#7912 IPA Login with Certificate should work OOB
Closed: wontfix 5 years ago by abbra. Opened 5 years ago by donnyd.

Issue

The IPA webui should be able to log in with user-generated certs without having to run the scripts to enable smartcard logins. This should work by default.

Steps to Reproduce

  1. Install ipa
  2. generate user cert
  3. attempt to login to the webui via "Login with certificate"

Actual behaviour

[lookup_identity:error] [pid 854:tid 140063245596416] [client x.x.x.x:56358] lookup_user_by_certificate failed [dbus_connection_send_with_reply_and_block(org.freedesktop.sssd.infopipe.Users.FindByNameAndCertificate)]: [Permission denied]

The apache user is denied by sssd, so the authentication cannot continue.

Expected behaviour

If the login prompt offers to log in with a cert, then it should work. I would think the two options would be to just configure cert logins by default, or to hide that prompt unless the system is configured for it.

In sssd the apache user should be enabled by default if the login prompts for "Login with Certificate" are present in the webui. The ipa-advise scripts for smartcard login set this value, but they aren't run by default.
/etc/sssd/sssd.conf
...
[ifp]
allowed_uids = ipaapi, root, apache
....

additionally you must run
ipa service-mod --ok-to-auth-as-delegate=True HTTP/$(hostname)

and then restart both services
systemctl restart sssd httpd

and presto, it works with the built-in certs

Version/Release/Distribution

freeipa-server-4.7.2-1.1.fc29.x86_64
freeipa-client-4.7.2-1.1.fc29.x86_64
package ipa-server is not installed
package ipa-client is not installed
389-ds-base-1.4.0.21-1.fc29.x86_64
pki-ca-10.6.9-1.fc29.noarch
krb5-server-1.16.1-25.fc29.x86_64
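The three manual steps above (extend `allowed_uids` in the `[ifp]` section of sssd.conf, flag the HTTP service as ok-to-auth-as-delegate, restart sssd and httpd) can be made idempotent so they survive re-runs and configs that lack the section. The script below is an added example, not code from the ticket or from FreeIPA's ipa-advise output. `allowed_uids` is sssd's access list for the InfoPipe D-Bus responder; the `Permission denied` in the log above is that check rejecting the apache UID. The file path, the `apply` argument that gates the live changes, and the assumption that you run it as root with a valid admin Kerberos ticket are this example's own choices.

```shell
#!/usr/bin/env bash
# Added example (not from the ticket or FreeIPA): grant the web server's UID
# access to sssd's InfoPipe responder, enable constrained delegation on the
# HTTP service principal and restart the affected daemons, all idempotently.
set -eu

# ensure_ifp_allowed_uids FILE UID...
# Rewrite FILE in place so its [ifp] section carries an allowed_uids line
# containing every UID given. Existing entries are kept in order, duplicates
# are dropped, and the section is appended if the file has none. Writing
# through "cat >" keeps sssd.conf's 0600 root ownership and SELinux label.
ensure_ifp_allowed_uids() {
    local file=$1; shift
    [ $# -gt 0 ] || { echo "usage: ensure_ifp_allowed_uids FILE UID..." >&2; return 1; }
    [ -f "$file" ] || { echo "$file: no such file" >&2; return 1; }
    local tmp
    tmp=$(mktemp)
    awk -v want="$*" '
        BEGIN { nwant = split(want, W, " ") }
        # Merge a comma-separated existing value with the wanted UIDs.
        function merged(existing,   n, i, parts, out) {
            out = ""; split("", have)
            n = split(existing, parts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", parts[i])
                if (parts[i] == "" || (parts[i] in have)) continue
                have[parts[i]] = 1
                out = (out == "" ? parts[i] : (out ", " parts[i]))
            }
            for (i = 1; i <= nwant; i++) {
                if (W[i] in have) continue
                have[W[i]] = 1
                out = (out == "" ? W[i] : (out ", " W[i]))
            }
            return "allowed_uids = " out
        }
        # Section header: close an [ifp] section that had no allowed_uids line.
        /^[ \t]*\[/ {
            if (in_ifp && !seen) print merged("")
            in_ifp = ($0 ~ /^[ \t]*\[ifp\][ \t]*$/)
            if (in_ifp) { ifp_found = 1; seen = 0 }
            print; next
        }
        # Existing allowed_uids inside [ifp]: rewrite it with the merged list.
        in_ifp && /^[ \t]*allowed_uids[ \t]*=/ {
            val = $0; sub(/^[^=]*=/, "", val)
            print merged(val); seen = 1; next
        }
        { print }
        END {
            if (in_ifp && !seen) print merged("")
            if (!ifp_found) { print ""; print "[ifp]"; print merged("") }
        }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# ifp_allowed_uids FILE
# Print the current allowed_uids value from the [ifp] section (empty if none),
# so the change can be verified before restarting anything.
ifp_allowed_uids() {
    awk '/^[ \t]*\[/ { in_ifp = ($0 ~ /^[ \t]*\[ifp\][ \t]*$/); next }
         in_ifp && /^[ \t]*allowed_uids[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); print; exit }' "$1"
}

# Only touch the live system when explicitly asked ("apply"); sourcing the
# file or running it without arguments does nothing.
if [ "${1:-}" = apply ]; then
    ensure_ifp_allowed_uids /etc/sssd/sssd.conf ipaapi root apache
    echo "[ifp] allowed_uids = $(ifp_allowed_uids /etc/sssd/sssd.conf)"
    # Requires an admin Kerberos ticket (kinit admin) before running.
    ipa service-mod --ok-to-auth-as-delegate=True "HTTP/$(hostname)"
    systemctl restart sssd httpd
fi
```

Run it as `./ifp-apache.sh apply` on the IPA server; re-running it leaves sssd.conf unchanged. The `allowed_uids` rewrite is kept separate from the `ipa` and `systemctl` calls so it can be exercised against a copy of sssd.conf first.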


There are multiple ways in which smart card configuration can be customized. This is one of the reasons it is not enabled by default and you need to run a script generated by ipa-advise. Specifically, one needs to set up the CAs required for accepting smart card certificates, as those aren't always the ones issued by the IPA CA.

For this and other reasons it is enabled through a separate step. It is not going to be changed, and it is already documented that an advise script needs to be created. Thus, closing this ticket as won't fix.

Metadata Update from @abbra:
- Issue close_status updated to: worksforme
- Issue status updated to: Closed (was: Open)

5 years ago

Metadata Update from @abbra:
- Issue status updated to: Open (was: Closed)

5 years ago

Metadata Update from @abbra:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

5 years ago
