Hi,
On Tue, Jan 24, 2023 at 11:26 PM r0 nam1 via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
> I'm wondering if anybody who actually knows this can shed some light on how it works.
> I'm attempting to get Certificate Based SmartCards (Yubikeys) to work with
> FreeIPA so I can connect terminals and have MFA domain wide.
> The issue is that on Debian PCs, the process isn't documented very well,
> or even how all the components interact.
> Could anybody shed some light on how each program interacts, from OpenSC
> to SSSD talking to FreeIPA to validate the Cert, how does it all work?
You can refer to Understanding smart card authentication [1] for a high
level overview. The guide also contains a section for troubleshooting [2]
which may help understand the tools you can use.
From FreeIPA's point of view, the most important notion is that you need to
be able to link a certificate to a user. This can be done either by storing
the full certificate in the user entry, or by expressing a mapping rule
that explains how to find the user associated with the certificate.
During the authentication, SSSD receives the certificate and performs an
LDAP search on the users subtree, looking for a matching user. By default,
it uses a search filter like "(usercertificate=<full cert>)", meaning "Look
for a user that has this certificate in its LDAP entry".
If you are using a Yubikey, you must refer to the yubico-piv-tool man page for
setting a pin and management key, generating a csr, adding the cert on the
card etc. [3]
flo
[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
[2] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
[3] https://developers.yubico.com/yubico-piv-tool/Manuals/yubico-piv-tool.1.html
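The two lookup strategies flo describes (matching the full certificate versus a mapping rule) as an added Python example, not code from the thread or from SSSD/FreeIPA: it builds the default "(usercertificate=<full cert>)" filter from a PEM with RFC 4515 byte escaping, and a mapping-style filter on the `ipacertmapdata` attribute whose `X509:<I>issuer<S>subject` value format is assumed here (it is not on the page). The certificate bytes and DNs are constructed placeholders, not a real Yubikey certificate.

```python
import base64
import ssl

# Constructed placeholder DER bytes standing in for a real certificate.
# 0x2a is '*' and 0x28 is '(' : both are LDAP filter metacharacters, which
# is why every byte of the DER must be escaped before it goes into a filter.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x0A, 0x2A, 0x28])
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_DER).decode("ascii")
    + "\n-----END CERTIFICATE-----\n"
)


def ldap_escape_binary(der: bytes) -> str:
    """Escape raw bytes as an RFC 4515 assertion value: every byte becomes \\XX."""
    return "".join(f"\\{b:02x}" for b in der)


def ldap_escape_string(value: str) -> str:
    """Escape the RFC 4515 metacharacters in a textual assertion value (DN, name)."""
    # Backslash must be handled first so the escapes below are not re-escaped.
    for ch, esc in (("\\", "\\5c"), ("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\0", "\\00")):
        value = value.replace(ch, esc)
    return value


def usercertificate_filter(pem: str) -> str:
    """Default strategy: find the user whose entry stores this exact certificate."""
    der = ssl.PEM_cert_to_DER_cert(pem)  # PEM -> DER (base64 decode of the body)
    return f"(usercertificate={ldap_escape_binary(der)})"


def ipacertmapdata_filter(issuer_dn: str, subject_dn: str) -> str:
    """Mapping-rule strategy: match on issuer/subject instead of the full cert.
    Assumed value format X509:<I>issuer<S>subject; SSSD's cert map rules decide
    the exact DN serialisation, so treat this as the shape, not the rule itself."""
    return (
        "(ipacertmapdata=X509:<I>"
        + ldap_escape_string(issuer_dn)
        + "<S>"
        + ldap_escape_string(subject_dn)
        + ")"
    )


if __name__ == "__main__":
    print(usercertificate_filter(SAMPLE_PEM))
    print(ipacertmapdata_filter("CN=Example CA,O=EXAMPLE.TEST", "CN=alice (yubikey),O=EXAMPLE.TEST"))
```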
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue