Chapter 11. Configuring certificate mapping for users stored in IdM

Procedure

1. Log in to the IdM web UI as an administrator.
2. Navigate to Authentication Certificate Identity Mapping Rules Certificate Identity Mapping Rules.

3. Click Add.

   Adding a new certificate mapping rule in the IdM web UI image::new-certmaprule-add.png[Screenshot of the IdM Web UI displaying the "Certificate Identity Mapping Rules" sub-tab from the Authentication tab. The "Add" button at the right of the page is highlighted.]

4. Enter the rule name.

5. Enter the mapping rule. For example, to make IdM search for the Issuer and Subject entries in any certificate presented to them, and base its decision to authenticate or not on the information found in these two entries of the presented certificate:

   (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})

6. Enter the matching rule. For example, to only allow certificates issued by the Smart Card CA of the EXAMPLE.ORG organization to authenticate users to IdM:

   <ISSUER>CN=Smart Card CA,O=EXAMPLE.ORG

   Entering the details for a certificate mapping rule in the IdM web UI image::certmaprule-add-details1.png[Screenshot of the "Add Certificate Identity Mapping Rule" pop-up window with the following fields filled in: Rule name (which is required) - Mapping rule - Matching rule. The Priority field is blank and there is also an Add button next to the Domain name label.]

7. Click Add at the bottom of the dialog box to add the rule and close the box.

8. The System Security Services Daemon (SSSD) periodically re-reads the certificate mapping rules. To force the newly-created rule to be loaded immediately, restart SSSD:

   # systemctl restart sssd

   Now you have a certificate mapping rule set up that compares the type of data specified in the mapping rule that it finds on a smart card certificate with the certificate mapping data in your IdM user entries. Once it finds a match, it authenticates the matching user.

Procedure

1. Obtain the administrator’s credentials:

   # kinit admin

2. Enter the mapping rule and the matching rule the mapping rule is based on. For example, to make IdM search for the Issuer and Subject entries in any certificate presented, and base its decision to authenticate or not on the information found in these two entries of the presented certificate, recognizing only certificates issued by the Smart Card CA of the EXAMPLE.ORG organization:

   # ipa certmaprule-add rule_name --matchrule '<ISSUER>CN=Smart Card CA,O=EXAMPLE.ORG' --maprule '(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})'

   -------------------------------------------------------
   Added Certificate Identity Mapping Rule "rule_name"
   -------------------------------------------------------
     Rule name: rule_name
     Mapping rule: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})
     Matching rule: <ISSUER>CN=Smart Card CA,O=EXAMPLE.ORG
     Enabled: TRUE

3. The System Security Services Daemon (SSSD) periodically re-reads the certificate mapping rules. To force the newly-created rule to be loaded immediately, restart SSSD:

   # systemctl restart sssd

   Now you have a certificate mapping rule set up that compares the type of data specified in the mapping rule that it finds on a smart card certificate with the certificate mapping data in your IdM user entries. Once it finds a match, it authenticates the matching user.

Procedure

1. Log into the IdM web UI as an administrator.
2. Navigate to Users Active users idm_user.
3. Find the Certificate mapping data option and click Add.

4. Choose one of the following options:

   • If you have the certificate of idm_user:

     1. On the command line, display the certificate using the cat utility or a text editor:

        [root@server ~]# cat idm_user_certificate.pem

        -----BEGIN CERTIFICATE-----
        MIIFFTCCA/2gAwIBAgIBEjANBgkqhkiG9w0BAQsFADA6MRgwFgYDVQQKDA9JRE0u
        RVhBTVBMRS5DT00xHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0x
        ODA5MDIxODE1MzlaFw0yMDA5MDIxODE1MzlaMCwxGDAWBgNVBAoMD0lETS5FWEFN
        [...output truncated...]

     2. Copy the certificate.

     3. In the IdM web UI, click Add next to Certificate and paste the certificate into the window that opens up.

        Adding a user’s certificate mapping data: certificate image::user-add-cert.png[Screenshot of a page displaying settings for the user "demouser" with an Identity Settings column on the left with entries such as Job Title - First name - Last name - Full name - Display name. The "Account Settings" column is on the right with entries such as User login - Password - UID - GID. The "Add" button for the "Certificates" entry is highlighted.]

        • If you do not have the certificate of idm_user at your disposal but know the Issuer and the Subject of the certificate, check the radio button of Issuer and subject and enter the values in the two respective boxes.

        Adding a user’s certificate mapping data: issuer and subject image::user-add-certdata.png[Screenshot of the "Add Certificate Mapping Data" pop-up window with two radial button options: "Certificate mapping data" and "Issuer and subject." "Issuer and subject" is selected and its two fields (Issuer and Subject) have been filled out.]

5. Click Add.

1. Use the sss_cache utility to invalidate the record of idm_user in the SSSD cache and force a reload of the idm_user information:

   # sss_cache -u idm_user

2. Run the ipa certmap-match command with the name of the file containing the certificate of the IdM user:

   # ipa certmap-match idm_user_cert.pem

   --------------
   1 user matched
   --------------
    Domain: IDM.EXAMPLE.COM
    User logins: idm_user
   ----------------------------
   Number of entries returned 1
   ----------------------------

   The output confirms that now you have certificate mapping data added to idm_user and that a corresponding mapping rule exists. This means that you can use any certificate that matches the defined certificate mapping data to authenticate as idm_user.

Procedure

1. Obtain the administrator’s credentials:

   # kinit admin

2. Choose one of the following options:

   • If you have the certificate of idm_user, add the certificate to the user account using the ipa user-add-cert command:

     # CERT=$(openssl x509 -in idm_user_cert.pem -outform der|base64 -w0)

     # ipa user-add-certmapdata idm_user --certificate $CERT

   • If you do not have the certificate of idm_user but know the Issuer and the Subject of the user’s certificate:

     # ipa user-add-certmapdata idm_user --subject "O=EXAMPLE.ORG,CN=test" --issuer "CN=Smart Card CA,O=EXAMPLE.ORG"

     --------------------------------------------
     Added certificate mappings to user "idm_user"
     --------------------------------------------
       User login: idm_user
       Certificate mapping data: X509:<I>O=EXAMPLE.ORG,CN=Smart Card CA<S>CN=test,O=EXAMPLE.ORG

1. Use the sss_cache utility to invalidate the record of idm_user in the SSSD cache and force a reload of the idm_user information:

   # sss_cache -u idm_user

2. Run the ipa certmap-match command with the name of the file containing the certificate of the IdM user:

   # ipa certmap-match idm_user_cert.pem

   --------------
   1 user matched
   --------------
    Domain: IDM.EXAMPLE.COM
    User logins: idm_user
   ----------------------------
   Number of entries returned 1
   ----------------------------

   The output confirms that now you have certificate mapping data added to idm_user and that a corresponding mapping rule exists. This means that you can use any certificate that matches the defined certificate mapping data to authenticate as idm_user.