Inicio
Productos
Red Hat Enterprise Linux
10
Managing certificates in IdM
Chapter 13. Configuring certificate mapping if AD is configured to map user certificates to user accounts

Este contenido no está disponible en el idioma seleccionado.

Chapter 13. Configuring certificate mapping if AD is configured to map user certificates to user accounts

You can enable certificate mapping in IdM if the IdM deployment is in a trust with Active Directory (AD), the user is stored in AD, and the user entry in AD contains certificate mapping data.

13.1. Prerequisites
Copiar enlace

The user does not have an account in IdM.
The user has an account in AD which contains the altSecurityIdentities attribute, the AD equivalent of the IdM certmapdata attribute.
The IdM administrator has access to data on which the IdM certificate mapping rule can be based.

13.2. Adding a certificate mapping rule in the IdM web UI if AD is configured to map user certificates to user accounts
Copiar enlace

The IdM Web UI enables administrators to create rules that map presented certificates to the altSecurityIdentities attribute in Active Directory. Configure the rule to extract specific Issuer and Subject information for authentication against the trusted domain.

Procedure

Log into the IdM web UI as an administrator.
Navigate to Authentication Certificate Identity Mapping Rules Certificate Identity Mapping Rules.
Click Add.
Adding a new certificate mapping rule in the IdM web UI image::new-certmaprule-add.png[Screenshot of the IdM Web UI displaying the "Certificate Identity Mapping Rules" sub-tab from the Authentication tab. The "Add" button at the right of the page is highlighted.]
Enter the rule name.
Enter the mapping rule. For example, to make AD DC search for the Issuer and Subject entries in any certificate presented, and base its decision to authenticate or not on the information found in these two entries of the presented certificate:
```
(altSecurityIdentities=X509:<I>{issuer_dn!ad_x500}<S>{subject_dn!ad_x500})
```
```
(altSecurityIdentities=X509:<I>{issuer_dn!ad_x500}<S>{subject_dn!ad_x500})
```
Copy to Clipboard Toggle word wrap
Enter the matching rule. For example, to only allow certificates issued by the AD-ROOT-CA of the AD.EXAMPLE.COM domain to authenticate users to IdM:
```
<ISSUER>CN=AD-ROOT-CA,DC=ad,DC=example,DC=com
```
```
<ISSUER>CN=AD-ROOT-CA,DC=ad,DC=example,DC=com
```
Copy to Clipboard Toggle word wrap
Enter the domain:
```
ad.example.com
```
```
ad.example.com
```
Copy to Clipboard Toggle word wrap
Certificate mapping rule if AD is configured for mapping image::certmaprule-add-details-ad-map.png[Screenshot of the "Add Certificate Identity Mapping Rule" pop-up window with the following fields filled in: Rule name (which is required) - Mapping rule - Matching rule. The "Priority" field is blank and there is also an "Add" button next to the "Domain name" label.]
Click Add.
The System Security Services Daemon (SSSD) periodically re-reads the certificate mapping rules. To force the newly-created rule to be loaded immediately, restart SSSD in the CLI::
```
systemctl restart sssd
```
```
# systemctl restart sssd
```
Copy to Clipboard Toggle word wrap

13.3. Adding a certificate mapping rule in the IdM CLI if AD is configured to map user certificates to user accounts
Copiar enlace

You can use the IdM CLI to add the required certificate mapping rule to complete the authentication linkage with Active Directory (AD). With this rule, IdM can correctly map AD user certificates to their IdM accounts.

Procedure

Obtain the administrator’s credentials:
```
kinit admin
```
```
# kinit admin
```
Copy to Clipboard Toggle word wrap

Enter the mapping rule and the matching rule the mapping rule is based on. For example, to make AD search for the Issuer and Subject entries in any certificate presented, and only allow certificates issued by the AD-ROOT-CA of the AD.EXAMPLE.COM domain:

ipa certmaprule-add ad_configured_for_mapping_rule --matchrule '<ISSUER>CN=AD-ROOT-CA,DC=ad,DC=example,DC=com' --maprule '(altSecurityIdentities=X509:<I>{issuer_dn!ad_x500}<S>{subject_dn!ad_x500})' --domain=ad.example.com

# ipa certmaprule-add ad_configured_for_mapping_rule --matchrule '<ISSUER>CN=AD-ROOT-CA,DC=ad,DC=example,DC=com' --maprule '(altSecurityIdentities=X509:<I>{issuer_dn!ad_x500}<S>{subject_dn!ad_x500})' --domain=ad.example.com

Copy to Clipboard

Toggle word wrap

-------------------------------------------------------
Added Certificate Identity Mapping Rule "ad_configured_for_mapping_rule"
-------------------------------------------------------
  Rule name: ad_configured_for_mapping_rule
  Mapping rule: (altSecurityIdentities=X509:<I>{issuer_dn!ad_x500}<S>{subject_dn!ad_x500})
  Matching rule: <ISSUER>CN=AD-ROOT-CA,DC=ad,DC=example,DC=com
  Domain name: ad.example.com
  Enabled: TRUE

-------------------------------------------------------
Added Certificate Identity Mapping Rule "ad_configured_for_mapping_rule"
-------------------------------------------------------
  Rule name: ad_configured_for_mapping_rule
  Mapping rule: (altSecurityIdentities=X509:<I>{issuer_dn!ad_x500}<S>{subject_dn!ad_x500})
  Matching rule: <ISSUER>CN=AD-ROOT-CA,DC=ad,DC=example,DC=com
  Domain name: ad.example.com
  Enabled: TRUE

Copy to Clipboard

Toggle word wrap

The System Security Services Daemon (SSSD) periodically re-reads the certificate mapping rules. To force the newly-created rule to be loaded immediately, restart SSSD:
```
systemctl restart sssd
```
```
# systemctl restart sssd
```
Copy to Clipboard Toggle word wrap

13.4. Checking certificate mapping data on the AD side
Copiar enlace

The altSecurityIdentities attribute is the Active Directory (AD) equivalent of certmapdata user attribute in IdM. When configuring certificate mapping in IdM in the scenario when a trusted AD domain is configured to map user certificates to user accounts, the IdM system administrator needs to check that the altSecurityIdentities attribute is set correctly in the user entries in AD.

Prerequisites

The user account must have user administration access.

Procedure

To check that AD contains the right information for the user stored in AD, use the ldapsearch command. For example, enter the command below to check with the adserver.ad.example.com server that the following conditions apply:

The altSecurityIdentities attribute is set in the user entry of ad_user.

The matchrule stipulates that the following conditions apply:

The certificate that ad_user uses to authenticate to AD was issued by AD-ROOT-CA of the ad.example.com domain.

The subject is <S>DC=com,DC=example,DC=ad,CN=Users,CN=ad_user:

ldapsearch -o ldif-wrap=no -LLL -h adserver.ad.example.com \
-p 389 -D cn=Administrator,cn=users,dc=ad,dc=example,dc=com \
-W -b cn=users,dc=ad,dc=example,dc=com "(cn=ad_user)" \
altSecurityIdentities

$ ldapsearch -o ldif-wrap=no -LLL -h adserver.ad.example.com \
-p 389 -D cn=Administrator,cn=users,dc=ad,dc=example,dc=com \
-W -b cn=users,dc=ad,dc=example,dc=com "(cn=ad_user)" \
altSecurityIdentities

Copy to Clipboard

Toggle word wrap

Enter LDAP Password:
dn: CN=ad_user,CN=Users,DC=ad,DC=example,DC=com
altSecurityIdentities: X509:<I>DC=com,DC=example,DC=ad,CN=AD-ROOT-CA<S>DC=com,DC=example,DC=ad,CN=Users,CN=ad_user

Enter LDAP Password:
dn: CN=ad_user,CN=Users,DC=ad,DC=example,DC=com
altSecurityIdentities: X509:<I>DC=com,DC=example,DC=ad,CN=AD-ROOT-CA<S>DC=com,DC=example,DC=ad,CN=Users,CN=ad_user

Copy to Clipboard

Toggle word wrap

Este contenido no está disponible en el idioma seleccionado.

Chapter 13. Configuring certificate mapping if AD is configured to map user certificates to user accounts

13.1. Prerequisites
Copiar enlace

13.2. Adding a certificate mapping rule in the IdM web UI if AD is configured to map user certificates to user accounts
Copiar enlace

13.3. Adding a certificate mapping rule in the IdM CLI if AD is configured to map user certificates to user accounts
Copiar enlace

13.4. Checking certificate mapping data on the AD side
Copiar enlace

Aprender

Pruebe, compre y venda

Comunidades

Acerca de la documentación de Red Hat

Hacer que el código abierto sea más inclusivo

Acerca de Red Hat

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links

Este contenido no está disponible en el idioma seleccionado.

Chapter 13. Configuring certificate mapping if AD is configured to map user certificates to user accounts

13.1. PrerequisitesCopiar enlaceEnlace copiado en el portapapeles!

13.2. Adding a certificate mapping rule in the IdM web UI if AD is configured to map user certificates to user accountsCopiar enlaceEnlace copiado en el portapapeles!

13.3. Adding a certificate mapping rule in the IdM CLI if AD is configured to map user certificates to user accountsCopiar enlaceEnlace copiado en el portapapeles!

13.4. Checking certificate mapping data on the AD sideCopiar enlaceEnlace copiado en el portapapeles!

Aprender

Pruebe, compre y venda

Comunidades

Acerca de la documentación de Red Hat

Hacer que el código abierto sea más inclusivo

Acerca de Red Hat

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links

13.1. Prerequisites
Copiar enlace

13.2. Adding a certificate mapping rule in the IdM web UI if AD is configured to map user certificates to user accounts
Copiar enlace

13.3. Adding a certificate mapping rule in the IdM CLI if AD is configured to map user certificates to user accounts
Copiar enlace

13.4. Checking certificate mapping data on the AD side
Copiar enlace