On Fri, Jun 03, 2016 at 02:56:08PM +0200, Jakub Hrozek wrote:
On Fri, May 20, 2016 at 09:13:29PM +0200, Sumit Bose wrote:
Hi,
this set of patches should resolve https://fedorahosted.org/sssd/ticket/2897 "Smart Cards: Certificate in the ID View" and cover all other use cases from https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificatePart2 as well. So basically certificates can be read from IPA and local overrides and from AD with direct and indirect integration.
The patches are all about lookups, so Smartcards and authentication are not needed to test them. All that is needed is a certificate which can be added to an AD user object or an override object; then try to look up the user with
    dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe \
        /org/freedesktop/sssd/infopipe/Users \
        org.freedesktop.sssd.infopipe.Users.FindByCertificate \
        string:"BASE64_CERTIFICATE_STRING"
from an IPA client, IPA server or AD client with the AD provider.
If the certificate is stored in the AD user object and the lookup is started on an IPA client, a patch for the IPA server is needed, because the request has to run via the extdom plugin. I'll send a patch to freeipa-devel which will use the sss_nss_getnamebycert() call added by one of the patches to allow the extdom plugin to do lookups by certificate. This means that SSSD on the IPA server must use the attached patches as well.
bye, Sumit
Hi,
so far I read the patches, see comments inline. I haven't tested them yet, feel free to postpone sending new patches until the final ack/nack.
The patches seem to work fine, looking up a non-existing certificate returns the expected error and looking up a valid certificate returns the user. So apart from the nitpicks earlier, I'm fine with the functionality...
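The test procedure described in the thread (put a certificate on the AD user or override object, then call FindByCertificate through dbus-send) can be scripted so that both outcomes reported above, an error for an unknown certificate and a user object path for a known one, are checked mechanically. The Python below is an added example and is not code from this thread or from SSSD: it runs the dbus-send command exactly as quoted in the thread and only classifies the reply. The certificate string is passed through unchanged in the form the thread shows; the reply and error texts in the block are constructed samples, and the error name in the sample is a placeholder, not one taken from SSSD.

```python
import re
import subprocess

# D-Bus destination, object path and method, as quoted in the thread.
IFP_DEST = "org.freedesktop.sssd.infopipe"
IFP_USERS_PATH = "/org/freedesktop/sssd/infopipe/Users"
FIND_BY_CERT = "org.freedesktop.sssd.infopipe.Users.FindByCertificate"

# Constructed sample output (not captured from a real system) in the shape
# dbus-send --print-reply produces: a header line and the returned value.
SAMPLE_FOUND_STDOUT = (
    "method return time=1.0 sender=:1.5 -> destination=:1.9 serial=3 reply_serial=2\n"
    '   object path "/org/freedesktop/sssd/infopipe/Users/ipa_2eexample_2ecom/1234"\n'
)
# Constructed sample error; the error name is a placeholder, not SSSD's real one.
SAMPLE_NOTFOUND_STDERR = "Error org.example.placeholder.NotFound: User not found\n"

_OBJPATH_RE = re.compile(r'object path "([^"]+)"')


def build_command(cert_string):
    """Assemble the dbus-send invocation from the thread; cert_string is the
    BASE64_CERTIFICATE_STRING argument and is not transformed here."""
    return [
        "dbus-send", "--system", "--print-reply", "--dest=" + IFP_DEST,
        IFP_USERS_PATH, FIND_BY_CERT, "string:" + cert_string,
    ]


def parse_reply(stdout, stderr, returncode):
    """Classify a dbus-send result as ('found', object_path),
    ('not_found', message) or ('error', message)."""
    if returncode == 0:
        match = _OBJPATH_RE.search(stdout)
        if match:
            return ("found", match.group(1))
        return ("error", "no object path in reply: " + stdout.strip())
    text = (stderr or stdout).strip()
    # dbus-send prints method errors as "Error <name>: <message>" and exits non-zero.
    if "notfound" in text.lower() or "not found" in text.lower():
        return ("not_found", text)
    return ("error", text)


def lookup_user_by_cert(cert_string, runner=subprocess.run):
    """Run the lookup and classify its outcome. `runner` is injectable so the
    classification can be exercised without a running SSSD."""
    proc = runner(build_command(cert_string), capture_output=True, text=True)
    return parse_reply(proc.stdout, proc.stderr, proc.returncode)


class _FakeProc:
    def __init__(self, stdout, stderr, returncode):
        self.stdout, self.stderr, self.returncode = stdout, stderr, returncode


def fake_runner(cmd, capture_output=True, text=True):
    """Offline stand-in for subprocess.run: 'KNOWN' resolves, anything else fails."""
    if cmd[-1] == "string:KNOWN":
        return _FakeProc(SAMPLE_FOUND_STDOUT, "", 0)
    return _FakeProc("", SAMPLE_NOTFOUND_STDERR, 1)


if __name__ == "__main__":
    # Offline demonstration; replace fake_runner with the default to hit a real sssd-ifp.
    for label in ("KNOWN", "UNKNOWN"):
        print(label, lookup_user_by_cert(label, runner=fake_runner))
```

Calling `lookup_user_by_cert(cert)` without the `runner` argument executes the real dbus-send command on a host running sssd-ifp; the injected runner exists only so the found/not-found handling can be checked where no SSSD is available.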