#210 Code submission by Josh Roys [PATCH] Add LDAP cert publisher using LDAP auth DN
Closed: migrated 3 years ago by dmoluguw. Opened 11 years ago by vakwetu.

No Description Provided


Thank you for submitting the patch. Could you elaborate on the purpose and usage cases for your new mapper?
Did you check if any of the existing mappers could provide similar functionality? Did you check if any of the existing mappers can be extended to include new functionality? Thank you, Andrew.

Hello Andrew,

You're welcome. The main reason this mapper was implemented was due to the unfortunate legacy requirements our environment had at the time we switched to Dogtag. The user certificate DN is created with values from LDAP (based off of the authenticating user) and is something like CN=$UID,OU=Foo,...,C=US. After attempting to use the existing mappers, I found no good way to look up the original LDAP DN from the certificate DN. When I went poking around the internal DB I immediately noticed that the authenticating DN was saved, providing a trivial map back to the entry to insert the userCertificate into.

I didn't feel that this functionality belonged in an existing mapper, but I am also no Dogtag expert and would defer to your judgment. I do feel the usefulness of this mapper (trivial LDAP publishing if using LDAP authentication) extends beyond our somewhat convoluted needs even though in simpler environments other mappers would also meet customer needs.

Thanks,

Josh

Hi Josh,
Just to be absolutely clear could you provide a detailed example of what mapping should do in your case?
Thank you,
Andrew

Hello Andrew,

DNCompsMap doesn't work for us due to the CN=$UID ugliness we do, SubjAttrMap would have added to account creation overhead, and SimpleMap IIRC required key=value which meant I couldn't specify the authenticated LDAP DN as the dnPattern (e.g. dnPattern:$req.authenticatedName or similar has no "key" before replacement). I seem to remember trying a few more complex patterns with SimpleMap and having issues possibly related to our OU hierarchy. In any event, the most likely existing mapper to work for us would be the SubjAttrMap. We simply chose a solution that required no extra overhead on our part.

Thanks,

Josh
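Added illustration of the contrast Josh describes above; this is constructed example code, not the submitted patch and not Dogtag's own mapper classes. A component-style mapper (stand-in for DNCompsMap) searches the directory by the certificate's CN value, which fails when the profile writes the uid into CN while the directory entry's cn holds a display name; a mapper that reuses the DN the requester authenticated as (stand-in for the proposed mapper, with the request key name `authenticatedName` assumed) goes straight to the entry. The directory contents, subject DN and request record are all constructed.

```python
# Constructed illustration (not Dogtag's code and not the submitted patch) of the
# two mapping strategies discussed: a DN-component mapper that searches the
# directory by the certificate's CN value, versus a mapper that reuses the DN
# under which the requester authenticated to LDAP.
from typing import Dict, List, Optional, Tuple

# Constructed directory: DN -> attributes. The entry's cn is a display name while
# the certificate CN carries the uid, mirroring the CN=$UID profile described above.
DIRECTORY: Dict[str, Dict[str, object]] = {
    "uid=jroys,ou=People,ou=Foo,dc=example,dc=com": {
        "uid": "jroys",
        "cn": "Josh Roys",
        "userCertificate": [],
    },
}


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, honouring backslash escapes.
    Simplified RFC 4514 reader; multi-valued RDNs ('+') are not handled."""
    rdns: List[str] = []
    buf = ""
    escaped = False
    for ch in dn:
        if escaped:
            buf += ch
            escaped = False
        elif ch == "\\":
            buf += ch
            escaped = True
        elif ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    rdns.append(buf)
    pairs: List[Tuple[str, str]] = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def dncomps_map(subject_dn: str,
                directory: Dict[str, Dict[str, object]]) -> Optional[str]:
    """Component-style mapping: take CN from the certificate subject and find the
    entry whose cn attribute equals it. Returns None when CN holds the uid instead."""
    comps = dict(parse_dn(subject_dn))
    wanted = comps.get("cn")
    if wanted is None:
        return None
    for dn, entry in directory.items():
        if entry.get("cn") == wanted:
            return dn
    return None


def auth_dn_map(request: Dict[str, str],
                directory: Dict[str, Dict[str, object]]) -> Optional[str]:
    """Authenticated-DN mapping: the request record already carries the LDAP DN the
    requester bound as (the key name 'authenticatedName' is an assumption here),
    so return it directly, after checking the entry still exists."""
    dn = request.get("authenticatedName")
    if dn is None or dn not in directory:
        return None
    return dn


def publish(dn: Optional[str], cert_der: bytes,
            directory: Dict[str, Dict[str, object]]) -> bool:
    """Append the certificate to the mapped entry's userCertificate attribute;
    a failed mapping publishes nothing and reports False."""
    if dn is None:
        return False
    directory[dn]["userCertificate"].append(cert_der)
    return True


if __name__ == "__main__":
    subject = "CN=jroys,OU=Foo,O=Example,C=US"  # constructed subject DN
    request = {"authenticatedName": "uid=jroys,ou=People,ou=Foo,dc=example,dc=com"}
    print("component-style mapping ->", dncomps_map(subject, DIRECTORY))
    print("authenticated-DN mapping ->", auth_dn_map(request, DIRECTORY))
```

The component mapper only succeeds when the subject CN actually matches the directory's cn attribute, which is exactly the assumption the CN=$UID profile breaks; the authenticated-DN path needs no search at all, but it does depend on the request record retaining the bind DN, so an entry that was deleted or moved between authentication and publishing yields no mapping rather than a wrong one.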

Hi Josh, I just noticed that some mapping options are referring to an older type of CA requests and I wonder if that played a role in the inability to use existing mappers. Thank you, Andrew.
(https://fedorahosted.org/pki/ticket/417)

Metadata Update from @vakwetu:
- Issue set to the milestone: UNTRIAGED

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/781

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

Metadata Update from @dmoluguw:
- Issue close_status updated to: migrated
- Issue status updated to: Closed (was: Open)

3 years ago
