[Freeipa-users] Re: Automating host enrolment with PKINIT

Wed, 23 Oct 2024 04:40:20 -0700 

Am Wed, Oct 23, 2024 at 12:10:01PM +0100 schrieb Sam Morris via FreeIPA-users:
> Having read the "Automated enrollment of FreeIPA host" thread 
> <https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/YSPY5UD3NCJHAGH57IVFO37B2R7G5UM3/#KSEAZQ6RKNM7DBJ4IP5BXGTEA7U4IUJM>
> earlier in the year, I've written up some notes that I made while
> implementing it on my domain, which might be of interest to other users:
> 
> https://robots.org.uk/FreeIPA#Automating_host_enrollment_with_PKINIT
> 
> I decided to create a more complex certificate mapping rule which matches on
> the certificate's Kerberos principal name as well as its DNS-ID. The
> advantage of this approach is that it prevents certificates without a
> Kerberos principal name from being used for PKINIT at all, and it also stops
> a host and the services running on it from using their certificates to
> authenticate as each other.
> 
> There's also some info about the details of the two different ways to add a
> Kerberos principal name to certificates, and examples of using OpenSSL to
> add the `szOID_NT_PRINCIPAL_NAME` type of otherName.
> 
> I noticed that sss-certmap(5) documents an extended form of the <SAN>
> component rule that is not present in krb5.conf(5) (e.g., <SAN:Principal>).
> I was wondering how these actually work - does krb5kdc KDC call into an SSSD
> plugin that implements these extra matching rule components?

Hi,

yes, FreeIPA implements a certauth plugin which uses libsss_certmap.so
to implement the mapping rules.

# ldd /usr/lib64/krb5/plugins/kdb/ipadb.so |grep sss
        libsss_certmap.so.0 => /lib64/libsss_certmap.so.0 (0x00007f7307271000)

and in krb5.conf there is

[plugins]
 certauth = {
  module = ipakdb:kdb/ipadb.so
  enable_only = ipakdb
 }

HTH

bye,
Sumit

> 
> Thanks!
> 
> -- 
> Sam Morris <https://robots.org.uk/>
> PGP: rsa4096/CAAA AA1A CA69 A83A 892B  1855 D20B 4202 5CDA 27B9
> 
> -- 
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam, report it: 
> https://pagure.io/fedora-infrastructure/new_issue

-- 
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Reply via email to