Hi,

On Tue, Jan 24, 2023 at 11:26 PM r0 nam1 via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
I'm wondering if anybody who actually knows this can shed some light on how it works.
I'm attempting to get Certificate Based SmartCards (Yubikeys) to work with FreeIPA so I can connect terminals and have MFA domain wide.
The issue is that on Debian PCs, the process isn't documented very well, or even how all the components interact.
Could anybody shed some light on how each program interacts, from OpenSC to SSSD talking to FreeIPA to validate the Cert, how does it all work?

You can refer to Understanding smart card authentication [1] for a high level overview. The guide also contains a section for troubleshooting [2] which may help understand the tools you can use.

From FreeIPA's point of view, the most important notion is that you need to be able to link a certificate to a user. This can be done either by storing the full certificate in the user entry, or by expressing a mapping rule that explains how to find the user associated with the certificate.
During the authentication, SSSD receives the certificate and performs an LDAP search on the users subtree, looking for a matching user. By default, it uses a search filter like "(usercertificate=<full cert>)", meaning "Look for a user that has this certificate in its LDAP entry".

If you are using a Yubikey, you must refer to the yubico-piv-tool man page for setting a PIN and management key, generating a CSR, adding the cert to the card, etc. [3]
flo
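To make the default lookup described in the reply above concrete, here is an added example (not code from the thread, FreeIPA or SSSD) that builds the LDAP filter a client would send for a certificate read off the card and then performs the same exact-match lookup against a constructed set of user entries. The attribute name userCertificate;binary follows SSSD's default user certificate attribute; binary filter values are written as backslash-escaped hex bytes per RFC 4515. The "certificate" bytes and the user entries are constructed placeholders, not a real X.509 certificate or real directory data.

```python
import base64

# Constructed sample: DER-shaped bytes standing in for a certificate so the
# example runs offline. This is NOT a valid X.509 certificate.
SAMPLE_DER = bytes([0x30, 0x82, 0x00, 0x10, 0x30, 0x0e, 0x02, 0x01, 0x01,
                    0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x00])
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

# A different (constructed) DER blob: same length, one byte changed, to show
# that the lookup is a byte-exact comparison and not "looks like the same cert".
OTHER_DER = SAMPLE_DER[:-1] + b"\x01"

# Constructed user entries as an LDAP search would return them.
USERS = [
    {"uid": "alice", "userCertificate;binary": [SAMPLE_DER]},
    {"uid": "bob", "userCertificate;binary": []},
]


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode to the DER bytes the card presents."""
    lines = [l.strip() for l in pem.splitlines()
             if l.strip() and not l.startswith("-----")]
    return base64.b64decode("".join(lines))


def ldap_filter_escape(value: bytes) -> str:
    """RFC 4515 escaping: every byte of a binary value becomes \\XX."""
    return "".join(f"\\{b:02x}" for b in value)


def certificate_filter(der: bytes, attribute: str = "userCertificate;binary") -> str:
    """Build the '(attribute=<full cert>)' filter SSSD uses by default."""
    return f"({attribute}={ldap_filter_escape(der)})"


def find_user(entries, der: bytes):
    """Return the uid of the first entry whose stored certificate equals der,
    or None. The comparison is exact: a re-encoded or different certificate
    with the same subject does not match."""
    for entry in entries:
        if any(stored == der for stored in entry.get("userCertificate;binary", [])):
            return entry["uid"]
    return None


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print(certificate_filter(der))
    print("match for card cert:", find_user(USERS, der))
    print("match for altered cert:", find_user(USERS, OTHER_DER))
```

The practical consequence: the certificate stored in the IPA user entry (for example via ipa user-add-cert) has to be the exact DER the Yubikey presents. If the lookup fails, compare the bytes on the card with the bytes in LDAP before suspecting the PKCS#11 layer or the CA trust configuration.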

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue