Tania Hagan via FreeIPA-users wrote:
> Hi Rob, 
> 
> As a company we turn off anonymous bind for security reasons, but have a 
> number of sysaccounts that are used in scripts to bind as that bind user and 
> complete an ldapsearch (e.g. get list of users, get monitoring metrics). We
> also have systems such as phabricator that require a sysaccount to connect to 
> freeipa for user login. 
> 
> At the moment the search and binds are completed using user and password, but 
> we'd like to move away from having to store the password anywhere and instead 
> use certificates ideally provided by the freeipa server.  
> 
> Hope this makes more sense. 

It does, thanks.

I think all the capabilities are there but you'd have to figure out how
to put all the pieces together. This isn't something we're working on.

IPA can issue user certificates but you'd need to create a certificate
profile for it. There is some relevant discussion at
https://frasertweedale.github.io/blog-redhat/posts/2015-08-06-freeipa-custom-certprofile.html
. Note that this creates a signing cert and not a user cert, so you'd
have to tweak other things, but it goes over the basics. The same blog
may have additional pointers but this is the main one I found.

We did some design work about user certificates but never implemented it
all. Read this with that in mind as not everything was implemented,
https://www.freeipa.org/page/V4/User_Certificates . I can see my own
fingerprints on it, particularly with my common typos, but I honestly
pushed all of this out of my brain long ago.

As mentioned earlier, you'd need to manually add a new objectclass to
your sysaccount user and also set a uid for certificate matching.

And you'd be on the hook for managing renewal of the user certificate(s).

The final step is related to certificate mapping which maps a cert
subject to an entry (not to be confused with SSSD certificate mapping).
This is managed by /etc/dirsrv/slapd-EXAMPLE-TEST/certmap.conf. I
believe that the out-of-the-box configuration should work fine if the
sysaccount user has a uid that matches the uid in the cert subject.

rob
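The pieces Rob lists, put together as an added example script (not from this thread, and not FreeIPA's own tooling): a check that the issued certificate's subject uid really is the sysaccount's uid, the LDIF that adds the extra objectclass and loads the cert into the entry, an explicit certmap.conf stanza, and the password-free ldapsearch bind via SASL EXTERNAL over STARTTLS. Everything named here is an assumption: realm EXAMPLE.TEST, sysaccount phab-bind, server ipa.example.test, the CA subject "CN=Certificate Authority,O=EXAMPLE.TEST", and pkiUser as the objectclass that lets the entry carry userCertificate. Creating the profile and getting the cert issued is the IPA side covered by the blog post above and is not repeated here.

```shell
#!/bin/sh
# Added example, not from the thread: the pieces Rob lists, as one script.
# Hypothetical names throughout: realm EXAMPLE.TEST, sysaccount "phab-bind",
# server ipa.example.test, IPA CA subject "CN=Certificate Authority,O=EXAMPLE.TEST",
# and objectclass pkiUser as the one that lets the entry hold userCertificate.
set -eu

BASE_DN="dc=example,dc=test"
SYSACCOUNT_UID="${SYSACCOUNT_UID:-phab-bind}"
SYSACCOUNT_DN="uid=${SYSACCOUNT_UID},cn=sysaccounts,cn=etc,${BASE_DN}"
IPA_SERVER="${IPA_SERVER:-ipa.example.test}"
ISSUER_DN="${ISSUER_DN:-CN=Certificate Authority,O=EXAMPLE.TEST}"

# Extract the uid RDN value from a subject DN. Accepts the comma form
# ("UID=x,CN=y"), openssl's "C = US, UID = x" and the legacy "/C=US/UID=x".
# Prints nothing when the subject carries no uid at all.
subject_uid() {
  printf '%s\n' "$1" |
    sed -nE 's#^(.*[,/=[:space:]])?[Uu][Ii][Dd] *= *([^,/[:space:]]+).*$#\2#p'
}

# Refuse to go further if the cert's subject uid is not the sysaccount's uid:
# certmap.conf matches on that value, so a mismatch only fails at bind time.
check_subject_matches() {
  subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253)
  [ "$(subject_uid "${subj#subject=}")" = "$SYSACCOUNT_UID" ]
}

# LDIF adding the objectclass and the DER cert (base64, as LDIF's "::" expects).
# If the entry already has pkiUser, drop the first change or ldapmodify errors out.
sysaccount_ldif() {
  cat <<EOF
dn: ${SYSACCOUNT_DN}
changetype: modify
add: objectclass
objectclass: pkiUser
-
add: userCertificate;binary
userCertificate;binary:: $1
EOF
}

# Explicit stanza for /etc/dirsrv/slapd-EXAMPLE-TEST/certmap.conf (assumed layout,
# check the 389-ds certmap.conf docs): empty DNComps searches the whole tree,
# FilterComps uid builds (uid=<subject uid>), verifycert on requires the
# presented cert to equal the entry's userCertificate.
certmap_stanza() {
  cat <<EOF
certmap sysaccounts ${ISSUER_DN}
sysaccounts:DNComps
sysaccounts:FilterComps uid
sysaccounts:verifycert on
EOF
}

# The password-free bind: client cert over STARTTLS, then SASL EXTERNAL so the
# server maps the cert to the sysaccount entry. Remaining args go to ldapsearch.
cert_bind_search() {
  cert="$1"; key="$2"; shift 2
  LDAPTLS_CACERT=/etc/ipa/ca.crt LDAPTLS_CERT="$cert" LDAPTLS_KEY="$key" \
    ldapsearch -H "ldap://${IPA_SERVER}" -ZZ -Y EXTERNAL \
      -b "cn=users,cn=accounts,${BASE_DN}" "$@"
}

# Run end to end only when pointed at a real cert/key pair.
if [ -n "${SYSACCOUNT_CERT:-}" ]; then
  check_subject_matches "$SYSACCOUNT_CERT" || {
    echo "subject uid does not match ${SYSACCOUNT_UID}" >&2; exit 1; }
  der_b64=$(openssl x509 -in "$SYSACCOUNT_CERT" -outform DER | base64 | tr -d '\n')
  sysaccount_ldif "$der_b64" > sysaccount-cert.ldif   # apply as admin: ldapmodify -f
  certmap_stanza > certmap-sysaccounts.conf            # append to certmap.conf, restart dirsrv
  cert_bind_search "$SYSACCOUNT_CERT" "${SYSACCOUNT_KEY:?set SYSACCOUNT_KEY}" '(uid=*)' uid
fi
```

The directory server has to allow client certificate authentication (nsSSLClientAuth under cn=encryption,cn=config) and be restarted after certmap.conf changes. Rob's point that the out-of-the-box stanza may already do the job stands; the explicit one above just makes the match rule visible. Renewal is the part nothing here automates: each reissued cert also has to replace the value in userCertificate, so script that alongside whatever reissues the cert.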
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
