Add new Active Directory related certificate mapping templates #6403
Bugzilla Bug: https://bugzilla.redhat.com/show_bug.cgi?id=2087247
sumit-bose added a commit to sumit-bose/sssd that referenced this issue (Oct 25, 2022):
Read the serial number of the certificate and make it available. Resolves: SSSD#6403

sumit-bose added a commit to sumit-bose/sssd that referenced this issue (Oct 25, 2022):
Read the subject key id from the certificate and make it available. Resolves: SSSD#6403

sumit-bose added a commit to sumit-bose/sssd that referenced this issue (Oct 25, 2022):
Check if the SID extension is available, read the SID and make it available. Resolves: SSSD#6403

sumit-bose added a commit to sumit-bose/sssd that referenced this issue (Oct 25, 2022):
This patch adds a helper function to format hexadecimal strings of binary data. Resolves: SSSD#6403

sumit-bose added a commit to sumit-bose/sssd that referenced this issue (Oct 25, 2022):
The new 'cert-eval-rule' sub-command of sssctl shows the results of given matching and mapping rules on a given certificate. This should help to find suitable mapping and matching rules and to understand why a given certificate is matched or not. Resolves: SSSD#6403

sumit-bose added a commit to sumit-bose/sssd that referenced this issue (Oct 25, 2022):
Add the newly discovered certificate values, i.e. serial number, subject key id and SID, to the output of sss_cert_dump_content() which is used e.g. by 'sssctl cert-show'. Resolves: SSSD#6403

sumit-bose added a commit to sumit-bose/sssd that referenced this issue (Oct 25, 2022):
Add mapping rule templates for the newly discovered attributes, templates for certificate hashes and templates to select individual DN components. To avoid issues with older versions of the library the new templates must use the prefix LDAPU1. :feature: New mapping templates for serial number, subject key id, SID, certificate hashes and DN components are added to libsss_certmap. Resolves: SSSD#6403

sumit-bose added a commit to sumit-bose/sssd that referenced this issue (Oct 25, 2022).

sumit-bose added a commit to sumit-bose/sssd that referenced this issue (Oct 25, 2022):
This patch adds the new LDAPU1 mapping rule templates to the sss-certmap man page. Resolves: SSSD#6403
sumit-bose added a commit to sumit-bose/sssd that referenced this issue (Dec 2, 2022):
The new 'cert-eval-rule' sub-command of sssctl shows the results of given matching and mapping rules on a given certificate. This should help to find suitable mapping and matching rules and to understand why a given certificate is matched or not. Resolves: SSSD#6403 Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> Reviewed-by: Justin Stephenson <jstephen@redhat.com> (cherry picked from commit 11483f1)

sumit-bose added a commit to sumit-bose/sssd that referenced this issue (Dec 2, 2022):
Add the newly discovered certificate values, i.e. serial number, subject key id and SID, to the output of sss_cert_dump_content() which is used e.g. by 'sssctl cert-show'. Resolves: SSSD#6403 Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> Reviewed-by: Justin Stephenson <jstephen@redhat.com> (cherry picked from commit 0a90610)

sumit-bose added a commit to sumit-bose/sssd that referenced this issue (Dec 2, 2022):
Add mapping rule templates for the newly discovered attributes, templates for certificate hashes and templates to select individual DN components. To avoid issues with older versions of the library the new templates must use the prefix LDAPU1. :feature: New mapping templates for serial number, subject key id, SID, certificate hashes and DN components are added to libsss_certmap. Resolves: SSSD#6403 Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> Reviewed-by: Justin Stephenson <jstephen@redhat.com> (cherry picked from commit 1303c62)

sumit-bose added a commit to sumit-bose/sssd that referenced this issue (Dec 2, 2022):
Add mapping rule templates for the newly discovered attributes, templates for certificate hashes and templates to select individual DN components. To avoid issues with older versions of the library the new templates must use the prefix LDAPU1. :feature: New mapping templates for serial number, subject key id, SID, certificate hashes and DN components are added to libsss_certmap. Resolves: SSSD#6403 (cherry picked from commit 1303c62)

alexey-tikhonov pushed a commit that referenced this issue (Dec 2, 2022):
The new 'cert-eval-rule' sub-command of sssctl shows the results of given matching and mapping rules on a given certificate. This should help to find suitable mapping and matching rules and to understand why a given certificate is matched or not. Resolves: #6403 (cherry picked from commit 11483f1) Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> Reviewed-by: Justin Stephenson <jstephen@redhat.com>

alexey-tikhonov pushed a commit that referenced this issue (Dec 2, 2022):
Add the newly discovered certificate values, i.e. serial number, subject key id and SID, to the output of sss_cert_dump_content() which is used e.g. by 'sssctl cert-show'. Resolves: #6403 (cherry picked from commit 0a90610) Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> Reviewed-by: Justin Stephenson <jstephen@redhat.com>

alexey-tikhonov pushed a commit that referenced this issue (Dec 2, 2022):
Add mapping rule templates for the newly discovered attributes, templates for certificate hashes and templates to select individual DN components. To avoid issues with older versions of the library the new templates must use the prefix LDAPU1. :feature: New mapping templates for serial number, subject key id, SID, certificate hashes and DN components are added to libsss_certmap. Resolves: #6403 (cherry picked from commit 1303c62) Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Pushed PR: #6467
Description of problem:
New and updated versions of Active Directory will deprecate some of the existing certificate mapping schemes and will in future only allow some of the existing or new mappings. See https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16 for details.
Although the certificate mapping on the AD side is not strictly related to what is required on the Active Directory side, it would be convenient to use the same mappings.
For this, SSSD's libsss_certmap should get new mapping templates for the altSecurityIdentities options:
<SR>
<SKI>
I think <SHA1-PUBKEY> can be skipped because of SHA1. Additionally, Microsoft's new SID extension should be supported so that libsss_certmap can extract the SID from the certificate and use it in search filters. A split into domain-SID and RID might be needed as well.
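As an added example (not SSSD's own code; libsss_certmap implements this in C), the following dependency-free DER walker pulls the three identifiers the issue asks for out of a certificate: the serial number, the subject key id (extension 2.5.29.14) and the SID carried in Microsoft's 1.3.6.1.4.1.311.25.2 extension, and splits the SID into domain SID and RID. The certificate it parses is a constructed, unsigned, minimal structure built inline (no real cert is embedded); the reversed serial follows the byte order AD expects in its X509:<SR> altSecurityIdentities form (KB5014754).

```python
OID_SKI = "2.5.29.14"                        # SubjectKeyIdentifier
OID_MS_SID_EXT = "1.3.6.1.4.1.311.25.2"      # szOID_NTDS_CA_SECURITY_EXT (KB5014754)
OID_MS_OBJECTSID = "1.3.6.1.4.1.311.25.2.1"  # OtherName type-id that carries the SID string
OID_DER = {OID_SKI: "551d0e", OID_MS_SID_EXT: "2b0601040182371902", OID_MS_OBJECTSID: "2b060104018237190201"}

def der(tag, body):                          # DER TLV; the constructed sample stays below 128 bytes
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def oid_str(body):                           # OBJECT IDENTIFIER body -> dotted string
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v); v = 0
    return ".".join(map(str, arcs))

def children(body):                          # constructed DER body -> [(tag, value), ...]
    pos, out = 0, []
    while pos < len(body):
        tag, n, pos = body[pos], body[pos + 1], pos + 2
        if n & 0x80:                         # long-form length, as in any real certificate
            n, pos = int.from_bytes(body[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
        out.append((tag, body[pos:pos + n]))
        pos += n
    return out

def build_sample_cert(serial, ski, sid):     # constructed, unsigned, minimal Certificate (sample only)
    o = lambda name: der(0x06, bytes.fromhex(OID_DER[name]))
    ext = lambda name, val: der(0x30, o(name) + der(0x04, val))   # Extension {extnID, extnValue}
    other_name = der(0xA0, o(OID_MS_OBJECTSID) + der(0xA0, der(0x04, sid.encode())))
    exts = der(0x30, ext(OID_SKI, der(0x04, ski)) + ext(OID_MS_SID_EXT, der(0x30, other_name)))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, serial) + der(0xA3, exts))
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))

def cert_identifiers(cert):                  # the values the new templates can match and map on
    fields = children(children(children(cert)[0][1])[0][1])   # TBSCertificate fields
    serial = next(v for t, v in fields if t == 0x02).lstrip(b"\x00") or b"\x00"
    ids = {"serial": serial.hex(), "serial_reversed": serial[::-1].hex()}  # AD's X509:<SR> reverses the bytes
    for _, ext in children(children(next(v for t, v in fields if t == 0xA3))[0][1]):
        parts = children(ext)                                   # [extnID, (critical), extnValue]
        name, value = oid_str(parts[0][1]), parts[-1][1]
        if name == OID_SKI:
            ids["ski"] = children(value)[0][1].hex()
        elif name == OID_MS_SID_EXT:  # SEQUENCE { [0] { type-id OID, [0] { OCTET STRING sid } } }
            type_id, inner = children(children(children(value)[0][1])[0][1])
            if oid_str(type_id[1]) == OID_MS_OBJECTSID:
                ids["sid"] = children(inner[1])[0][1].decode()
                ids["domain_sid"], ids["rid"] = ids["sid"].rsplit("-", 1)
    return ids
```

A real DER certificate (e.g. the bytes inside a PEM block) can be passed to cert_identifiers() unchanged; only build_sample_cert() is limited to short lengths.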