We have some profiles setup for LDAP based auth and authz. These work great in the browser. It would be neat if these also worked from the pki cli utility.
Example:
pki -v -C ~/.pki.password -U 'https://ca01.pki.dev.int.devlab.redhat.com:8443/ca' client-cert-request CN=test1 --profile=caDirUserCert
You'd probably need new parameters for username and password.
Right now the pki cli can only do basic auth or cert based auth. We could enable profiles that do cert based auth in addition to our ldap based auth profiles but this still presents a single chicken and egg problem. If people wanted a quick automated CLI only environment. -- They would have to use a browser to get their client cert issued immediately using LDAP auth, or submit a client cert auth request from the CLI that requires agent approval and wait. Once they got their client cert they could then use that cert from the CLI to do the rest of their requests using cert based auth.
Having the pki command support passing dir based auth would be an awesome addition that would fix the above things.
Per CS/DS Meeting of 07/06/2015: 10.3 (critical)
From PKI TRAC #904 Unable to specify ldap username & password in xml request for UserDirEnrollment profile which was closed as a duplicate of this ticket:
After Enabling UserDirEnrollment Authentication Plugin , There is no xml tag to specify username and password in the xml request for caDirUserCert profile
Versions:
pki-ca-10.2.0-0.1.20140311T0344zgitb944d31.fc20.noarch pki-tools-10.2.0-0.1.20140311T0344zgitb944d31.fc20.x86_64
Downlad the profile xml using the below command
$ pki -d /opt/rhqa_pki/certs_db -n "PKI Administrator for lab.eng.pnq.redhat.com" -c redhat123 ca-cert-request-profile-show caDirUserCert --output caDirUserCert.xml
Edit caDirUserCert.xml , i see the below details:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <CertEnrollmentRequest> <ProfileID>caDirUserCert</ProfileID> <Renewal>false</Renewal> <SerialNumber></SerialNumber> <RemoteHost></RemoteHost> <RemoteAddress></RemoteAddress> <Input id="i1"> <ClassID>keyGenInputImpl</ClassID> <Name>Key Generation</Name> <Attribute name="cert_request_type"> <Value></Value> <Descriptor> <Syntax>keygen_request_type</Syntax> <Description>Key Generation Request Type</Description> </Descriptor> </Attribute> <Attribute name="cert_request"> <Value></Value> <Descriptor> <Syntax>keygen_request</Syntax> <Description>Key Generation Request</Description> </Descriptor> </Attribute> </Input> </CertEnrollmentRequest>
How do we specify the ldap username and password from the ldapbasedn configured for UserDirEnrollment?
Per CS/DS Meeting of 09/14/2015, moving back to 10.2.7 to be addressed sooner.
Documentation: http://pki.fedoraproject.org/wiki/Directory-Authenticated_Profiles
Fixed in master:
Cherry-picked re-based patches from DOGTAG_10_2_RHEL_BRANCH into DOGTAG_10_2_6_BRANCH:
Cherry-picked re-based patches from DOGTAG_10_2_RHEL_BRANCH into DOGTAG_10_2_BRANCH:
Additional changes in master:
Replying to [comment:9 edewata]:
Additional changes in master: * 3292de07ed01f6230de34120bf9cd1b8d164610a
Cherry-picked this patch to the following branches:
DOGTAG_10_2_BRANCH
DOGTAG_10_2_6_BRANCH
DOGTAG_10_2_RHEL_BRANCH
Metadata Update from @dminnich: - Issue assigned to edewata - Issue set to the milestone: 10.2.6
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2022
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Subscribe
Thank you for understanding, and we apologize for any inconvenience.
Login to comment on this ticket.