Hi all,
Having read all the manuals and snippets I can find, I have come up with the following certmap.conf file:
certmap default default
default:verifycert on
default:CmapLdapAttr nsCertSubjectDN
What I want the above to do is this:
- Look up the subject of the client certificate as the DN in the nsCertSubjectDN attribute.
- Also do an exact match of the certificate in the userCertificate attribute (verifycert on).
- Do the search across all contexts.
Does the certmap above do this?
What is not working for me is the lookup:
[18/Nov/2020:00:10:33.787682853 +0200] conn=1269 TLS1.3 128-bit AES-GCM; client serialNumber=365[snip]a14,CN=host.example.com; issuer CN=X,O=Y,C=UK
[18/Nov/2020:00:10:33.888476161 +0200] conn=1269 TLS1.3 failed to map client certificate to LDAP DN (No such object)
Looking at the source code, the above message is logged if we have a certificate, but we didn't manage to map a DN:
https://github.com/389ds/389-ds-base/blob/f9638bbd8739659057249ac43b914d18716996b5/ldap/servers/slapd/auth.c#L501
Something missing from the documentation is the DN format expected by the nsCertSubjectDN attribute.
Is the format CN=X,serialNumber=Y as reported by openssl x509, or is it serialNumber=Y,CN=X as reported by the log message above?
Regards,
Graham
—
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
No comments:
Post a Comment