile=caDirUserCert

You'd probably need new parameters for username and password.

Right now the pki cli can only do basic auth or cert based auth. We could enable profiles that do cert based auth in addition to our ldap based auth profiles, but this still presents a chicken and egg problem if people wanted a quick, automated, CLI-only environment: they would have to use a browser to get their client cert issued immediately using LDAP auth, or submit a client cert auth request from the CLI that requires agent approval and wait. Once they got their client cert they could then use that cert from the CLI to do the rest of their requests using cert based auth.

Having the pki command support passing dir based auth would be an awesome addition that would fix the above things.


Per CS/DS Meeting of 07/06/2015: 10.3 (critical)

From PKI TRAC #904 Unable to specify ldap username & password in xml request for UserDirEnrollment profile which was closed as a duplicate of this ticket:

After enabling the UserDirEnrollment authentication plugin, there is no XML tag to specify username and password in the XML request for the caDirUserCert profile.

Versions:

pki-ca-10.2.0-0.1.20140311T0344zgitb944d31.fc20.noarch
pki-tools-10.2.0-0.1.20140311T0344zgitb944d31.fc20.x86_64

Download the profile XML using the command below:

$ pki -d /opt/rhqa_pki/certs_db -n "PKI Administrator for lab.eng.pnq.redhat.com" -c redhat123 ca-cert-request-profile-show caDirUserCert --output caDirUserCert.xml

Editing caDirUserCert.xml, I see the details below:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<CertEnrollmentRequest>
    <ProfileID>caDirUserCert</ProfileID>
    <Renewal>false</Renewal>
    <SerialNumber></SerialNumber>
    <RemoteHost></RemoteHost>
    <RemoteAddress></RemoteAddress>
    <Input id="i1">
        <ClassID>keyGenInputImpl</ClassID>
        <Name>Key Generation</Name>
        <Attribute name="cert_request_type">
            <Value></Value>
            <Descriptor>
                <Syntax>keygen_request_type</Syntax>
                <Description>Key Generation Request Type</Description>
            </Descriptor>
        </Attribute>
        <Attribute name="cert_request">
            <Value></Value>
            <Descriptor>
                <Syntax>keygen_request</Syntax>
                <Description>Key Generation Request</Description>
            </Descriptor>
        </Attribute>
    </Input>
</CertEnrollmentRequest>

How do we specify the ldap username and password from the ldapbasedn configured for UserDirEnrollment?
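As an added example (not Dogtag code and not from the ticket): a small Python helper that fills the downloaded caDirUserCert template with a CSR and shows programmatically that the template carries no credential attribute, which is the gap asked about above. The template is a trimmed, constructed copy of the XML shown in the ticket; the CSR value and the credential-name hints are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the <CertEnrollmentRequest> quoted in the ticket,
# trimmed to the elements this example touches.
TEMPLATE = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<CertEnrollmentRequest>
    <ProfileID>caDirUserCert</ProfileID>
    <Renewal>false</Renewal>
    <Input id="i1">
        <ClassID>keyGenInputImpl</ClassID>
        <Name>Key Generation</Name>
        <Attribute name="cert_request_type">
            <Value></Value>
        </Attribute>
        <Attribute name="cert_request">
            <Value></Value>
        </Attribute>
    </Input>
</CertEnrollmentRequest>"""

# Substrings a credential-carrying attribute name would be expected to
# contain (an assumption used only by auth_attributes below).
AUTH_NAME_HINTS = ("uid", "pwd", "user", "password")

def attribute_names(template_xml):
    """Return the name of every <Attribute> in the request's inputs."""
    root = ET.fromstring(template_xml)
    return [a.get("name") for a in root.iter("Attribute")]

def auth_attributes(template_xml):
    """Attribute names that look like credential fields. For the
    caDirUserCert template this is empty, the gap the ticket reports."""
    return [n for n in attribute_names(template_xml)
            if any(h in n.lower() for h in AUTH_NAME_HINTS)]

def fill_cert_request(template_xml, request_type, csr):
    """Fill cert_request_type and cert_request; raise if either is absent."""
    root = ET.fromstring(template_xml)
    values = {"cert_request_type": request_type, "cert_request": csr}
    filled = set()
    for attr in root.iter("Attribute"):
        name = attr.get("name")
        if name in values:
            attr.find("Value").text = values[name]
            filled.add(name)
    missing = set(values) - filled
    if missing:
        raise ValueError("template lacks attributes: %s" % sorted(missing))
    return ET.tostring(root, encoding="unicode")
```

The filled request still has nowhere to carry an LDAP username or password, so on the version in the ticket it could only be submitted with basic or certificate authentication.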

Per CS/DS Meeting of 09/14/2015, moving back to 10.2.7 to be addressed sooner.

Fixed in master:

  • 6a1606ee52022e2abc023efc5be155f4fe76e84b
  • b1559af37ddb6c9dfeb25ae69cb220a0139005c9
  • 164f200c1406eb547e0989a55ce114dfc2dff511

Cherry-picked re-based patches from DOGTAG_10_2_RHEL_BRANCH into DOGTAG_10_2_6_BRANCH:

  • 23904bb3b148157ab6249ac4e62b7afb410a86f7
  • eb44234b5fba6c0047577529d3bd6fdb7c338fe1
  • 531f40aafd5a2359466abd2cb8782961daa14e65

Cherry-picked re-based patches from DOGTAG_10_2_RHEL_BRANCH into DOGTAG_10_2_BRANCH:

  • fe956dab8709e7c2bf892b7a87f5c170baedd679
  • 8a7fbb03f8317a881032e098b6360018878ac280
  • 249f975ca6a82ffed3a11af5275fdb595e7ee757

Additional changes in master:

  • 3292de07ed01f6230de34120bf9cd1b8d164610a

Replying to [comment:9 edewata]:

Additional changes in master:

  • 3292de07ed01f6230de34120bf9cd1b8d164610a

Cherry-picked this patch to the following branches:

  • DOGTAG_10_2_BRANCH
    • b67a17f29a5a5312847c1188607a7fa7b33e034f
  • DOGTAG_10_2_6_BRANCH
    • 1c1b9a1069650a12394848520a1dfb4753f8be72
  • DOGTAG_10_2_RHEL_BRANCH
    • bc001c4bada21d7f47631b755d253fd34d861d83

Metadata Update from @dminnich:
- Issue assigned to edewata
- Issue set to the milestone: 10.2.6

3 years ago
