Chapter 14. Configuring certificate mapping if AD user entry contains no certificate or mapping data
This user story describes the steps necessary for enabling certificate mapping in IdM if the IdM deployment is in trust with Active Directory (AD), the user is stored in AD and the user entry in AD contains neither the whole certificate nor certificate mapping data.
14.1. Prerequisites
- The user does not have an account in IdM.
- The user has an account in AD which contains neither the whole certificate nor the altSecurityIdentities attribute, the AD equivalent of the IdM certmapdata attribute.
- The IdM administrator has done one of the following:
  - Added the whole AD user certificate to the AD user's user ID override in IdM.
  - Created a certificate mapping rule that maps to an alternative field in the certificate, such as the Subject Alternative Name or the SID of the user.
14.2. Adding a certificate mapping rule in the IdM web UI if AD user entry contains no certificate or mapping data
- Log into the IdM web UI as an administrator.
- Navigate to Authentication → Certificate Identity Mapping Rules → Certificate Identity Mapping Rules.
- Click Add.
  Figure 14.1. Adding a new certificate mapping rule in the IdM web UI
- Enter the rule name.
- Enter the mapping rule. To have the whole certificate that is presented to IdM for authentication compared to the certificate stored in the user ID override entry of the AD user entry in IdM:

      (userCertificate;binary={cert!bin})

  Note: As the certificate also contains the user principal name as the SAN or, with the latest updates, the SID of the user in the SID extension of the certificate, you can also use these fields to map the certificate to the user. For example, if using the SID of the user, replace this mapping rule with LDAPU1:(objectsid={sid}). For more information on certificate mapping, see the sss-certmap man page on your system.
- Enter the matching rule. For example, to only allow certificates issued by the AD-ROOT-CA of the AD.EXAMPLE.COM domain to authenticate:

      <ISSUER>CN=AD-ROOT-CA,DC=ad,DC=example,DC=com

- Enter the domain name. For example, to search for users in the ad.example.com domain:
  Figure 14.2. Certificate mapping rule for a user with no certificate or mapping data stored in AD
- Click Add.
- The System Security Services Daemon (SSSD) periodically re-reads the certificate mapping rules. To force the newly created rule to be loaded immediately, restart SSSD in the CLI:

      # systemctl restart sssd
14.3. Adding a certificate mapping rule in the IdM CLI if AD user entry contains no certificate or mapping data
- Obtain the administrator's credentials:

      # kinit admin

- Enter the mapping rule and the matching rule the mapping rule is based on. To have the whole certificate that is presented for authentication compared to the certificate stored in the user ID override entry of the AD user entry in IdM, only allowing certificates issued by the AD-ROOT-CA of the AD.EXAMPLE.COM domain to authenticate:

  Note: As the certificate also contains the user principal name as the SAN or, with the latest updates, the SID of the user in the SID extension of the certificate, you can also use these fields to map the certificate to the user. For example, if using the SID of the user, replace this mapping rule with LDAPU1:(objectsid={sid}). For more information on certificate mapping, see the sss-certmap man page on your system.
- The System Security Services Daemon (SSSD) periodically re-reads the certificate mapping rules. To force the newly created rule to be loaded immediately, restart SSSD:

      # systemctl restart sssd
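Added example, not IdM or SSSD code: a simplified Python model of how the match rule and the two mapping rules from sections 14.2 and 14.3 are evaluated against a presented certificate, with constructed certificate attributes and directory entries standing in for real DER data and LDAP. The backslash-hex escaping of {cert!bin} and the string-valued objectsid are simplifications of what sss-certmap actually does; the point is to show that the issuer match rule rejects a certificate from another CA before any mapping is attempted, and that the two map rules resolve to different LDAP searches.

```python
import re

# Constructed sample certificate attributes (not real certificates) that the rules on this page use.
AD_ISSUER = "CN=AD-ROOT-CA,DC=ad,DC=example,DC=com"
DER = bytes.fromhex("308201aa")  # placeholder for the DER-encoded certificate
CERT_AD_USER = {"issuer": AD_ISSUER, "der": DER, "sid": "S-1-5-21-1-2-3-1105"}
CERT_FOREIGN = dict(CERT_AD_USER, issuer="CN=Other-CA,DC=example,DC=org")

# The rules from sections 14.2/14.3.
MATCH_RULE = "<ISSUER>CN=AD-ROOT-CA,DC=ad,DC=example,DC=com"
MAP_RULE_CERT = "(userCertificate;binary={cert!bin})"
MAP_RULE_SID = "LDAPU1:(objectsid={sid})"

# Constructed directory entries: the ID override holding the whole certificate (14.4/14.5)
# and the AD user object carrying objectSid (a string here; AD stores it as binary).
ENTRIES = [
    {"uid": "ad_user@ad.example.com", "userCertificate;binary": DER},
    {"uid": "ad_user@ad.example.com", "objectsid": "S-1-5-21-1-2-3-1105"},
]

def ldap_escape_binary(data):
    """RFC 4515 escaping of raw bytes inside an LDAP filter value."""
    return "".join(f"\\{b:02x}" for b in data)

def matches(match_rule, cert):
    """Match rule: <ISSUER>DN decides whether the certificate is considered at all."""
    m = re.fullmatch(r"<ISSUER>(.+)", match_rule)
    return m is not None and cert["issuer"] == m.group(1)

def render_map_rule(map_rule, cert):
    """Map rule -> concrete LDAP filter; {cert!bin} is the whole DER cert, {sid} the SID extension."""
    rule = map_rule[len("LDAPU1:"):] if map_rule.startswith("LDAPU1:") else map_rule
    values = {"cert!bin": ldap_escape_binary(cert["der"]), "sid": cert["sid"]}
    return re.sub(r"\{(cert!bin|sid)\}", lambda m: values[m.group(1)], rule)

def search(ldap_filter):
    """Minimal '(attr=value)' evaluator standing in for the LDAP search SSSD runs."""
    attr, value = re.fullmatch(r"\((.+?)=(.+)\)", ldap_filter).groups()
    for entry in ENTRIES:
        stored = entry.get(attr)
        stored = ldap_escape_binary(stored) if isinstance(stored, bytes) else stored
        if stored == value:
            return entry["uid"]
    return None

def map_certificate(match_rule, map_rule, cert):
    """User the certificate maps to, or None if the match rule rejects it or nothing matches."""
    if not matches(match_rule, cert):
        return None
    return search(render_map_rule(map_rule, cert))
```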
14.4. Adding a certificate to an AD user’s ID override in the IdM web UI
- Navigate to Identity → ID Views → Default Trust View.
- Click Add.
  Figure 14.3. Adding a new user ID override in the IdM web UI
- In the User to override field, enter ad_user@ad.example.com.
- Copy and paste the certificate of ad_user into the Certificate field.
  Figure 14.4. Configuring the User ID override for an AD user
- Click Add.
Verification
Verify that the user and certificate are linked:
- Use the sss_cache utility to invalidate the record of ad_user@ad.example.com in the SSSD cache and force a reload of the ad_user@ad.example.com information:

      # sss_cache -u ad_user@ad.example.com

- Run the ipa certmap-match command with the name of the file containing the certificate of the AD user:

The output confirms that you have certificate mapping data added to ad_user@ad.example.com and that a corresponding mapping rule defined in Adding a certificate mapping rule if the AD user entry contains no certificate or mapping data exists. This means that you can use any certificate that matches the defined certificate mapping data to authenticate as ad_user@ad.example.com.
14.5. Adding a certificate to an AD user’s ID override in the IdM CLI
- Obtain the administrator's credentials:

      # kinit admin

- Store the certificate blob in a new variable called CERT:

      # CERT=$(openssl x509 -in /path/to/certificate -outform der | base64 -w0)

- Add the certificate of ad_user@ad.example.com to the user account using the ipa idoverrideuser-add-cert command:

      # ipa idoverrideuser-add-cert ad_user@ad.example.com --certificate $CERT
Verification
Verify that the user and certificate are linked:
- Use the sss_cache utility to invalidate the record of ad_user@ad.example.com in the SSSD cache and force a reload of the ad_user@ad.example.com information:

      # sss_cache -u ad_user@ad.example.com

- Run the ipa certmap-match command with the name of the file containing the certificate of the AD user:

The output confirms that you have certificate mapping data added to ad_user@ad.example.com and that a corresponding mapping rule defined in Adding a certificate mapping rule if the AD user entry contains no certificate or mapping data exists. This means that you can use any certificate that matches the defined certificate mapping data to authenticate as ad_user@ad.example.com.