From: Emmanuel N. de L. F. <emm...@se...> - 2015-04-27 13:32:31
Hi guys, sorry if my English sucks! I want your help to find out what I am doing wrong using smartcard login with the ldap mapper.

1) My OpenLDAP server has an attribute named cryptPassword I use to login.
2) My certificate has an attribute named CPF I want to use as login.

Using a Watchdata token, Ubuntu 14.04 amd64, libpam-pkcs11 0.6.8-4 amd64.

I try to do

~$ openssl verify -CApath /etc/pam_pkcs11/cacerts

but it gives me no response.

~$ pkcs11_inspect
DEBUG:pkcs11_inspect.c:69: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:975: PKCS #11 module = [/usr/lib/watchdata/ICP/lib/libwdpkcs_icp.so]
DEBUG:pkcs11_lib.c:992: module permissions: uid = 0, gid = 0, mode = 755
DEBUG:pkcs11_lib.c:1001: loading module /usr/lib/watchdata/ICP/lib/libwdpkcs_icp.so
DEBUG:pkcs11_lib.c:1009: getting function list
DEBUG:pkcs11_inspect.c:78: initialising pkcs #11 module...
DEBUG:pkcs11_lib.c:1106: module information:
DEBUG:pkcs11_lib.c:1107: - version: 2.10
DEBUG:pkcs11_lib.c:1108: - manufacturer: WatchData
DEBUG:pkcs11_lib.c:1109: - flags: 0000
DEBUG:pkcs11_lib.c:1110: - library description: PKCS#11 cryptoki module
DEBUG:pkcs11_lib.c:1111: - library version: 1.0
DEBUG:pkcs11_lib.c:1118: number of slots (a): 1
DEBUG:pkcs11_lib.c:1141: number of slots (b): 1
DEBUG:pkcs11_lib.c:1037: slot 1:
DEBUG:pkcs11_lib.c:1047: - description: WatchData IC CARD Reader/Writer 0
DEBUG:pkcs11_lib.c:1048: - manufacturer: Watchdata Technologies Pte.Ltd
DEBUG:pkcs11_lib.c:1049: - flags: 0007
DEBUG:pkcs11_lib.c:1051: - token:
DEBUG:pkcs11_lib.c:1057: - label: eferro
DEBUG:pkcs11_lib.c:1058: - manufacturer: Watchdata Corp.
DEBUG:pkcs11_lib.c:1059: - model: TimeCos/PK
DEBUG:pkcs11_lib.c:1060: - serial: WDS01108186o8R7Y
DEBUG:pkcs11_lib.c:1061: - flags: 060d
DEBUG:pkcs11_lib.c:1364: opening a new PKCS #11 session for slot 1
PIN for token:
DEBUG:pkcs11_lib.c:1383: login as user CKU_USER
DEBUG:pkcs11_lib.c:1577: Saving Certificate #1:
DEBUG:pkcs11_lib.c:1579: - type: 00
DEBUG:pkcs11_lib.c:1580: - id: 28
DEBUG:pkcs11_lib.c:1612: Found 1 certificates in token
DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
DEBUG:mapper_mgr.c:95: Loading dynamic module for mapper 'ldap'
DEBUG:ldap_mapper.c:847: test ssltls = tls
DEBUG:ldap_mapper.c:849: LDAP mapper started.
DEBUG:ldap_mapper.c:850: debug = 1
DEBUG:ldap_mapper.c:851: ignorecase = 0
DEBUG:ldap_mapper.c:852: ldaphost = my-ldap-addr
DEBUG:ldap_mapper.c:853: ldapport = 389
DEBUG:ldap_mapper.c:854: ldapURI = my-ldap-addr my-ldap-addr2
DEBUG:ldap_mapper.c:855: scope = 2
DEBUG:ldap_mapper.c:856: binddn = uid=estacao,ou=servicos,ou=corp,dc=company,dc=gov,dc=br
DEBUG:ldap_mapper.c:857: passwd = estacao@rlsl
DEBUG:ldap_mapper.c:858: base = dc=company,dc=gov,dc=br
DEBUG:ldap_mapper.c:859: attribute = userCertificate
DEBUG:ldap_mapper.c:860: filter = (&(objectClass=posixAccount)(uid=%s))
DEBUG:ldap_mapper.c:861: searchtimeout = 20
DEBUG:ldap_mapper.c:862: ssl_on = 2
DEBUG:ldap_mapper.c:864: tls_randfile =
DEBUG:ldap_mapper.c:865: tls_cacertfile= /etc/ssl/certs/389-ca.crt
DEBUG:ldap_mapper.c:866: tls_cacertdir =
DEBUG:ldap_mapper.c:867: tls_checkpeer = 0
DEBUG:ldap_mapper.c:868: tls_ciphers =
DEBUG:ldap_mapper.c:869: tls_cert =
DEBUG:ldap_mapper.c:870: tls_key =
DEBUG:mapper_mgr.c:196: Inserting mapper [ldap] into list
DEBUG:pkcs11_inspect.c:126: Found '1' certificate(s)
DEBUG:pkcs11_inspect.c:130: verifying the certificate #1
DEBUG:cert_vfy.c:338: Adding hashdir lookup to x509_store
DEBUG:cert_vfy.c:350: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
DEBUG:cert_vfy.c:450: certificate is valid
DEBUG:cert_vfy.c:207: crl policy: 0
DEBUG:cert_vfy.c:210: no revocation-check performed
DEBUG:cert_vfy.c:464: certificate has not been revoked
DEBUG:pkcs11_inspect.c:144: Inspecting certificate #1
Printing data for mapper ldap:
-----BEGIN CERTIFICATE-----
[base64 certificate body omitted]
-----END CERTIFICATE-----
DEBUG:mapper_mgr.c:213: unloading mapper module list
DEBUG:mapper_mgr.c:137: calling mapper_module_end() ldap
DEBUG:mapper_mgr.c:145: unloading module ldap
DEBUG:pkcs11_lib.c:1443: logout user
DEBUG:pkcs11_lib.c:1450: closing the PKCS #11 session
DEBUG:pkcs11_lib.c:1456: releasing keys and certificates
DEBUG:pkcs11_inspect.c:161: releasing pkcs #11 module...
DEBUG:pkcs11_inspect.c:164: Process completed
--------------------------------------------------------------------------
~$ pkcs11_listcerts
DEBUG:pkcs11_listcerts.c:69: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:975: PKCS #11 module = [/usr/lib/watchdata/ICP/lib/libwdpkcs_icp.so]
DEBUG:pkcs11_lib.c:992: module permissions: uid = 0, gid = 0, mode = 755
DEBUG:pkcs11_lib.c:1001: loading module /usr/lib/watchdata/ICP/lib/libwdpkcs_icp.so
DEBUG:pkcs11_lib.c:1009: getting function list
DEBUG:pkcs11_listcerts.c:77: initialising pkcs #11 module...
DEBUG:pkcs11_lib.c:1106: module information:
DEBUG:pkcs11_lib.c:1107: - version: 2.10
DEBUG:pkcs11_lib.c:1108: - manufacturer: WatchData
DEBUG:pkcs11_lib.c:1109: - flags: 0000
DEBUG:pkcs11_lib.c:1110: - library description: PKCS#11 cryptoki module
DEBUG:pkcs11_lib.c:1111: - library version: 1.0
DEBUG:pkcs11_lib.c:1118: number of slots (a): 1
DEBUG:pkcs11_lib.c:1141: number of slots (b): 1
DEBUG:pkcs11_lib.c:1037: slot 1:
DEBUG:pkcs11_lib.c:1047: - description: WatchData IC CARD Reader/Writer 0
DEBUG:pkcs11_lib.c:1048: - manufacturer: Watchdata Technologies Pte.Ltd
DEBUG:pkcs11_lib.c:1049: - flags: 0007
DEBUG:pkcs11_lib.c:1051: - token:
DEBUG:pkcs11_lib.c:1057: - label: eferro
DEBUG:pkcs11_lib.c:1058: - manufacturer: Watchdata Corp.
DEBUG:pkcs11_lib.c:1059: - model: TimeCos/PK
DEBUG:pkcs11_lib.c:1060: - serial: WDS01108186o8R7Y
DEBUG:pkcs11_lib.c:1061: - flags: 060d
DEBUG:pkcs11_lib.c:1364: opening a new PKCS #11 session for slot 1
PIN for token:
DEBUG:pkcs11_lib.c:1383: login as user CKU_USER
DEBUG:pkcs11_lib.c:1577: Saving Certificate #1:
DEBUG:pkcs11_lib.c:1579: - type: 00
DEBUG:pkcs11_lib.c:1580: - id: 28
DEBUG:pkcs11_lib.c:1612: Found 1 certificates in token
Found '1' certificate(s)
Certificate #1:
- Subject: /C=BR/O=ICP-Brasil/OU=Pessoa Fisica A3/OU=ARcompany/OU=Autoridade Certificadora companyACF/CN=EMMANUEL FERRO
- Issuer: /C=BR/O=ICP-Brasil/OU=CSPB-1/OU=Servico Federal de Processamento de Dados - company/CN=Autoridade Certificadora do company Final v4
- Algorithm: rsaEncryption
DEBUG:cert_vfy.c:338: Adding hashdir lookup to x509_store
DEBUG:cert_vfy.c:350: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
DEBUG:cert_vfy.c:450: certificate is valid
DEBUG:cert_vfy.c:207: crl policy: 0
DEBUG:cert_vfy.c:210: no revocation-check performed
DEBUG:cert_vfy.c:464: certificate has not been revoked
DEBUG:pkcs11_lib.c:1443: logout user
DEBUG:pkcs11_lib.c:1450: closing the PKCS #11 session
DEBUG:pkcs11_lib.c:1456: releasing keys and certificates
DEBUG:pkcs11_listcerts.c:157: releasing pkcs #11 module...
DEBUG:pkcs11_listcerts.c:160: Process completed
--------------------------------------------------------------------------
:~$ sudo login 22222222222
Smartcard authentication starts
DEBUG:pam_pkcs11.c:308: username = [22222222222]
DEBUG:pam_pkcs11.c:319: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:975: PKCS #11 module = [/usr/lib/watchdata/ICP/lib/libwdpkcs_icp.so]
DEBUG:pkcs11_lib.c:992: module permissions: uid = 0, gid = 0, mode = 755
DEBUG:pkcs11_lib.c:1001: loading module /usr/lib/watchdata/ICP/lib/libwdpkcs_icp.so
DEBUG:pkcs11_lib.c:1009: getting function list
DEBUG:pam_pkcs11.c:334: initialising pkcs #11 module...
DEBUG:pkcs11_lib.c:1106: module information:
DEBUG:pkcs11_lib.c:1107: - version: 2.10
DEBUG:pkcs11_lib.c:1108: - manufacturer: WatchData
DEBUG:pkcs11_lib.c:1109: - flags: 0000
DEBUG:pkcs11_lib.c:1110: - library description: PKCS#11 cryptoki module
DEBUG:pkcs11_lib.c:1111: - library version: 1.0
DEBUG:pkcs11_lib.c:1118: number of slots (a): 1
DEBUG:pkcs11_lib.c:1141: number of slots (b): 1
DEBUG:pkcs11_lib.c:1037: slot 1:
DEBUG:pkcs11_lib.c:1047: - description: WatchData IC CARD Reader/Writer 0
DEBUG:pkcs11_lib.c:1048: - manufacturer: Watchdata Technologies Pte.Ltd
DEBUG:pkcs11_lib.c:1049: - flags: 0007
DEBUG:pkcs11_lib.c:1051: - token:
DEBUG:pkcs11_lib.c:1057: - label: eferro
DEBUG:pkcs11_lib.c:1058: - manufacturer: Watchdata Corp.
DEBUG:pkcs11_lib.c:1059: - model: TimeCos/PK
DEBUG:pkcs11_lib.c:1060: - serial: WDS01108186o8R7Y
DEBUG:pkcs11_lib.c:1061: - flags: 060d
Token found.
DEBUG:pkcs11_lib.c:1364: opening a new PKCS #11 session for slot 1
Welcome eferro!
Token PIN:
DEBUG:pkcs11_lib.c:1383: login as user CKU_USER
DEBUG:pkcs11_lib.c:1577: Saving Certificate #1:
DEBUG:pkcs11_lib.c:1579: - type: 00
DEBUG:pkcs11_lib.c:1580: - id: 28
DEBUG:pkcs11_lib.c:1612: Found 1 certificates in token
DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
DEBUG:mapper_mgr.c:95: Loading dynamic module for mapper 'ldap'
DEBUG:ldap_mapper.c:847: test ssltls = tls
DEBUG:ldap_mapper.c:849: LDAP mapper started.
DEBUG:ldap_mapper.c:850: debug = 1
DEBUG:ldap_mapper.c:851: ignorecase = 0
DEBUG:ldap_mapper.c:852: ldaphost = my-ldap-addr
DEBUG:ldap_mapper.c:853: ldapport = 389
DEBUG:ldap_mapper.c:854: ldapURI = my-ldap-addr my-ldap-addr2
DEBUG:ldap_mapper.c:855: scope = 2
DEBUG:ldap_mapper.c:856: binddn = uid=estacao,ou=servicos,ou=corp,dc=company,dc=gov,dc=br
DEBUG:ldap_mapper.c:857: passwd = mypass
DEBUG:ldap_mapper.c:858: base = dc=company,dc=gov,dc=br
DEBUG:ldap_mapper.c:859: attribute = userCertificate
DEBUG:ldap_mapper.c:860: filter = (&(objectClass=posixAccount)(uid=%s))
DEBUG:ldap_mapper.c:861: searchtimeout = 20
DEBUG:ldap_mapper.c:862: ssl_on = 2
DEBUG:ldap_mapper.c:864: tls_randfile =
DEBUG:ldap_mapper.c:865: tls_cacertfile= /etc/ssl/certs/389-ca.crt
DEBUG:ldap_mapper.c:866: tls_cacertdir =
DEBUG:ldap_mapper.c:867: tls_checkpeer = 0
DEBUG:ldap_mapper.c:868: tls_ciphers =
DEBUG:ldap_mapper.c:869: tls_cert =
DEBUG:ldap_mapper.c:870: tls_key =
DEBUG:mapper_mgr.c:196: Inserting mapper [ldap] into list
DEBUG:pam_pkcs11.c:551: verifying the certificate #1
verifying certificate
DEBUG:cert_vfy.c:338: Adding hashdir lookup to x509_store
DEBUG:cert_vfy.c:350: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
DEBUG:cert_vfy.c:450: certificate is valid
DEBUG:cert_vfy.c:207: crl policy: 0
DEBUG:cert_vfy.c:210: no revocation-check performed
DEBUG:cert_vfy.c:464: certificate has not been revoked
DEBUG:ldap_mapper.c:618: ldap_get_certificate(): begin login = 22222222222
DEBUG:ldap_mapper.c:623: ldap_get_certificate(): filter_str = (&(objectClass=posixAccount)(uid=22222222222))
DEBUG:ldap_mapper.c:581: added URI my-ldap-addr
DEBUG:ldap_mapper.c:581: added URI my-ldap-addr2
DEBUG:ldap_mapper.c:581: added URI ldap://my-ldap-addr:389
DEBUG:ldap_mapper.c:682: ldap_get_certificate(): try do_open for my-ldap-addr
DEBUG:ldap_mapper.c:144: do_init():
DEBUG:ldap_mapper.c:393: do_open(): do_init failed
DEBUG:ldap_mapper.c:696: ldap_get_certificate(): do_open failed
DEBUG:ldap_mapper.c:892: ldap_get_certificate() failed
DEBUG:mapper_mgr.c:306: Mapper module ldap match() returns 0
DEBUG:pam_pkcs11.c:634: certificate is valid but does not match the user
ERROR:pam_pkcs11.c:646: no valid certificate which meets all requirements found
Error 2336: No matching certificate found
DEBUG:mapper_mgr.c:213: unloading mapper module list
DEBUG:mapper_mgr.c:137: calling mapper_module_end() ldap
DEBUG:mapper_mgr.c:145: unloading module ldap
DEBUG:pkcs11_lib.c:1443: logout user
DEBUG:pkcs11_lib.c:1450: closing the PKCS #11 session
DEBUG:pkcs11_lib.c:1456: releasing keys and certificates
Login incorrect
Smartcard authentication starts
DEBUG:pam_config.c:248: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
Please insert your Token or enter your username.
--------------------------------------------------------------------------
:~$ sudo vim /etc/pam_pkcs11/pam_pkcs11.conf
--------------------------------------------------------------------------
pam_pkcs11 {
  # Allow empty passwords
  nullok = true;

  # Enable debugging support.
  debug = true; ##false;

  # Do not prompt the user for the passwords but take them from the
  # PAM_ items instead.
  use_first_pass = false;

  # Do not prompt the user for the passwords unless PAM_(OLD)AUTHTOK
  # is unset.
  try_first_pass = false;

  # Like try_first_pass, but fail if the new PAM_AUTHTOK has not been
  # previously set (intended for stacking password modules only).
  use_authtok = true; ##false;

  # Filename of the PKCS #11 module. The default value is "default"
  use_pkcs11_module = wdtoken;

  [...]

  # WatchData
  pkcs11_module wdtoken {
    module = "/usr/lib/watchdata/ICP/lib/libwdpkcs_icp.so";
    description = "Watchdata token";
    slot_num = 0;
    support_threads = true;
    ca_dir = "/etc/pam_pkcs11/cacerts";
    cert_policy = ca, signature;
    token_type = Token;
  }

  [...]

  use_mappers = ldap;

  [...]

  mapper ldap {
    debug = true;
    module = "/lib/pam_pkcs11/ldap_mapper.so";
    ldaphost = "my.ldap.addr";
    ldapport = 389;
    URI = "my.ldap.addr my.ldap.addr2";
    scope = 2;
    binddn = "uid=workstation,ou=serv,ou=corp,dc=company,dc=gov,dc=br";
    passwd = "mypass";
    base = "dc=company,dc=gov,dc=br";
    attribute = userCertificate;
    filter = "(&(objectClass=posixAccount)(uid=%s))";
    ssl = tls;
    tls_cacertfile = "/etc/ssl/certs/389-ca.crt";
    tls_checkpeer = 0;
  }
}
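An added configuration check, not from the post or from pam_pkcs11 itself, that parses the `mapper ldap` block as posted above and reports what a reviewer would raise: the URI entries carry no scheme (OpenLDAP's ldap_initialize() accepts only ldap://, ldaps:// or ldapi:// URLs, which fits the `do_open(): do_init failed` line that follows `try do_open for my-ldap-addr`), and `tls_checkpeer = 0` means the server that answers the certificate-to-account lookup is never authenticated. The lint rules and their wording are this example's own assumptions; the sample block is the poster's, with the poster's placeholder host names and password.

```python
import re

# Constructed sample: the `mapper ldap` block exactly as posted above,
# with the poster's own placeholder host names and password.
SAMPLE_CONF = """
mapper ldap {
  debug = true;
  module = "/lib/pam_pkcs11/ldap_mapper.so";
  ldaphost = "my.ldap.addr";
  ldapport = 389;
  URI = "my.ldap.addr my.ldap.addr2";
  scope = 2;
  binddn = "uid=workstation,ou=serv,ou=corp,dc=company,dc=gov,dc=br";
  passwd = "mypass";
  base = "dc=company,dc=gov,dc=br";
  attribute = userCertificate;
  filter = "(&(objectClass=posixAccount)(uid=%s))";
  ssl = tls;
  tls_cacertfile = "/etc/ssl/certs/389-ca.crt";
  tls_checkpeer = 0;
}
"""

# One `key = value;` per line; the value may be double-quoted.
KV_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^";]*)"?\s*;', re.M)

def parse_mapper(conf, name="ldap"):
    """Return the key/value pairs of `mapper <name> { ... }` as a dict."""
    m = re.search(r"mapper\s+%s\s*\{(.*?)\n\}" % re.escape(name), conf, re.S)
    if not m:
        raise ValueError("mapper block %r not found" % name)
    return {k: v.strip() for k, v in KV_RE.findall(m.group(1))}

def lint_ldap_mapper(cfg):
    """Return a list of findings for the mapper block (empty = clean)."""
    findings = []
    # ldap_initialize() rejects a bare host name before any connection is made.
    for uri in cfg.get("URI", "").split():
        if not uri.startswith(("ldap://", "ldaps://", "ldapi://")):
            findings.append("URI entry without scheme: %r" % uri)
    # With ssl = tls (STARTTLS) or on (ldaps), tls_checkpeer = 0 skips server
    # certificate verification: whoever answers decides the cert/account match.
    if cfg.get("ssl") in ("tls", "on") and cfg.get("tls_checkpeer") == "0":
        findings.append("tls_checkpeer = 0: LDAP server identity not verified")
    if cfg.get("passwd"):
        findings.append("bind password in pam_pkcs11.conf: keep mode 0600 and "
                        "strip it before sharing debug output")
    return findings
```

Running `lint_ldap_mapper(parse_mapper(SAMPLE_CONF))` on the posted block yields four findings; rewriting URI as `ldap://host:389` entries and setting `tls_checkpeer = 1` clears the first three.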