Re: [389-users] Certificate based authentication

On 10/11/2011 09:53 AM, Gerhardus Geldenhuis wrote:
Hi

I am looking at doing certificate based authentication using 389. The company where I am working currently issues a certificate for every new starter and these certs are well managed with regards to sensible expiry dates etc. This cert is your key to the whole environment and a lot of the applications like jira/confluence authenticate you based on your certificate.

I have read through the documentation:

and it seems to suggest that it is necessary to convert the user certificate and upload it into 389 db.

It is not necessary, but it is on by default.  This is the certmap.conf "verifyCert" setting.  It is "on" by default.  If you set it to "off" it will not attempt to compare the client cert with the one in the 389 db.

This seems a bit of a duplication. Is there any way to "talk" to the certificate provider to ascertain the validity or not of a certificate and obtain any other required information, rather than having a copy of the certificate in the database. The documentation also does not say whether this is the public or private part of the certificate that needs to be uploaded. I am assuming it is the public part.

Yes, the public part.  389 uses NSS for crypto which supports CRL and OCSP for checking certificate revocation status.  You would typically want to periodically install a new CRL into 389 using crlutil in order to check revocation status of incoming client certs.


The second part of the question is how would this work with regards to ssh authentication. Somehow via pam and ssh the certificate must be passed on to 389 when the authentication happens. I am not sure this is currently possible with pam but would be interested in any suggestions to achieve something like this.

pam_pkcs11?  Note that ssh public keys are not the same as the public key part of an x509 certificate - you cannot mix and match them afaik.  What exactly are you trying to do?  Do ssh/pam authentication and have ssh retrieve the public key from LDAP?


Regards

--
Gerhardus Geldenhuis
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users

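To make the two points in the reply concrete (the certmap.conf "verifycert" switch, and keeping a CRL installed with crlutil so NSS can check revocation of incoming client certs), here is an added example script. It is mine, not code from the thread or from the 389 project. It assumes the usual 389 layout where the instance's NSS database lives in /etc/dirsrv/slapd-<instance>, that the CA publishes a CRL file, and that crlutil and openssl are installed; the instance name "example" and the CRL path are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from the 389 project.
# Assumptions: the instance's NSS database lives in /etc/dirsrv/slapd-<instance>
# (the usual 389 layout), the CA publishes a CRL file, and crlutil/openssl exist.

# Emit a certmap.conf stanza. $1 is the verifycert value ("on" or "off").
# "e" in FilterComps means the e= (email) RDN of the cert subject is matched
# against the entry's mail attribute, so the subject must resolve to exactly one
# entry. With verifycert off, that lookup plus CA trust and revocation status is
# all that ties the presented cert to the account, which is why the CRL below
# has to be kept current.
render_certmap() {
  case "$1" in
    on|off) ;;
    *) echo "verifycert must be 'on' or 'off', got '$1'" >&2; return 1 ;;
  esac
  cat <<EOF
certmap default default
default:DNComps
default:FilterComps e
default:verifycert $1
EOF
}

# Import (or refresh) a CRL into the instance's NSS database.
# $1 = NSS db directory, $2 = CRL file (DER, or PEM which is converted first).
# crlutil flags: -I import, -i input file, -d db directory, -t 1 = X.509 CRL (0 = KRL).
# CRLUTIL can be overridden (e.g. CRLUTIL=echo for a dry run).
import_crl() {
  db="$1"; crl="$2"; der="$crl"
  if grep -q 'BEGIN X509 CRL' "$crl" 2>/dev/null; then
    der="${crl%.*}.der"
    openssl crl -inform PEM -in "$crl" -outform DER -out "$der"
  fi
  "${CRLUTIL:-crlutil}" -I -i "$der" -d "$db" -t 1
}

# Usage: sh certmap-crl.sh <instance> <crl-file> [on|off]
# Prints the stanza to stdout (redirect it into the instance's certmap.conf after
# review) and imports the CRL. Nothing runs when the file is loaded without args.
if [ "$#" -ge 2 ]; then
  render_certmap "${3:-on}"
  import_crl "/etc/dirsrv/slapd-$1" "$2"
  "${CRLUTIL:-crlutil}" -L -d "/etc/dirsrv/slapd-$1"   # list the CRLs now installed
fi
```

Run the import from cron at an interval shorter than the CA's CRL nextUpdate period; a stale CRL means a revoked cert still authenticates. Whether verifycert is on or off, a cert only gets the user in if the subject maps to exactly one entry, so check the mapping with a test cert before turning the feature on for real users.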
