URL:
https://github.com/SSSD/sssd/pull/570
Title: #570: p11_child: add OpenSSL support
sumit-bose commented:
"""
Hi @jhrozek, thank you for the review.
I added 'certmap: allow missing empty EKU in OpenSSL version' to fix the missing
EKU issues. The patch also contains a new test certificate without EKU to make sure
libcertmap can handle missing EKUs.
I added default values and man page updates for the CA DB options. I chose
/etc/sssd/sssd_auth_ca_db.pem as the default for the OpenSSL build. I'd prefer not to
use system-wide CA bundles like e.g. /etc/pki/tls/certs/ca-bundle.crt because, if the
certificate is mapped to the user not with the full certificate but only based on parts of
the certificate content, validating the certificate with CA certificates trusted for
authentication becomes important.
For the IPA case we can discuss with IPA developers if the ipa-advice helper script for
Smartcard authentication can create this file as a link to
/var/lib/ipa-client/pki/ca-bundle.pem.
"""
See the full comment at
https://github.com/SSSD/sssd/pull/570#issuecomment-392500377
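An added example, not code from this pull request or from SSSD, that illustrates the point in the comment about mapping on parts of the certificate: two certificates with the same subject CN issued by unrelated CAs both satisfy a CN-only mapping rule, and only chain validation against the dedicated authentication CA db tells them apart. It uses the openssl CLI; the CA names, the user name "alice", the file names and the helper function names are constructed for the demo, and a temporary file stands in for /etc/sssd/sssd_auth_ca_db.pem.

```shell
# Added example, not part of the sssd PR: why a dedicated authentication CA db matters
# when the user mapping rule only looks at part of the certificate content.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed helper: self-signed CA named $1 (key and cert are written to $WORK).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Constructed helper: user certificate with CN=$2 issued by CA $1, saved as $3.pem.
make_user_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$WORK/$3.key" -out "$WORK/$3.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$3.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 2 -sha256 -out "$WORK/$3.pem" 2>/dev/null
}

# A mapping rule that matches only on the subject CN ("parts of the certificate content").
cn_of() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Chain validation against a CA db file; $2 plays the role of /etc/sssd/sssd_auth_ca_db.pem.
chains_to_auth_db() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Build the scenario: the authentication CA and an unrelated CA both issue "alice".
setup_scenario() {
  make_ca auth-ca
  make_ca other-ca
  make_user_cert auth-ca alice good
  make_user_cert other-ca alice lookalike
}

setup_scenario
AUTH_DB="$WORK/auth-ca.pem"
# Both certificates satisfy the CN-only mapping rule ...
echo "good:      $(cn_of "$WORK/good.pem")"
echo "lookalike: $(cn_of "$WORK/lookalike.pem")"
# ... but only the one issued by the authentication CA passes validation.
for c in good lookalike; do
  if chains_to_auth_db "$WORK/$c.pem" "$AUTH_DB"; then echo "$c: accepted"; else echo "$c: rejected"; fi
done
```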