Hello,
I forgot to mention the LDAP implementation I am using - it is OUD (Oracle Unified Directory). Object class "strongAuthenticationUser" was added to the users for PKI based authentication. The mandatory attribute of this object class is "userCertificate" or "userCertificate;binary", in which I would store the value of the public key or the certificate.

Case 1. I stored the certificate in the userCertificate;binary LDAP attribute, as this was the default configuration.

Case 2. I also tried to store the certificate as a value of the LDAP attribute userCertificate and changed "ldap_user_certificate" to "userCertificate" in the SSSD configuration (commented out in the SSSD configuration below).

Both of the cases resulted in password based authentication, instead of PKI based authentication. Also in the log I saw that SSSD mapped the userCertificate(;binary) value to the userCertificate parameter of the entry, but I didn't see a derived public key in the logs. I am using an x509 base64 encoded value of the certificate (I also tried with pkcs#7, but the result was the same).
# SSSD configuration at this moment: I am using only the public key stored as a value of the attribute "userCertificate" for authentication of the user, which works fine - but this way there is no certificate shown to the SSSD client, hence no certificate validation/verification mechanisms can be used (correct me if I am wrong)

[sssd]
config_file_version = 2
domains = LDAP
services = nss, pam, autofs, ssh
reconnection_retries = 3
[nss]
reconnection_retries = 3
debug_level = 2
filter_users = root, oracle
filter_groups = root

[pam]
reconnection_retries = 3
debug_level = 2

[domain/LDAP]
id_provider = ldap
access_provider = ldap
chpass_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldaps://<OUD_instance>:<LDAPs_port>
ldap_default_bind_dn = <directory_manager>
ldap_default_authtok = <password>
ldap_default_authtok_type = password
ldap_search_base = <suffix>
ldap_user_search_base = <users_branch,suffix>
ldap_group_search_base = <groups_branch,suffix>
ldap_access_filter = isMemberOf=<access_filter_group>
cache_credentials = true
enumerate = false
debug_level = 9
ldap_id_use_start_tls = false
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/sssd/cacerts/<CA_cert.pem>
ldap_tls_cacertdir = /etc/sssd/cacerts
ldap_user_name = employeeNumber
ldap_user_ssh_public_key = userCertificate
#ldap_user_certificate = userCertificate
# LDAP entry at this moment (only with the public key value stored in the "userCertificate" attribute)

dn: uid=32000000001,<users_branch,suffix>
givenName: testUser7
objectClass: strongAuthenticationUser
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: top
uid: 32000000001
cn: 32000000001
sn: test
loginShell: /bin/bash
userPassword: {SSHA512}0QAWd8NQNpN5bVS/sS0CDjHzctpy54X/JflWRSzIk/zpgSEgm5IE003RX
 v35iEyt2LfqaXd5HGAwYrCaRbM7ylrg0syFXrLU
homeDirectory: /ssh_users/32000000001
ou: <directory_manager>
uidNumber: 1234567890
userCertificate: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCPZF7auTI3Tj/urnpX7YbG3jh
 Qq4z0HcqW8JA4CKGrNOeBSbyh4H1/WqVR72zKzSu/2rRTG3679YMWy6hZBz7Of7tnQ6OBlmZmAxyFkk
 UU1ZVRKFRyVWBzmT8YqOjetdaYEr4f9cjOV22EStPJCheZmyyMRMOtlTA32dQ7rWBLcjpkLFQZhInbn
 H5JUEEuiVTKXZ5xDRzpLCVNx/VFyLxHgPjfv0mWOGp3tVCBRYnmW/82pOcvYGQtSJbsL9LyIsuJWVNz
 JWQa2v4grNf3OCuWO6wIiPaJcnYNtvRtNHCtexPicJ7iaCmgjxgWsUKCyaVIFNn+STgR81zl59lrmfD
 D
gidNumber: 9999
employeeNumber: <employee_number>
When using the certificate only, or the certificate and the public key stored in the LDAP entry, the value of the certificate stored in the userCertificate;binary attribute is:
Thank you!

BR,
Hristina
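As an added diagnostic (my own example, not code from this thread or from SSSD): a stdlib-only Python check that tells apart the kinds of value that end up in userCertificate in the cases above, namely an OpenSSH public key string (what ldap_user_ssh_public_key consumes), PEM or base64 text of a certificate, and raw DER bytes (the form a ";binary" attribute is meant to carry). The sample values are constructed; the "DER" sample is a minimal ASN.1 SEQUENCE that only exercises the framing check, not a real certificate.

```python
"""Classify what is actually stored in a userCertificate value taken from an LDIF entry."""
import base64
import binascii
import re


def der_frame_ok(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE (tag 0x30) whose length field matches len(data)."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short form: one length byte
        length, hdr = first, 2
    else:                                 # long form: 0x8n followed by n length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        length, hdr = int.from_bytes(data[2:2 + n], "big"), 2 + n
    return hdr + length == len(data)


def ldif_value(entry_line: str) -> bytes:
    """Decode one LDIF attribute line ('attr: text' or 'attr:: base64') to raw bytes.
    Wrapped continuation lines (newline + single space) are joined first."""
    line = re.sub(r"\r?\n ", "", entry_line)
    _, sep, rest = line.partition("::")
    if sep:
        return base64.b64decode(rest.strip())
    _, _, rest = line.partition(":")
    return rest.strip().encode()


def classify(value: bytes) -> str:
    """Name the encoding of a userCertificate value so it can be matched to the right SSSD option."""
    if value.startswith((b"ssh-", b"ecdsa-sha2-")):
        return "openssh-public-key"       # fine for ldap_user_ssh_public_key, but it is not a certificate
    if b"-----BEGIN CERTIFICATE-----" in value:
        return "pem-certificate"
    if der_frame_ok(value):
        return "der-certificate"          # raw DER, the usual content of userCertificate;binary
    text = value.strip()
    if re.fullmatch(rb"[A-Za-z0-9+/=\r\n]+", text):
        try:
            if der_frame_ok(base64.b64decode(text, validate=False)):
                return "base64-text-of-der"  # DER that was stored as base64 text, not as binary
        except binascii.Error:
            pass
    return "unknown"


# Constructed samples (not real credentials): a toy SEQUENCE{INTEGER 5} standing in for DER.
SAMPLE_DER = bytes.fromhex("3003020105")
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
LDIF_SSH = "userCertificate: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC example"
LDIF_BINARY = "userCertificate;binary:: " + SAMPLE_B64
LDIF_B64_TEXT = "userCertificate: " + SAMPLE_B64
```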