hello Jessie,
On Mon, Feb 4, 2019 at 5:10 PM Jessie Floyd via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
I want to prevent user access if the OCSP responder does not return
a
valid/successful result. Only those users with a confirmed OCSP response
will be allowed access to the systems. I don't find a flag in sssd.confg
which would force this type operation. I've also looked over the IPA/idM
installation guide and don't find a reference on how to implement / force
an OCSP check for externally signed user certificates.
Sumit's answer applies, I think. If the certificate includes an ocsp uri,
sssd will use it. So out of the box it will work. This can be problematic
for laptop users without network connectivity and access to the ocsp
responder, by the way.
--
Groeten,
natxo