URL: https://github.com/freeipa/freeipa/pull/851
Author: abbra
Title: #851: ipa-kdb: add pkinit authentication indicator in case of a successful certauth
Action: opened
PR body: """ We automatically add 'otp' and 'radius' authentication indicators when pre-authentication with OTP or RADIUS did succeed. Do the same for certauth-based pre-authentication (PKINIT).
A default PKINIT configuration does not add any authentication indicators unless 'pkinit_indicator = pkinit' is set in kdc.conf. Unfortunately, modifying kdc.conf automatically is a bit more complicated than modifying krb5.conf. Given that we have 'otp' and 'radius' authentication indicators also defined in the code, not in the kdc.conf, this change is following an established trend.
SSSD certauth interface does not provide additional information about which rule(s) succeeded in matching the incoming certificate. Thus, there is not much information we can automatically provide in the indicator. It would be good to generate indicators that include some information from the certmapping rules in future, but for now a single 'pkinit' indicator is enough.
Fixes https://pagure.io/freeipa/issue/6736 """
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/851/head:pr851
git checkout pr851
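The behaviour the PR body describes, as an added example that is not part of the PR or of FreeIPA's code: a certauth-style step that hands back a NULL-terminated indicator list containing 'pkinit' only when the certificate match succeeded. The function names and the simplified `cert_matched` input are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Free a NULL-terminated list of indicator strings. */
void free_indicators(char **list)
{
    if (list == NULL)
        return;
    for (size_t i = 0; list[i] != NULL; i++)
        free(list[i]);
    free(list);
}

/* Append `ind` to *list unless it is already present.
 * Returns 0 on success, -1 on allocation failure. */
int add_indicator(char ***list, const char *ind)
{
    size_t n = 0, len = strlen(ind) + 1;
    char **grown, *copy;

    if (*list != NULL) {
        for (; (*list)[n] != NULL; n++) {
            if (strcmp((*list)[n], ind) == 0)
                return 0;           /* already asserted, no duplicate */
        }
    }
    copy = malloc(len);
    if (copy == NULL)
        return -1;
    memcpy(copy, ind, len);
    grown = realloc(*list, (n + 2) * sizeof(*grown));
    if (grown == NULL) {
        free(copy);                 /* *list is still valid and unchanged */
        return -1;
    }
    grown[n] = copy;
    grown[n + 1] = NULL;
    *list = grown;
    return 0;
}

/* Hypothetical stand-in for the authorize step: `cert_matched` is the
 * yes/no answer of the certificate mapping lookup. */
int certauth_indicators(int cert_matched, char ***authinds_out)
{
    *authinds_out = NULL;
    if (!cert_matched)
        return -1;                  /* rejected: no indicator is asserted */
    return add_indicator(authinds_out, "pkinit");
}
```
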
Label: +ack
Label: +pushed
martbab commented: """ master:
* e8a7e2e38ad7cea2964305247430e964d2b785b1 ipa-kdb: add pkinit authentication indicator in case of a successful certauth
ipa-4-5:
* ca02cea8dfd63290e4821833fc2ac7d457290e9f ipa-kdb: add pkinit authentication indicator in case of a successful certauth
"""
See the full comment at https://github.com/freeipa/freeipa/pull/851#issuecomment-306237025
URL: https://github.com/freeipa/freeipa/pull/851
Author: abbra
Title: #851: ipa-kdb: add pkinit authentication indicator in case of a successful certauth
Action: closed
freeipa-devel@lists.fedorahosted.org