Bug 3069 - tl-ldap-certalias or similar for AD environments
Summary: tl-ldap-certalias or similar for AD environments
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Smart card (show other bugs)
Target Milestone: 4.1.1
Assignee: Henrik Andersson
Keywords: hean01_tester, ossman_tester, relnotes
Depends on:
Reported: 2009-04-02 13:30 CEST by Peter Åstrand
Modified: 2013-10-28 11:01 CET (History)
0 users

See Also:
Acceptance Criteria:


Description Peter Åstrand cendio 2009-04-02 13:30:25 CEST
We might want to adapt tl-nds-certalias, or create a similar script, for AD-based smart card environments, rather then eDirectories.
Comment 1 Pierre Ossman cendio 2010-11-02 14:37:56 CET
We've investigated this a bit more and determined a suitable course of action.

Smart cards in the Microsoft world require that the certificates on the cards have a special attribute that specify the user and AD realm. In regards to SITHS, that leaves two options:

1. Make sure the HCC includes the necessary Microsoft fields.
2. Add an extra certificate to the card that will only be used for AD authentication.

Until we have proper PKI support (bug 2739), we can only easily support model 1 as that's the only one that retains the public key in a database for us to access.

The proposed architecture is to fetch everything from HSA, which is a LDAP directory containing all user attributes as well as the certificates themselves. We will extract the public key from the certificate and the username from the special Microsoft fields.

Since we cannot rely on certificates disappearing from HSA when they are revoked, we also need to pay attention to expiration dates and revocation lists. We probably won't need OCSP support right now, but can rely on the CRL downloaded via HTTP. We probably need to write proper cache management though to avoid torturing the CRL server too much.
Comment 2 Henrik Andersson cendio 2013-08-08 13:58:43 CEST
Using 4.1.0 and tl-ldap-certalias with AD 2008R2 fails, but after some investigation there seems to be a pretty easy fix to the problem.
tl-ldap-certalias has an undocumented configuration option which is not distributed with our tl-ldap-certalias.hconf which is named filter. This is used to filter out user objects with classtypes posixAccount however AD doesnt have this class type but the required attributes in its default schema so if i set filter to (&(objectclass=user)(uidNumber=*)) it works as expected.
Comment 3 Henrik Andersson cendio 2013-09-30 12:45:34 CEST
Commit 27979 implements ldap_schema configuration to tl-ldap-certalias.hconf which specifies what schema the target LDAP server is using.

I derived the meaning of ldap_schema meaning from sss-ldap and our supported values are rfc2307 and AD.
Comment 4 Henrik Andersson cendio 2013-09-30 13:55:10 CEST
Commit 27980, updates the TAG with information about ldap_schema and iis use.
Comment 5 Henrik Andersson cendio 2013-10-24 16:23:26 CEST
Testing tl-ldap-certalias against Active Directory at customers site.

I stumbled upon a ldap iterator issue at the customers site, enumerated users included a user object without proper attributes. See bug #4871 for more information. I temporarly added a check to overcome this problem to continue testing.

At the customers site I found they had several certificates per user and authorized_keys was populated with everything available, I created bug #4872 about that issue.
Comment 6 Henrik Andersson cendio 2013-10-28 11:01:04 CET
This works as expected as tested at customers site using the new tl-ldap-certalias.

Note You need to log in before you can comment on or make changes to this bug.