Hi,
this set of patches should resolve https://fedorahosted.org/sssd/ticket/2897 "Smart Cards: Certificate in the ID View" and cover all other use cases from https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificatePart2 as well. So basically certificates can be read from IPA and local overrides and from AD with direct and indirect integration.
The patches are all about lookups, so Smartcards and authentication are not needed to test them. All that is needed is a certificate which can be added to an AD user object or an override object, and then try to look up the user with
    dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe \
        /org/freedesktop/sssd/infopipe/Users \
        org.freedesktop.sssd.infopipe.Users.FindByCertificate string:"BASE64_CERTIFICATE_STRING"
from an IPA client, IPA server or AD client with AD provider.
If the certificate is stored in the AD user object and the lookup is started on an IPA client, a patch for the IPA server is needed, because the request has to run via the extdom plugin. I'll send a patch to freeipa-devel which will use the sss_nss_getnamebycert() call added by one of the patches to allow the extdom plugin to do lookups by certificate. This means that SSSD on the IPA server must use the attached patches as well.
bye, Sumit