URL: https://github.com/SSSD/sssd/pull/570 Title: #570: p11_child: add OpenSSL support
jhrozek commented: """
On 28 May 2018, at 13:21, sumit-bose notifications@github.com wrote:
> Hi @jhrozek, thank you for the review.
> I added 'certmap: allow missing empty EKU in OpenSSL version' to fix the missing EKU issues. The patch also contains a new test certificate without EKU to make sure libcertmap can handle missing EKUs.
> I added default values and man page updates for the CA DB options. I chose /etc/sssd/sssd_auth_ca_db.pem as the default for the OpenSSL build.
OK, I verified that this works. The only question that popped into my mind was if it was cleaner to put the cert into a subdirectory of /etc/sssd instead of directly there (cf. /etc/openldap/certs). But I don’t have strong feelings either way; it would only be a good idea if we anticipate more files than a single one at some point in the future.
> I'd prefer not to use system-wide CA bundles like e.g. /etc/pki/tls/certs/ca-bundle.crt because if the certificate is mapped to the user not with the full certificate but only based on parts of the certificate content, validating the certificate with CA certificates trusted for authentication becomes important.
I’m sorry, but can you explain this in more detail to me? Why would dropping the CA certificate to the system CA cert store be harmful? Or is it to make sure that not another CA cert is picked, but really the one for SSSD? As you say below, we can use tools to make this work for the IPA case, but for the local users with a smart card case, we would need the admin to configure this manually. In RHEL-7, I would have argued that authconfig could help, but in modern Fedoras authselect won’t.
> For the IPA case we can discuss with IPA developers if the ipa-advice helper script for Smartcard authentication can create this file as a link to /var/lib/ipa-client/pki/ca-bundle.pem.
Is there a reason not to do this by default as part of ipa-client-install, since currently the certificate would only be used during cert auth? In general I prefer to have fewer manual steps to configure the client. """
See the full comment at https://github.com/SSSD/sssd/pull/570#issuecomment-393077194
sssd-devel@lists.fedorahosted.org
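The point sumit-bose makes about partial-content mapping, shown as an added example that is not part of the PR, of SSSD or of libcertmap: it builds two throw-away CAs with openssl(1), issues a certificate with the identical subject DN from each, and emulates a certmap-style rule that maps on the subject alone with a grep stand-in (hypothetical; it is not libcertmap's matcher). Both certificates match the rule; only chain validation restricted to the CA file an admin would install as the authentication CA DB tells them apart, while a bundle that also carries the other CA accepts both. It assumes openssl is on PATH; all names and paths are made up.

```shell
#!/bin/sh
# Added example, not code from the SSSD PR. Two constructed CAs, two leaf
# certificates with the same subject DN, one subject-only mapping rule.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# mk_ca NAME: self-signed CA certificate and key in $WORK/NAME.pem / NAME.key
mk_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/O=Example/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# mk_leaf CA OUT SUBJECT: certificate for SUBJECT issued by CA -> $WORK/OUT.pem
mk_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "$3" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.pem" >/dev/null 2>&1
}

# subject_rfc2253 CERT: subject DN in LDAP order, e.g. "CN=alice,O=Example"
subject_rfc2253() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//'
}

# rule_matches CERT: hypothetical stand-in for a certmap-style rule that maps
# every certificate whose subject starts with CN=alice to the user "alice".
# It deliberately looks at nothing but the subject, i.e. no issuer, no chain.
rule_matches() {
    subject_rfc2253 "$1" | grep -Eq '^CN=alice(,|$)'
}

# chain_ok CAFILE CERT: 0 if CERT chains to a CA in CAFILE, non-zero otherwise
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed scenario:
#   authca  - the CA an admin would install as the authentication CA DB
#   rogueca - an unrelated CA that happens to sit in a system-wide bundle
mk_ca authca
mk_ca rogueca
mk_leaf authca  alice-authca "/O=Example/CN=alice"
mk_leaf rogueca alice-rogue  "/O=Example/CN=alice"   # same subject, other issuer
cat "$WORK/authca.pem" "$WORK/rogueca.pem" > "$WORK/system-bundle.pem"

# report CAFILE CERT: one line with the mapping result and the chain result
report() {
    if chain_ok "$1" "$2"; then r=accepted; else r=rejected; fi
    printf '%-18s via %-18s mapping=%-7s chain=%s\n' \
        "$(basename "$2")" "$(basename "$1")" \
        "$(rule_matches "$2" && echo match || echo nomatch)" "$r"
}
report "$WORK/authca.pem"        "$WORK/alice-authca.pem"
report "$WORK/authca.pem"        "$WORK/alice-rogue.pem"
report "$WORK/system-bundle.pem" "$WORK/alice-rogue.pem"
```

The middle line is the one that matters: the rogue-issued certificate maps to alice just like the genuine one, and the only thing rejecting it is the verify step against the authentication-only CA file. The last line shows what a broad bundle does instead.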