Authentication with a SmartCard may fail when the SmartCard certificate is not linked to any IdM user, or to a user different from the one specified on the console.
In order to find which user is associated to a given SmartCard certificate, you can run the following command:
ipaclient$ ipa certmap-match cert.pem -------------- 1 user matched -------------- Domain: IPADOMAIN.COM User logins: demosc1 ---------------------------- Number of entries returned 1 ----------------------------
If the result is not what you were expecting, you need first to check how certificates are mapped to users.
By default, a certificate is associated to a user when the user entry contains the full certificate in its usercertificate attribute. But this behavior can be modified by defining certificate mapping rules:
ipaclient$ ipa certmaprule-find ------------------------------------------- 1 Certificate Identity Mapping Rule matched ------------------------------------------- Rule name: rulesmartcard Mapping rule: (ipacertmapdata=X509:<I>{issuer_dn}<S>{subject_dn}) Matching rule: <ISSUER>CN=Smart Card CA,O=EXAMPLE.ORG Enabled: FALSE ---------------------------- Number of entries returned 1 ----------------------------
Mapping with full certificate content
When the mapping is based on the full certificate content, you can check if the user entry contains the certificate:
root@ipaclient$ ipa user-show demosc1 User login: demosc1 [...] Certificate: MIIC...
If it is not the case, associate the certificate with the user entry using:
ipaclient$ CERT=`cat cert.pem | tail -n +2 | head -n -1 | tr -d '\r\n'` ipaclient$ ipa user-add-cert demosc1 --certificate $CERT
Once this is done, you may need to clear sssd cache to force SSSD to reload the entries before retrying ipa certmap-match:
ipaclient$ sudo sss_cache -E
Flexible mapping with certificate identity mapping rule
When the mapping is based on certificate mapping rules, the same tool ipa certmap-match can be used to check which user entry is associated to a certificate. When the result is not what you expect, you can enable sssd domain logs by adding the following in /etc/sssd/sssd.conf on IdM master:
[domain/ipadomain.com] ... debug_level = 9
then restart sssd with
root@ipaserver$ systemctl restart sssd
The logs will be located in /var/log/sssd/sssd_ipadomain.log.
Check that the certificate identity mapping rules are properly loaded
When sssd is restarted, it reads the mapping rules and should print the following in /var/log/sssd/sssd_ipadomain.log:
[sssd[be[ipadomain.com]]] [sss_certmap_init] (0x0040): sss_certmap initialized. [sssd[be[ipadomain.com]]] [ipa_certmap_parse_results] (0x4000): Trying to add rule [rulesmartcard][-1][<ISSUER>CN=Smart Card CA,O=EXAMPLE.ORG][(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})].
If the rule has an invalid syntax, you will see instead:
[sssd[be[ipadomain.com]]] [sss_certmap_init] (0x0040): sss_certmap initialized. [sssd[be[ipadomain.com]]] [ipa_certmap_parse_results] (0x4000): Trying to add rule [rulesmartcard][-1][<ISSUER>CN=Smart Card CA,O=EXAMPLE.ORG][(ipacertmapdata=X509:<I>{issuer_dn!x509}<S>{subject_dn})]. [sssd[be[ipadomain.com]]] [parse_template] (0x0040): Parse template invalid. [sssd[be[ipadomain.com]]] [parse_ldap_mapping_rule] (0x0040): Failed to add template. [sssd[be[ipadomain.com]]] [parse_mapping_rule] (0x0040): Failed to parse LDAP mapping rule. [sssd[be[ipadomain.com]]] [ipa_certmap_parse_results] (0x0020): sss_certmap_add_rule failed for rule [rulesmartcard], skipping. Please check for typos and if rule syntax is supported. [sssd[be[ipadomain.com]]] [ipa_subdomains_certmap_done] (0x0040): Unable to parse certmap results [22]: Invalid argument [sssd[be[ipadomain.com]]] [ipa_subdomains_refresh_certmap_done] (0x0020): Failed to read certificate mapping rules [22]: Invalid argument
The log shows that the rule named rulesmartcard is invalid. Check the rule (see man page for sss-certmap for the supported syntax) and fix if needed:
ipaclient$ ipa certmaprule-show rulesmartcard Rule name: rulesmartcard Mapping rule: (ipacertmapdata=X509:<I>{issuer_dn!x509}<S>{subject_dn}) Matching rule: <ISSUER>CN=Smart Card CA,O=EXAMPLE.ORG Enabled: TRUE ipaclient$ ipa certmaprule-mod rulesmartcard --maprule '(ipacertmapdata=X509:<I>{issuer_dn}<S>{subject_dn})'
Check that the matching rule corresponds to the certificate
When SSSD tries to associate the certificate to a user, it starts by finding which rule can be applied based on the matching rule (for instance rulesmartcard applies to all certificates issued by CN=Smart Card CA,O=EXAMPLE.ORG because its matching rule is <ISSUER>CN=Smart Card CA,O=EXAMPLE.ORG).
If no matching rule applies to the certificate, SSSD will not be able to associate the certificate with a user, and will display the following in /var/log/sssd/sssd_ipadomain.log:
[sssd[be[ipadomain.com]]] [sss_cert_derb64_to_ldap_filter] (0x0040): Certificate does not match matching-rules.
In this case, you need to create or modify an identity mapping rule, so that the match rule applies to your certificate. See sss-certmap man page for the supported syntax of the –matchrule option of ipa certmaprule-add command.
Check that the expected certificate identity mapping rule is used
When SSSD tries to find the user associated to the certificate, you will see the following logs in /var/log/sssd/sssd_ipadomain.log:
[sssd[be[ipadomain.com]]] [dp_get_account_info_handler] (0x0200): Got request for [0x14][BE_REQ_BY_CERT][cert=MII..] ... [sssd[be[ipadomain.com]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [cn=accounts,dc=ipadomain,dc=com] [sssd[be[ipadomain.com]]] [sdap_print_server] (0x2000): Searching 10.34.58.20:389 [sssd[be[ipadomain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(ipacertmapdata=X509:<I>O=EXAMPLE.ORG,CN=Smart Card CA<S>CN=test,O=EXAMPLE.ORG)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=ipadomain,dc=com]. ... [sssd[be[ipadomain.com]]] [sdap_search_user_process] (0x0400): Search for users, returned 0 results.
The logs show the LDAP search performed by SSSD: IP address of the LDAP server, base and search filter. Carefully review this information and compare with what you would expect.
Check that the mapping rule defines a valid search filter
If the rule cannot be transformed to a valid search filter, you will see in /var/log/sssd/sssd_ipadomain.log:
[sssd[be[ipadomain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(ipacertmapdata=X509:<I>O=EXAMPLE.ORG,CN=Smart Card CA<S>CN=test,O=EXAMPLE.ORG(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=ipadomain,dc=com]. [...] [sssd[be[ipadomain.com]]] [sdap_get_generic_ext_step] (0x0080): ldap_search_ext failed: Bad search filter
If it is the case, you need to fix the certmap rule using
ipaclient$ ipa certmaprule-mod rulesmartcard –maprule …