[GH-ISSUE #45] Relevant OCSP response if user account disabled in AD #37

Open
opened 2026-02-26 03:33:32 +03:00 by kerem · 1 comment
Originally created by @laurivosandi on GitHub (Mar 1, 2018).
Original GitHub issue: https://github.com/laurivosandi/certidude/issues/45

Currently the OCSP responder returns ok regardless of user account status in AD. Certidude should have config to handle this:

  • By default return not ok response on OCSP if certificate was issued to a user (CN=user@machine-id) and user is disabled (UserAccountControl flags)
  • Optionally revoke certificate as soon as user is disabled
  • Do not check user status

@plaes commented on GitHub (Mar 1, 2018):

Also two extra scenarios where the `UserAccountControl` attribute is not enough:

  • AD account expiration date should be read separately from the `accountExpires` attribute
  • AD account lockout info is stored in `lockoutTime`

And then there's also the `pwdLastSet` mess, because password expiration is read from the domain root object's `pwdMaxAge` attribute, but one should take into account the `neverExpires` bit in `UserAccountControl`. Though I guess Certidude should not care about the password...

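How a responder could implement the three policies proposed in the issue, with the `accountExpires` and `lockoutTime` checks from the comment folded in, as an added example that is not Certidude's code. The `Mode` names, the attribute dictionary shape and the `lockout_duration` parameter are assumptions; the `UserAccountControl` bit value and FILETIME encoding are the documented AD ones.

```python
from datetime import datetime, timedelta, timezone
from enum import Enum

UAC_ACCOUNTDISABLE = 0x0002  # UserAccountControl bit set when the account is disabled
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME: 100-ns ticks since 1601
_NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)  # accountExpires values meaning "no expiry"

def filetime_to_datetime(ft):
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    d = dt - _FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

class Mode(Enum):
    CHECK = "check"    # default: answer "revoked" while the AD account is unusable
    REVOKE = "revoke"  # additionally revoke the certificate permanently
    IGNORE = "ignore"  # do not consult AD at all

def account_unusable(attrs, now, lockout_duration=None):
    """Return 'disabled', 'expired' or 'locked' if the AD user cannot sign in, else None.
    lockout_duration is the domain's lockoutDuration; None treats a lockout as indefinite."""
    if int(attrs.get("userAccountControl", 0)) & UAC_ACCOUNTDISABLE:
        return "disabled"
    expires = int(attrs.get("accountExpires", 0))
    if expires not in _NEVER_EXPIRES and filetime_to_datetime(expires) <= now:
        return "expired"
    lockout = int(attrs.get("lockoutTime", 0))  # 0 means never locked out
    if lockout and (lockout_duration is None
                    or filetime_to_datetime(lockout) + lockout_duration > now):
        return "locked"
    return None

def ocsp_status(attrs, mode, now, lockout_duration=None):
    """Return (OCSP answer, revoke_permanently) for a certificate issued to this user."""
    if mode is Mode.IGNORE or account_unusable(attrs, now, lockout_duration) is None:
        return "good", False
    return "revoked", mode is Mode.REVOKE

# Constructed sample attribute sets, not real directory data
NOW = datetime(2018, 3, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_USERS = {
    "alice": {"userAccountControl": 0x200, "accountExpires": 0, "lockoutTime": 0},
    "bob": {"userAccountControl": 0x202, "accountExpires": 0, "lockoutTime": 0},  # disabled
    "carol": {"userAccountControl": 0x200, "lockoutTime": 0,
              "accountExpires": datetime_to_filetime(NOW - timedelta(days=1))},
    "dave": {"userAccountControl": 0x200, "accountExpires": 0x7FFFFFFFFFFFFFFF,
             "lockoutTime": datetime_to_filetime(NOW - timedelta(minutes=10))},
}
```

Treating a lockout as indefinite when `lockoutDuration` is unknown errs on the side of answering "revoked"; pass the domain's real value to let the answer return to "good" once the lockout window has elapsed.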