On Tue, 13 Jul 2021, Florence Renaud via FreeIPA-users wrote:
Hi,
please find more information regarding smart card mapping in the man page
for sss-certmap(5) and in the chapter *Certificate Mapping Rules for
Configuring Authentication on Smart Cards* [1] of *Linux Domain Identity,
Authentication, and Policy Guide*.
IdM allows you to configure rules that describe how to associate a
certificate with a user. The rule extracts information from the
certificate, and builds an LDAP search filter that should return a matching
entry.
See also
https://github.com/fftux/idm-smartcard-playbooks for some
Ansible playbooks that automate the setup for DoD-like environments.
HTH,
flo
[1]
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
On Tue, Jul 13, 2021 at 8:14 AM Angelo Alvarez via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
> Aloha. I've configured our IdM server as an OpenLDAP identity provider
> for our VMware vCenter 6.7 server. I'm able to login to our vCenter as the
> IdM user with username and password, but I'm unable to authenticate using
> smart card authentication. My IdM domain is "xxxx.xxxx.mil", but my
> smart card is issued by the DoD, and the Subject Alternative Name (SAN) on
> my identity certificate shows ex."Principal Name=1234567897000@mil".
> When we used Active Directory authentication with vCenter, the user account
> properties for UPN needed to match the SAN value (ex.1234567897000@mil)
> from the user's identity certificate. That said, if our domain name is
> "xxxx.xxxx.mil", is it possible to have an IdM user account with username
> "first.last.usr" and an SSL certificate mapping that uses all or a portion
> of the SAN value (ex. "Principal Name=123456789700@mil") for smart card
> authentication?
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
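As an added illustration (not code from sssd, FreeIPA or anyone in this thread, and a deliberately simplified model rather than sss-certmap's own parser), the following Python shows the two halves of the certificate mapping rule Florence describes: a matching rule that decides which certificates the rule applies to, and a mapping template that turns fields extracted from the certificate into an LDAP search filter. The certificate field values, the rule strings and the `employeeNumber` attribute are constructed assumptions; only the `{field}` and `{field.short_name}` template forms are modelled. It goes one step beyond the message by showing why every substituted value has to be LDAP-escaped before it lands in the filter.

```python
import re

# Constructed sample of the fields a certificate-mapping engine extracts from
# a smart card certificate; all values are invented for this example.
SAMPLE_CERT = {
    "subject_dn": "CN=LAST.FIRST.M.1234567897000,OU=USN,OU=PKI,OU=DoD,O=U.S. Government,C=US",
    "issuer_dn": "CN=EXAMPLE ID CA-00,OU=PKI,OU=DoD,O=U.S. Government,C=US",
    "subject_principal": "1234567897000@mil",        # SAN otherName / UPN
    "subject_rfc822_name": "first.last@example.mil",  # SAN rfc822Name
}

# Maps the <KEY> used in a matching rule to the extracted field it tests.
MATCH_KEYS = {
    "SUBJECT": "subject_dn",
    "ISSUER": "issuer_dn",
    "SAN:Principal": "subject_principal",
    "SAN:rfc822Name": "subject_rfc822_name",
}


def ldap_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515), so that
    characters taken from a certificate cannot change the filter's structure."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def rule_matches(rule, cert):
    """Evaluate a matching rule such as '<SAN:Principal>.*@mil' or
    '<ISSUER>^CN=EXAMPLE ID CA.*&&<SAN:Principal>.*@mil' against the
    extracted certificate fields.  Every '&&'-joined clause must match."""
    for clause in rule.split("&&"):
        m = re.fullmatch(r"<([^>]+)>(.*)", clause.strip())
        if not m or m.group(1) not in MATCH_KEYS:
            raise ValueError("unsupported matching clause: %r" % clause)
        field = cert.get(MATCH_KEYS[m.group(1)], "")
        if not re.search(m.group(2), field):
            return False
    return True


def render_filter(template, cert):
    """Expand {field} and {field.short_name} placeholders in a mapping template
    into an LDAP filter.  '.short_name' drops the realm/domain after '@'."""
    def expand(m):
        name, modifier = m.group(1), m.group(2)
        if name not in cert:
            raise KeyError("unknown certificate field: %s" % name)
        value = cert[name]
        if modifier == ".short_name":
            value = value.split("@", 1)[0]
        elif modifier:
            raise ValueError("unsupported modifier: %s" % modifier)
        return ldap_escape(value)
    return re.sub(r"\{([a-z0-9_]+)(\.[a-z_]+)?\}", expand, template)


def map_certificate(cert, rules):
    """Return the LDAP filter built by the first (matching rule, mapping
    template) pair whose matching rule accepts the certificate, else None."""
    for match_rule, map_template in rules:
        if rule_matches(match_rule, cert):
            return render_filter(map_template, cert)
    return None


# Constructed rules: the first one never applies to the sample certificate,
# the second keys the user on the numeric part of the SAN principal, stored
# (by assumption) in the user's employeeNumber attribute.
RULES = [
    ("<ISSUER>^CN=Other CA", "(cn={subject_principal})"),
    ("<SAN:Principal>.*@mil", "(employeeNumber={subject_principal.short_name})"),
]

if __name__ == "__main__":
    print(map_certificate(SAMPLE_CERT, RULES))
```

Run as a script it prints `(employeeNumber=1234567897000)`, the filter IdM would send to the directory to find the account that owns the card. A certificate whose principal contained `*` or `)` would be rendered with those characters escaped rather than turning the lookup into a wildcard search.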