Relevant OCSP response if user account disabled in AD

laurivosandi / certidude

Easy to use Certificate Authority web service for OpenVPN, StrongSwan and HTTPS

MIT License

126 stars 30 forks source link

Relevant OCSP response if user account disabled in AD #45

Open laurivosandi opened 6 years ago

laurivosandi commented 6 years ago

Currently OCSP responder returns ok regardless of user account status in AD. Certidude should have config to handle this

By default return not ok response on OCSP if certificate was issued to a user (CN=user@machine-id) and user is disabled (UserAccountControl flags)
Optionally revoke certificate as soon as user is disabled
Do not check user status

plaes commented 6 years ago

Also two extra scenarios where UserAccountControl attribute is not enough:

AD Account expiration date should be read separately from accountExpires attribute
AD Account lockout info is stored in lockoutTime

And then there's also pwdLastSet mess because password expiration is read from domain root object's pwdMaxAge attribute, but one should take account the neverExpires bit in UserAccountControl. Though I guess Certidude should not care about the password...