ERROR:pam_pkcs11.c:646: no valid certificate which meets all requirements found


eferro
Hi guys, sorry if my English sucks!

I want your help to find out what I am doing wrong using smartcard login with ldap map.

1) My openldap server has an attribute named cryptPassword I use to login
2) My certificate has an attribute named CPF I want to use as login

Using a Watchdata token, Ubuntu 14.04 amd64, libpam-pkcs11 0.6.8-4 amd64

I try to do
~$ openssl verify -CApath /etc/pam_pkcs11/cacerts
but it gives me no response.

~$ pkcs11_inspect
DEBUG:pkcs11_inspect.c:69: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:975: PKCS #11 module = [/usr/lib/watchdata/ICP/lib/libwdpkcs_icp.so]
DEBUG:pkcs11_lib.c:992: module permissions: uid = 0, gid = 0, mode = 755
DEBUG:pkcs11_lib.c:1001: loading module /usr/lib/watchdata/ICP/lib/libwdpkcs_icp.so
DEBUG:pkcs11_lib.c:1009: getting function list
DEBUG:pkcs11_inspect.c:78: initialising pkcs #11 module...
DEBUG:pkcs11_lib.c:1106: module information:
DEBUG:pkcs11_lib.c:1107: - version: 2.10
DEBUG:pkcs11_lib.c:1108: - manufacturer: WatchData
DEBUG:pkcs11_lib.c:1109: - flags: 0000
DEBUG:pkcs11_lib.c:1110: - library description: PKCS#11 cryptoki module        
DEBUG:pkcs11_lib.c:1111: - library version: 1.0
DEBUG:pkcs11_lib.c:1118: number of slots (a): 1
DEBUG:pkcs11_lib.c:1141: number of slots (b): 1
DEBUG:pkcs11_lib.c:1037: slot 1:
DEBUG:pkcs11_lib.c:1047: - description: WatchData IC CARD Reader/Writer 0                              
DEBUG:pkcs11_lib.c:1048: - manufacturer: Watchdata Technologies Pte.Ltd
DEBUG:pkcs11_lib.c:1049: - flags: 0007
DEBUG:pkcs11_lib.c:1051: - token:
DEBUG:pkcs11_lib.c:1057:   - label: eferro
DEBUG:pkcs11_lib.c:1058:   - manufacturer: Watchdata Corp.                
DEBUG:pkcs11_lib.c:1059:   - model: TimeCos/PK     
DEBUG:pkcs11_lib.c:1060:   - serial: WDS01108186o8R7Y
DEBUG:pkcs11_lib.c:1061:   - flags: 060d
DEBUG:pkcs11_lib.c:1364: opening a new PKCS #11 session for slot 1
PIN for token:
DEBUG:pkcs11_lib.c:1383: login as user CKU_USER
DEBUG:pkcs11_lib.c:1577: Saving Certificate #1:
DEBUG:pkcs11_lib.c:1579: - type: 00
DEBUG:pkcs11_lib.c:1580: - id:   28
DEBUG:pkcs11_lib.c:1612: Found 1 certificates in token
DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
DEBUG:mapper_mgr.c:95: Loading dynamic module for mapper 'ldap'
DEBUG:ldap_mapper.c:847: test ssltls = tls
DEBUG:ldap_mapper.c:849: LDAP mapper started.
DEBUG:ldap_mapper.c:850: debug         = 1
DEBUG:ldap_mapper.c:851: ignorecase    = 0
DEBUG:ldap_mapper.c:852: ldaphost      = my-ldap-addr
DEBUG:ldap_mapper.c:853: ldapport      = 389
DEBUG:ldap_mapper.c:854: ldapURI       = my-ldap-addr my-ldap-addr2
DEBUG:ldap_mapper.c:855: scope         = 2
DEBUG:ldap_mapper.c:856: binddn        = uid=estacao,ou=servicos,ou=corp,dc=company,dc=gov,dc=br
DEBUG:ldap_mapper.c:857: passwd        = estacao@rlsl
DEBUG:ldap_mapper.c:858: base          = dc=company,dc=gov,dc=br
DEBUG:ldap_mapper.c:859: attribute     = userCertificate
DEBUG:ldap_mapper.c:860: filter        = (&(objectClass=posixAccount)(uid=%s))
DEBUG:ldap_mapper.c:861: searchtimeout = 20
DEBUG:ldap_mapper.c:862: ssl_on        = 2
DEBUG:ldap_mapper.c:864: tls_randfile  =
DEBUG:ldap_mapper.c:865: tls_cacertfile= /etc/ssl/certs/389-ca.crt
DEBUG:ldap_mapper.c:866: tls_cacertdir =
DEBUG:ldap_mapper.c:867: tls_checkpeer = 0
DEBUG:ldap_mapper.c:868: tls_ciphers   =
DEBUG:ldap_mapper.c:869: tls_cert      =
DEBUG:ldap_mapper.c:870: tls_key       =
DEBUG:mapper_mgr.c:196: Inserting mapper [ldap] into list
DEBUG:pkcs11_inspect.c:126: Found '1' certificate(s)
DEBUG:pkcs11_inspect.c:130: verifying the certificate #1
DEBUG:cert_vfy.c:338: Adding hashdir lookup to x509_store
DEBUG:cert_vfy.c:350: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
DEBUG:cert_vfy.c:450: certificate is valid
DEBUG:cert_vfy.c:207: crl policy: 0
DEBUG:cert_vfy.c:210: no revocation-check performed
DEBUG:cert_vfy.c:464: certificate has not been revoked
DEBUG:pkcs11_inspect.c:144: Inspecting certificate #1
Printing data for mapper ldap:

DEBUG:mapper_mgr.c:213: unloading mapper module list
DEBUG:mapper_mgr.c:137: calling mapper_module_end() ldap
DEBUG:mapper_mgr.c:145: unloading module ldap
DEBUG:pkcs11_lib.c:1443: logout user
DEBUG:pkcs11_lib.c:1450: closing the PKCS #11 session
DEBUG:pkcs11_lib.c:1456: releasing keys and certificates
DEBUG:pkcs11_inspect.c:161: releasing pkcs #11 module...
DEBUG:pkcs11_inspect.c:164: Process completed

--------------------------------------------------------------------------
~$ pkcs11_listcerts
DEBUG:pkcs11_listcerts.c:69: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:975: PKCS #11 module = [/usr/lib/watchdata/ICP/lib/libwdpkcs_icp.so]
DEBUG:pkcs11_lib.c:992: module permissions: uid = 0, gid = 0, mode = 755
DEBUG:pkcs11_lib.c:1001: loading module /usr/lib/watchdata/ICP/lib/libwdpkcs_icp.so
DEBUG:pkcs11_lib.c:1009: getting function list
DEBUG:pkcs11_listcerts.c:77: initialising pkcs #11 module...
DEBUG:pkcs11_lib.c:1106: module information:
DEBUG:pkcs11_lib.c:1107: - version: 2.10
DEBUG:pkcs11_lib.c:1108: - manufacturer: WatchData
DEBUG:pkcs11_lib.c:1109: - flags: 0000
DEBUG:pkcs11_lib.c:1110: - library description: PKCS#11 cryptoki module        
DEBUG:pkcs11_lib.c:1111: - library version: 1.0
DEBUG:pkcs11_lib.c:1118: number of slots (a): 1
DEBUG:pkcs11_lib.c:1141: number of slots (b): 1
DEBUG:pkcs11_lib.c:1037: slot 1:
DEBUG:pkcs11_lib.c:1047: - description: WatchData IC CARD Reader/Writer 0                              
DEBUG:pkcs11_lib.c:1048: - manufacturer: Watchdata Technologies Pte.Ltd
DEBUG:pkcs11_lib.c:1049: - flags: 0007
DEBUG:pkcs11_lib.c:1051: - token:
DEBUG:pkcs11_lib.c:1057:   - label: eferro
DEBUG:pkcs11_lib.c:1058:   - manufacturer: Watchdata Corp.                
DEBUG:pkcs11_lib.c:1059:   - model: TimeCos/PK     
DEBUG:pkcs11_lib.c:1060:   - serial: WDS01108186o8R7Y
DEBUG:pkcs11_lib.c:1061:   - flags: 060d
DEBUG:pkcs11_lib.c:1364: opening a new PKCS #11 session for slot 1
PIN for token:
DEBUG:pkcs11_lib.c:1383: login as user CKU_USER
DEBUG:pkcs11_lib.c:1577: Saving Certificate #1:
DEBUG:pkcs11_lib.c:1579: - type: 00
DEBUG:pkcs11_lib.c:1580: - id:   28
DEBUG:pkcs11_lib.c:1612: Found 1 certificates in token
Found '1' certificate(s)
Certificate #1:
- Subject:   /C=BR/O=ICP-Brasil/OU=Pessoa Fisica A3/OU=ARcompany/OU=Autoridade Certificadora companyACF/CN=EMMANUEL FERRO
- Issuer:    /C=BR/O=ICP-Brasil/OU=CSPB-1/OU=Servico Federal de Processamento de Dados - company/CN=Autoridade Certificadora do company Final v4
- Algorithm: rsaEncryption
DEBUG:cert_vfy.c:338: Adding hashdir lookup to x509_store
DEBUG:cert_vfy.c:350: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
DEBUG:cert_vfy.c:450: certificate is valid
DEBUG:cert_vfy.c:207: crl policy: 0
DEBUG:cert_vfy.c:210: no revocation-check performed
DEBUG:cert_vfy.c:464: certificate has not been revoked
DEBUG:pkcs11_lib.c:1443: logout user
DEBUG:pkcs11_lib.c:1450: closing the PKCS #11 session
DEBUG:pkcs11_lib.c:1456: releasing keys and certificates
DEBUG:pkcs11_listcerts.c:157: releasing pkcs #11 module...
DEBUG:pkcs11_listcerts.c:160: Process completed

--------------------------------------------------------------------------
:~$ sudo login 22222222222
Smartcard authentication starts
DEBUG:pam_pkcs11.c:308: username = [22222222222]
DEBUG:pam_pkcs11.c:319: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:975: PKCS #11 module = [/usr/lib/watchdata/ICP/lib/libwdpkcs_icp.so]
DEBUG:pkcs11_lib.c:992: module permissions: uid = 0, gid = 0, mode = 755
DEBUG:pkcs11_lib.c:1001: loading module /usr/lib/watchdata/ICP/lib/libwdpkcs_icp.so
DEBUG:pkcs11_lib.c:1009: getting function list
DEBUG:pam_pkcs11.c:334: initialising pkcs #11 module...
DEBUG:pkcs11_lib.c:1106: module information:
DEBUG:pkcs11_lib.c:1107: - version: 2.10
DEBUG:pkcs11_lib.c:1108: - manufacturer: WatchData
DEBUG:pkcs11_lib.c:1109: - flags: 0000
DEBUG:pkcs11_lib.c:1110: - library description: PKCS#11 cryptoki module        
DEBUG:pkcs11_lib.c:1111: - library version: 1.0
DEBUG:pkcs11_lib.c:1118: number of slots (a): 1
DEBUG:pkcs11_lib.c:1141: number of slots (b): 1
DEBUG:pkcs11_lib.c:1037: slot 1:
DEBUG:pkcs11_lib.c:1047: - description: WatchData IC CARD Reader/Writer 0                              
DEBUG:pkcs11_lib.c:1048: - manufacturer: Watchdata Technologies Pte.Ltd
DEBUG:pkcs11_lib.c:1049: - flags: 0007
DEBUG:pkcs11_lib.c:1051: - token:
DEBUG:pkcs11_lib.c:1057:   - label: eferro
DEBUG:pkcs11_lib.c:1058:   - manufacturer: Watchdata Corp.                
DEBUG:pkcs11_lib.c:1059:   - model: TimeCos/PK     
DEBUG:pkcs11_lib.c:1060:   - serial: WDS01108186o8R7Y
DEBUG:pkcs11_lib.c:1061:   - flags: 060d
Token found.
DEBUG:pkcs11_lib.c:1364: opening a new PKCS #11 session for slot 1
Welcome eferro!
Token PIN:
DEBUG:pkcs11_lib.c:1383: login as user CKU_USER
DEBUG:pkcs11_lib.c:1577: Saving Certificate #1:
DEBUG:pkcs11_lib.c:1579: - type: 00
DEBUG:pkcs11_lib.c:1580: - id:   28
DEBUG:pkcs11_lib.c:1612: Found 1 certificates in token
DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
DEBUG:mapper_mgr.c:95: Loading dynamic module for mapper 'ldap'
DEBUG:ldap_mapper.c:847: test ssltls = tls
DEBUG:ldap_mapper.c:849: LDAP mapper started.
DEBUG:ldap_mapper.c:850: debug         = 1
DEBUG:ldap_mapper.c:851: ignorecase    = 0
DEBUG:ldap_mapper.c:852: ldaphost      = my-ldap-addr
DEBUG:ldap_mapper.c:853: ldapport      = 389
DEBUG:ldap_mapper.c:854: ldapURI       = my-ldap-addr my-ldap-addr2
DEBUG:ldap_mapper.c:855: scope         = 2
DEBUG:ldap_mapper.c:856: binddn        = uid=estacao,ou=servicos,ou=corp,dc=company,dc=gov,dc=br
DEBUG:ldap_mapper.c:857: passwd        = mypass
DEBUG:ldap_mapper.c:858: base          = dc=company,dc=gov,dc=br
DEBUG:ldap_mapper.c:859: attribute     = userCertificate
DEBUG:ldap_mapper.c:860: filter        = (&(objectClass=posixAccount)(uid=%s))
DEBUG:ldap_mapper.c:861: searchtimeout = 20
DEBUG:ldap_mapper.c:862: ssl_on        = 2
DEBUG:ldap_mapper.c:864: tls_randfile  =
DEBUG:ldap_mapper.c:865: tls_cacertfile= /etc/ssl/certs/389-ca.crt
DEBUG:ldap_mapper.c:866: tls_cacertdir =
DEBUG:ldap_mapper.c:867: tls_checkpeer = 0
DEBUG:ldap_mapper.c:868: tls_ciphers   =
DEBUG:ldap_mapper.c:869: tls_cert      =
DEBUG:ldap_mapper.c:870: tls_key       =
DEBUG:mapper_mgr.c:196: Inserting mapper [ldap] into list
DEBUG:pam_pkcs11.c:551: verifying the certificate #1
verifying certificate
DEBUG:cert_vfy.c:338: Adding hashdir lookup to x509_store
DEBUG:cert_vfy.c:350: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
DEBUG:cert_vfy.c:450: certificate is valid
DEBUG:cert_vfy.c:207: crl policy: 0
DEBUG:cert_vfy.c:210: no revocation-check performed
DEBUG:cert_vfy.c:464: certificate has not been revoked
DEBUG:ldap_mapper.c:618: ldap_get_certificate(): begin login = 22222222222
DEBUG:ldap_mapper.c:623: ldap_get_certificate(): filter_str = (&(objectClass=posixAccount)(uid=22222222222))
DEBUG:ldap_mapper.c:581: added URI my-ldap-addr
DEBUG:ldap_mapper.c:581: added URI my-ldap-addr2
DEBUG:ldap_mapper.c:581: added URI ldap://my-ldap-addr:389
DEBUG:ldap_mapper.c:682: ldap_get_certificate(): try do_open for my-ldap-addr
DEBUG:ldap_mapper.c:144: do_init():
DEBUG:ldap_mapper.c:393: do_open(): do_init failed
DEBUG:ldap_mapper.c:696: ldap_get_certificate(): do_open failed
DEBUG:ldap_mapper.c:892: ldap_get_certificate() failed
DEBUG:mapper_mgr.c:306: Mapper module ldap match() returns 0
DEBUG:pam_pkcs11.c:634: certificate is valid but does not match the user
ERROR:pam_pkcs11.c:646: no valid certificate which meets all requirements found
Error 2336: No matching certificate found
DEBUG:mapper_mgr.c:213: unloading mapper module list
DEBUG:mapper_mgr.c:137: calling mapper_module_end() ldap
DEBUG:mapper_mgr.c:145: unloading module ldap
DEBUG:pkcs11_lib.c:1443: logout user
DEBUG:pkcs11_lib.c:1450: closing the PKCS #11 session
DEBUG:pkcs11_lib.c:1456: releasing keys and certificates

Login incorrect
Smartcard authentication starts
DEBUG:pam_config.c:248: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
Please insert your Token or enter your username.

--------------------------------------------------------------------------
:~$ sudo vim /etc/pam_pkcs11/pam_pkcs11.conf
--------------------------------------------------------------------------
pam_pkcs11  {
        # Allow empty passwords
        nullok = true;

        # Enable debugging support.
        debug = true; ##false;

        # Do not prompt the user for the passwords but take them from the
        # PAM_ items instead.
        use_first_pass = false;

        # Do not prompt the user for the passwords unless PAM_(OLD)AUTHTOK
        # is unset.
        try_first_pass = false;

        # Like try_first_pass, but fail if the new PAM_AUTHTOK has not been
        # previously set (intended for stacking password modules only).
        use_authtok = true; ##false;

        # Filename of the PKCS #11 module. The default value is "default"
        use_pkcs11_module = wdtoken;

[...]

        # WatchData
        pkcs11_module wdtoken {
                module = "/usr/lib/watchdata/ICP/lib/libwdpkcs_icp.so";
                description = "Watchdata token";
                slot_num = 0;
                support_threads = true;
                ca_dir = "/etc/pam_pkcs11/cacerts";
                cert_policy = ca, signature;
                token_type = Token;
        }

[...]

        use_mappers = ldap;

[...]

        mapper ldap {
                debug = true;
                module = "/lib/pam_pkcs11/ldap_mapper.so";
                ldaphost = "my.ldap.addr";
                ldapport = 389;
                URI = "my.ldap.addr my.ldap.addr2";
                scope = 2;
                binddn = "uid=workstation,ou=serv,ou=corp,dc=company,dc=gov,dc=br";
                passwd = "mypass";
                base = "dc=company,dc=gov,dc=br";
                attribute = userCertificate;
                filter = "(&(objectClass=posixAccount)(uid=%s))";
                ssl = tls;
                tls_cacertfile = "/etc/ssl/certs/389-ca.crt";
                tls_checkpeer = 0;
        }
}

_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Re: ERROR:pam_pkcs11.c:646: no valid certificate which meets all requirements found

Douglas E Engert
DEBUG:ldap_mapper.c:144: do_init():
DEBUG:ldap_mapper.c:393: do_open(): do_init failed

Not having used pam_pkcs11, it looks like the LDAP URI is wrong, or it needs ldaps:// rather than ldap://

Try to get ldapsearch to work first.


On 4/27/2015 8:32 AM, Emmanuel Nazareno de Lima Ferro wrote:
> Hi guys, sorry if my English sucks!

Sounds OK to me.

>
> I want your help to find out what I am doing wrong using smartcard login with ldap map.
>
> 1) My openldap server has an attribute named cryptPassword I use to login
> 2) My certificate has an attribute named CPF I want to use as login
>
> Using a Watchdata token, Ubuntu 14.04 amd64, libpam-pkcs11 0.6.8-4 amd64
>
> I try to do
> ~$ openssl verify -CApath /etc/pam_pkcs11/cacerts
> but it gives me no response.

You need to give the cert to verify.
It may be expecting it on stdin.


--

  Douglas E. Engert  <[hidden email]>
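The two checks Douglas suggests (get ldapsearch working with the mapper's own settings first, then give openssl verify an actual certificate), as an added shell example that is not code from the thread or from the pam_pkcs11 project. It copies its values from the mapper ldap block in the original post and assumes the OpenLDAP client tools, openssl and pkcs11_inspect are installed.

```shell
#!/bin/sh
# Added example, not code from the thread or from pam_pkcs11.  It reproduces
# the two suggestions from the reply outside PAM: a working ldapsearch with
# the mapper's settings, and openssl verify fed a real certificate.
# Assumes the openldap client tools, openssl and pkcs11_inspect are installed.

# Values copied from the "mapper ldap" block in the original post.
LDAP_URIS="my.ldap.addr my.ldap.addr2"
BIND_DN="uid=workstation,ou=serv,ou=corp,dc=company,dc=gov,dc=br"
BASE_DN="dc=company,dc=gov,dc=br"
FILTER_TEMPLATE='(&(objectClass=posixAccount)(uid=%s))'
CA_DIR=/etc/pam_pkcs11/cacerts          # ca_dir of the pkcs11_module block
LDAP_CA_FILE=/etc/ssl/certs/389-ca.crt  # tls_cacertfile of the mapper

# check_ldap_uris LIST
# The mapper hands each space-separated entry to the LDAP library as a URI,
# and the debug log shows do_init() failing on the bare "my-ldap-addr".
# Print every entry without an ldap://, ldaps:// or ldapi:// scheme and
# return 1 if any was found.
check_ldap_uris() {
    bad=0
    for uri in $1; do
        case "$uri" in
            ldap://*|ldaps://*|ldapi://*) ;;
            *) echo "URI without scheme: $uri"; bad=1 ;;
        esac
    done
    return $bad
}

# build_filter TEMPLATE LOGIN
# The same %s substitution the mapper performs (see its filter_str debug
# line).  The login is inserted literally, so keep it to plain uid characters.
build_filter() {
    printf '%s\n' "$1" | sed "s|%s|$2|"
}

# ldap_probe URI LOGIN
# The search the mapper would run, done with ldapsearch so bind, StartTLS and
# filter problems show up outside PAM.  -ZZ makes StartTLS mandatory and
# LDAPTLS_CACERT pins the server CA (the thread's tls_checkpeer = 0 skips that
# check); -W prompts for the bind password instead of taking it as an argument.
ldap_probe() {
    LDAPTLS_CACERT="$LDAP_CA_FILE" ldapsearch -LLL -x -ZZ -H "$1" \
        -D "$BIND_DN" -W -b "$BASE_DN" -s sub \
        "$(build_filter "$FILTER_TEMPLATE" "$2")" userCertificate
}

# verify_token_cert
# openssl verify reads the certificate from stdin when no file is given, which
# is why the bare command in the post printed nothing.  pkcs11_inspect prints
# the token certificate as PEM (after asking for the PIN), so cut that out and
# check it against the same CA directory pam_pkcs11 uses.
verify_token_cert() {
    pkcs11_inspect 2>&1 \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
        | openssl verify -CApath "$CA_DIR"
}

# Live checks run only when a login name is given:
#   sh ldapmapper-check.sh 22222222222
if [ $# -ge 1 ]; then
    if check_ldap_uris "$LDAP_URIS"; then
        for uri in $LDAP_URIS; do ldap_probe "$uri" "$1" && break; done
    else
        echo "fix the URI = line in the mapper ldap block first (e.g. ldap://host:389)"
    fi
    verify_token_cert
fi
```

The mapper's debug output in the post echoes the bind password (the `passwd =` line), so those logs need the same handling as the config file and debug is best switched off again once the mapping works.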

