Back in the day when I first started playing around with GNU Linux my mentor introduced me to something called OpenLDAP. OpenLDAP is an Open Source equivalent to the Microsoft Active Directory. Both are based on using Lightweight Directory Access Protocol (LDAP) and they are not the solutions to implement it. There is also the Novell Directory Services (NDS) for example. The key difference between all of them is called a schema. Which is in what way the information is organized.
In most cases the information that it holds is account information. For example, username, real name, user groups, and etc. If we fast forward to the now, things have evolved to the point where more than just user information is stored. In systems like Red Hat Enterprise Linux’s (RHEL) Identity Manager (IDM) you have things like vaults. Vaults are encrypted containers that are stored in LDAP. But enough with the introduction to LDAP and the RHEL re-labeled FreeIPA system referred to as the IDM. Some people may have the recurring issue that I had of an IPA/IDM client completely locking out when a RHEL Gnome Desktop Manager (GDM) GUI screen locks due to things like inactivity, smartcard removal, and manual screen lock.
If you ever notice that after installing an IPA server and client that you login into using an X.509 smartcard starts to fail to unlock after a screen lock. You should check the ability for the client to OCSP validation. In a current setup that I’m implementing at work I came across this issue that would have completely killed the practical implementation. Why? If the user’s could not login to RHEL GDM Workstations then it would make their systems defined as inoperable. I did create an escalated ticket with Red Hat to look into the issue with a lot of logs in the time frame of the failures and SOS reports. I’d like to tip my hat to Sumit Bose and Amit Kumar for excellent support, guidance, and understanding. Which directed me to a solution that seems to have resolved the problem. Apparently, RHEL needs to address the more user-based end of development. While the workstation IPA client did respond as expected over ssh, it did have issues with SSSD, PAM, and GDM interaction. And making the SSSD debug log output more informative wouldn’t hurt. The solution to the issue so to simply tell SSSD not to do OCSP certificate verification. In my environment, the outgoing traffic is restricted to be user-based authentication to the proxy. The proxy is intended for Microsoft systems, so it only does NTLM authentication and service accounts isn’t accepted. So without system level proxy setup using user credentials the system wasn’t able to do OCSP validation. This was discovered when doing an `strace` of the `kinit` command below where it stated that it was trying to connect to the OCSP server stated in the x.509 cert on the smartcard. The fix is stated below.
$ strace /usr/bin/kinit -X X509_user_identity=PKCS11:/usr/lib64/pkcs11/opensc-pkcs11.so IPA-username
Look for a “connect” line with the IP address of the server stated in your certificate’s OCSP URI.
In /etc/sssd/sssd.conf add the following and keep in mind white space does matter.
[sssd]
certificate_verification = no_ocsp
If you still encounter some issues you may need to add the following timeout lines to the sssd.conf file as well
[domain/your-domain.com]
krb5_auth_timeout = 30
[pam]
p11_child_timeout = 30
