From: "John Magne" <jmagne(a)redhat.com&gt; To: "pki-devel" <pki-devel(a)redhat.com&gt; Sent: Tuesday, August 16, 2016 5:15:49 PM Subject: [pki-devel][PATCH] 0080-Authentication-Instance-Id-PinDirEnrollment-with-aut.patch [PATCH] Authentication Instance Id PinDirEnrollment with authType value as SslclientAuth is not working. Ticket #1578 The fixing of this problem required the following: 1. Hook up a java callback that is designed to allow the selection of a candidate client auth cert to be sent to Ldap in the LdapSSLSocket factory object. Previously we simply manually set the desired client auth cert nickname, which is provided by the console interface when cofiguring the "removePin" portion of the UidPinDir Authentication method. Doing it this way has the benefit of giving us some logging to show when the actual client auth cert is being requested by the server. We get to see the list of candidate certs and when we match one of those with the requested cert name, established by the console. This client auth problem applies ONLY to the connection pool that is used to remove the pin attribute from an external authentication directory. 2. Previously the code, when setting up client auth for "removePin", would make one single call to create the SSL socket to connect to ldap over client auth. Now, based on some code I saw in the JSS test suite, the socket is constructed in two steps. Doing this causes things to work. Further investigation down the line could figure out what is going on at the lower level. 3. Was able to test this to work with the reported problem directory server provided by QE. Note: for pin removal to work, we must also make sure that the user we authenticating to (through client auth) has the power to actually remove the pin attribute from various users.