[Pki-devel] [pki-devel][PATCH] 0080-Authentication-Instance-Id-PinDirEnrollment-with-aut.patch

John Magne jmagne at redhat.com
Fri Aug 19 23:14:09 UTC 2016


Verbal cond ACK from CFU:


Minor issue taken care of:

commit e5ef4374eae5219a8b5e9a216c1c2ed77fb3e709
Author: Jack Magne <jmagne at dhcp-16-206.sjc.redhat.com>
Date:   Tue Aug 16 16:58:49 2016 -0700

    Authentication Instance Id PinDirEnrollment with authType value as SslclientAuth is not working.

Pushed to master, closing ticket #1578



----- Original Message -----
> From: "John Magne" <jmagne at redhat.com>
> To: "pki-devel" <pki-devel at redhat.com>
> Sent: Tuesday, August 16, 2016 5:15:49 PM
> Subject: [pki-devel][PATCH] 0080-Authentication-Instance-Id-PinDirEnrollment-with-aut.patch
> 
> [PATCH] Authentication Instance Id PinDirEnrollment with authType
>  value as SslclientAuth is not working.
> 
> Ticket #1578
> 
> The fixing of this problem required the following:
> 
> 1. Hook up a java callback that is designed to allow the selection of a
> candidate client auth cert to be sent to Ldap in the LdapSSLSocket factory
> object.
> 
> Previously we simply manually set the desired client auth cert nickname,
> which is provided by the console interface when configuring the "removePin"
> portion of the UidPinDir Authentication method.
> 
> Doing it this way has the benefit of giving us some logging to show when the
> actual client auth cert is being requested by the server. We get to see the
> list of candidate certs and when we match one of those with the requested
> cert name, established by the console.
> 
> This client auth problem applies ONLY to the connection pool that is used to
> remove the pin attribute from an external authentication directory.
> 
> 2. Previously the code, when setting up client auth for "removePin", would
> make one single call to create the SSL socket to connect to ldap over client
> auth. Now, based on some code I saw in the JSS test suite, the socket is
> constructed in two steps. Doing this causes things to work. Further
> investigation down the line could figure out what is going on at the lower
> level.
> 
> 3. Was able to test this to work with the reported problem directory server
> provided by QE. Note: for pin removal to work, we must also make sure that
> the user we are authenticating to (through client auth) has the power to
> actually remove the pin attribute from various users.
> 




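The client-auth selection callback and two-step socket construction that the quoted message describes, as an added example that is not part of the original thread or of the Dogtag PKI code base. It assumes the JSS interfaces `SSLClientCertificateSelectionCallback` (with `String select(Vector nicknames)`, raw `Vector` so it compiles against both old and generic JSS versions), `SSLCertificateApprovalCallback`, and the `SSLSocket(Socket, String, ...)` wrapping constructor plus `forceHandshake()`; the class name `PinDirClientCertSelector`, the method `openRemovePinSocket` and the `log.*` messages are hypothetical. The callback logs the candidate list the server lets us choose from, matches it against the nickname configured in the console, and returns null when nothing matches so that no wrong cert is sent:

```java
import java.net.Socket;
import java.util.Vector;
import java.util.logging.Logger;

import org.mozilla.jss.ssl.SSLCertificateApprovalCallback;
import org.mozilla.jss.ssl.SSLClientCertificateSelectionCallback;
import org.mozilla.jss.ssl.SSLSocket;

/**
 * Example (hypothetical) client-auth cert selector for the "removePin"
 * LDAP connection pool. JSS invokes select() when the LDAP server asks
 * for a client certificate, passing the nicknames of every candidate
 * cert in the NSS database; we pick the one the console configured.
 */
public class PinDirClientCertSelector implements SSLClientCertificateSelectionCallback {

    private static final Logger log = Logger.getLogger(PinDirClientCertSelector.class.getName());

    // Nickname entered in the console for the removePin client-auth cert (assumed configuration value).
    private final String configuredNickname;

    public PinDirClientCertSelector(String configuredNickname) {
        this.configuredNickname = configuredNickname;
    }

    /**
     * Pure selection logic, kept separate from the JSS callback so it can be
     * exercised without a live socket. Returns the matching nickname, or null
     * if the configured cert is not among the candidates.
     */
    static String choose(String wanted, Vector<?> candidates) {
        if (wanted == null || candidates == null) {
            return null;
        }
        for (Object nick : candidates) {
            if (wanted.equals(nick)) {
                return (String) nick;
            }
        }
        // No match: send no client cert rather than a wrong one; the LDAP bind
        // will then fail with a clear error instead of binding as the wrong identity.
        return null;
    }

    @Override
    @SuppressWarnings("rawtypes")
    public String select(Vector candidates) {
        // This is the logging the patch discussion wants: we see when the server
        // requests a client cert and which candidates NSS offers.
        log.info("LDAP server requested a client auth cert; candidates: " + candidates);
        String chosen = choose(configuredNickname, candidates);
        if (chosen == null) {
            log.warning("configured client cert '" + configuredNickname
                    + "' is not among the candidates; sending no client cert");
        } else {
            log.info("selected client auth cert '" + chosen + "'");
        }
        return chosen;
    }

    /**
     * Two-step construction as the message describes: open a plain TCP socket
     * first, then wrap it in an SSLSocket that carries the selection callback.
     * (Constructor signature assumed from JSS; approval callback is whatever
     * the caller already uses for server cert checking.)
     */
    public static SSLSocket openRemovePinSocket(String host, int port,
                                                SSLCertificateApprovalCallback approval,
                                                String clientCertNickname) throws Exception {
        Socket plain = new Socket(host, port);
        SSLSocket ssl = new SSLSocket(plain, host, approval,
                new PinDirClientCertSelector(clientCertNickname));
        ssl.forceHandshake(); // surface handshake/client-auth failures here, not on the first LDAP op
        return ssl;
    }
}
```

The separate `choose` method is the part worth unit-testing: feed it a candidate vector with and without the configured nickname and confirm it returns the nickname in the first case and null in the second. Note the operational caveat from the message still applies: selecting the right cert only gets you bound as that identity; the directory ACIs must also let that identity delete the pin attribute.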