Re: How to create a user with certificate with lib389

@William Brown
 
Please check the attached test case.

I want to put the escape_bytes function into the lib389 utils.py file.


Regards
Anuj Borah


On Mon, Jun 10, 2019 at 2:18 PM William Brown <wbrown@xxxxxxx> wrote:


> On 9 Jun 2019, at 03:40, Anuj Borah <aborah@xxxxxxxxxx> wrote:
>
> @William Brown
>
> Yes, it does.
>
> Currently I am porting this bug: https://bugzilla.redhat.com/show_bug.cgi?id=170520
>
> I think with the help of this script it will be impossible to port it.

I'm not authorised to view that bug. :)

I think you'll need to describe, exactly, in sequence the order of events you want to test so I can advise properly.

>
> Do you have any advice?
>
> Regards
> Anuj Borah
>
>
> On Fri, Jun 7, 2019 at 2:47 PM William Brown <wbrown@xxxxxxx> wrote:
> I haven't read the link but maybe there is some confusion about TLS binding here. You do the create_rsa_user and that only sets up the certificates.
>
> > On 4 Jun 2019, at 17:51, Anuj Borah <aborah@xxxxxxxxxx> wrote:
> >
> > @William Brown
> > 
> > Thanks, I am doing the same. Trying to follow it. (I have made this script 99% pass.)
> > 
> > But it's way too old. It uses something like:
> >
> > standalone.nss_ssl.create_rsa_user('testuser')   ---- not valid (NssSsl(standalone).create_rsa_user('testuser'))
> >
> > standalone.nss_ssl.get_rsa_user('testuser')   ------ not valid (NssSsl(standalone).get_rsa_user('testuser'))
>
> IIRC this syntax is valid, but maybe the linking type was removed.
>
> >
> > standalone.openConnection --- I don't know what it is. Maybe bind.
>
> Yes, I think this is bind now. If you grep for create_rsa_user in the tests you may find another example.
>
> >
> > And most importantly, after I have made this script 99% pass, I am not able to see the usercertificate field in the test user that was created during the test while I do _unsafe_raw_entry().
>
> Because you don't need it. The certificate's cn is mapped to the cn in the directory, and then because the certificate was issued by the CA, it "confirms" the user's identity. No userCertificate attribute required.
>
> There is a configuration that DOES require the certificate to not only be signed, but also in userCertificate for binary matching, but this is a configuration option, not the default. I seem to recall helping document all this with Marc, so it should be in the latest RHDS documentation. Generally though, the userCertificate attribute today would be used to allow a client like SSSD to read the userCertificate to allow smartCard authentication to a workstation.
>
> Does that help a bit?
>
> >
> > Also, mind changing the lib389 doc https://spichugi.fedorapeople.org/html/guidelines.html#setting-up-ssl-tls ? It's the same test case given there, which is not relevant now.
> >
> > Regards
> > Anuj Borah
> >
> > On Tue, Jun 4, 2019 at 9:08 PM William Brown <wbrown@xxxxxxx> wrote:
> > I'm currently traveling at the moment, but I can have a look later to update this to work on latest lib389 etc.
> >
> > You can read it and use it as an example though, even if it doesn't pass ...
> >
> >
> >
> >
> > > On 4 Jun 2019, at 16:32, Anuj Borah <aborah@xxxxxxxxxx> wrote:
> > >
> > > @William Brown
> > > 
> > > This test script does not pass. It's too old.
> > >
> > > Regards
> > > Anuj Borah
> > >
> > > On Tue, Jun 4, 2019 at 8:00 PM William Brown <wbrown@xxxxxxx> wrote:
> > > Have a look at this test case if you want to do usercertificate generation and authentication :)
> > >
> > > https://pagure.io/389-ds-base/blob/master/f/src/lib389/lib389/tests/tls_external_test.py
> > >
> > > > On 4 Jun 2019, at 14:31, Anuj Borah <aborah@xxxxxxxxxx> wrote:
> > > >
> > > > Hi all,
> > > >
> > > > Let's say I want to create a user with a userCertificate field. My user will look like below.
> > > >
> > > > users_people = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
> > > > users_people.create(properties={
> > > >         'uid': 'certUser2',
> > > >         'cn': 'CUser2',
> > > >         'sn': 'CertificateUser2',
> > > >         'givenName': 'CU2',
> > > >         'description': "This is certUser2's description",
> > > >         'mail': 'certUser1@xxxxxxxxxxx',
> > > >         'userPassword': PW_DM,
> > > >         'userCertificate': 'some_cert_+++NUhz+Rigq7xT5g0Jqo1gXq1jJFdCw==',
> > > >         'manager': f'uid=certUser2,ou=People,{DEFAULT_SUFFIX}',
> > > >         'homeDirectory': '/home/' + 'certUser2',
> > > >         'uidNumber': '1000',
> > > >         'gidNumber': '2000'
> > > >     })
> > > >
> > > > Here I have put the userCertificate field manually (which I don't want to do). But how can I achieve this without putting the userCertificate field manually? Like create a user and the userCertificate field will be auto-filled with auto-generated certificates.
> > > >
> > > > Regards
> > > > Anuj Borah
> > > > _______________________________________________
> > > > 389-devel mailing list -- 389-devel@xxxxxxxxxxxxxxxxxxxxxxx
> > > > To unsubscribe send an email to 389-devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
> > > > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > List Archives: https://lists.fedoraproject.org/archives/list/389-devel@xxxxxxxxxxxxxxxxxxxxxxx
> > >
> > > —
> > > Sincerely,
> > >
> > > William Brown
> > >
> > > Senior Software Engineer, 389 Directory Server
> > > SUSE Labs
> >
> >
>
>


Sincerely,

William Brown

Senior Software Engineer, 389 Directory Server
SUSE Labs

# --- BEGIN COPYRIGHT BLOCK ---
# Copyright (C) 2017 Red Hat, Inc.
# All rights reserved.
#
# License: GPL (version 3 or any later version).
# See LICENSE for details.
# --- END COPYRIGHT BLOCK ---
# escape_bytes is adapted from ldap3: https://github.com/cannatag/ldap3/blob/master/ldap3/utils/conv.py
# Related issue: https://pagure.io/389-ds-base/issue/50443

import logging
import subprocess

from lib389.topologies import topology_st
from lib389.idm.user import UserAccounts
from lib389.idm.account import Accounts
from lib389._constants import DEFAULT_SUFFIX

log = logging.getLogger(__name__)


def escape_bytes(bytes_value):
    """Convert a byte sequence to an LDAP filter assertion value in which
    every byte is escaped as BACKSLASH HEX HEX (RFC 4515),
    e.g. b'\\x30\\x82' -> '\\30\\82'. A str is UTF-8 encoded first."""
    if not bytes_value:
        return ''
    if str is not bytes:  # Python 3: iterating bytes yields ints
        if isinstance(bytes_value, str):
            bytes_value = bytes_value.encode('utf-8')
        escaped = '\\'.join('%02x' % b for b in bytes_value)
    else:  # Python 2: iterating bytes yields one-character strings
        if isinstance(bytes_value, unicode):  # noqa: F821
            bytes_value = bytes_value.encode('utf-8')
        escaped = '\\'.join('%02x' % ord(b) for b in bytes_value)
    return '\\' + escaped


def test_tls_external(topology_st):
    """Create a user whose userCertificate holds the server's CA certificate
    (DER) and check that the entry can be found again with an equality
    filter on that binary value."""
    standalone = topology_st.standalone
    standalone.enable_tls()

    # enable_tls() writes the self-signed CA as PEM; userCertificate stores
    # DER, so convert it before loading it into the entry.
    ca_pem = '/etc/dirsrv/ssca/ca.crt'
    ca_der = '/etc/dirsrv/ssca/ca.der'
    subprocess.check_output(['openssl', 'x509', '-outform', 'der',
                             '-in', ca_pem, '-out', ca_der])
    with open(ca_der, 'rb') as cert:
        crt = cert.read()

    users = UserAccounts(standalone, DEFAULT_SUFFIX)
    user_properties = {
        'uid': 'testuser',
        'cn': 'testuser',
        'sn': 'user',
        'uidNumber': '1000',
        'gidNumber': '2000',
        'homeDirectory': '/home/testuser',
        'userPassword': 'password',
        'userCertificate': crt,
    }
    testuser = users.create(properties=user_properties)

    # The binary value must be escaped byte-wise to be usable in a filter.
    found = Accounts(standalone, DEFAULT_SUFFIX).filter(
        f"(userCertificate={escape_bytes(crt)})")
    assert len(found) == 1
    assert found[0].dn == testuser.dn
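The attached test builds a search filter from a DER certificate, which is only safe because every byte is escaped. The following is an added, stand-alone example (not from this thread and not lib389 code) of the RFC 4515 escaping the posted escape_bytes() performs, generalised to text values, with the reverse decoding a server applies before comparing, and a check of the attribute type, which the filter grammar gives no way to escape. All function names and sample values are constructed for the example.

```python
import re

# Bytes that carry filter syntax (and NUL) and must never appear raw in a value.
_FILTER_SPECIAL = {0x2a: '\\2a', 0x28: '\\28', 0x29: '\\29', 0x5c: '\\5c', 0x00: '\\00'}

# RFC 4512 attribute description: a descriptor, optionally followed by ;options.
_ATTR_RE = re.compile(r'^[A-Za-z][A-Za-z0-9-]*(?:;[A-Za-z0-9-]+)*$')


def escape_filter_bytes(value: bytes) -> str:
    """Escape every byte as \\HH. This is what a binary value such as a DER
    certificate needs, since almost any byte can occur in it."""
    return ''.join('\\%02x' % b for b in value)


def escape_filter_text(value: str) -> str:
    """Escape a text value: filter metacharacters, control bytes and the
    UTF-8 bytes of non-ASCII characters are encoded; the rest stays readable."""
    out = []
    for b in value.encode('utf-8'):
        if b in _FILTER_SPECIAL:
            out.append(_FILTER_SPECIAL[b])
        elif b >= 0x80 or b < 0x20:
            out.append('\\%02x' % b)
        else:
            out.append(chr(b))
    return ''.join(out)


def is_valid_attribute_type(attr: str) -> bool:
    """True if attr is a syntactically valid attribute description."""
    return bool(_ATTR_RE.match(attr))


def build_equality_filter(attr: str, value) -> str:
    """Build (attr=value) with the value escaped according to its type. The
    attribute type is validated, not escaped: it must come from the program."""
    if not is_valid_attribute_type(attr):
        raise ValueError('invalid attribute type: %r' % attr)
    if isinstance(value, (bytes, bytearray)):
        return '(%s=%s)' % (attr, escape_filter_bytes(bytes(value)))
    return '(%s=%s)' % (attr, escape_filter_text(value))


def unescape_filter_value(escaped: str) -> bytes:
    """Decode an escaped assertion value back to raw bytes, rejecting
    malformed \\H or \\ escapes instead of guessing."""
    out = bytearray()
    i = 0
    while i < len(escaped):
        if escaped[i] == '\\':
            hexpair = escaped[i + 1:i + 3]
            if len(hexpair) != 2 or not all(c in '0123456789abcdefABCDEF' for c in hexpair):
                raise ValueError('malformed escape at offset %d' % i)
            out.append(int(hexpair, 16))
            i += 3
        else:
            out.extend(escaped[i].encode('utf-8'))
            i += 1
    return bytes(out)


if __name__ == '__main__':
    # Constructed stand-in for the first bytes of a DER certificate.
    der_prefix = b'\x30\x82\x03\x1a\x30\x82\x02\x02'
    print(build_equality_filter('userCertificate', der_prefix))
    # A value containing filter syntax is neutralised by the escaping.
    print(build_equality_filter('uid', 'bob)(objectClass=*'))
    print(unescape_filter_value(escape_filter_text('Jürgen')))
```

The split between escaping the value and validating the attribute type is the point to keep: escaping only ever applies to the assertion value, so a filter whose attribute name is taken from input cannot be made safe by escaping at all.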