On Wed, Feb 26, 2020, at 4:38 AM, Hristina Marosevic wrote:
I am using SSSD with LDAP directory which provides public keys for each
user entry to SSSD.
I am not sure if it is possible to configure SSSD not just to accept
the private key (provided by the user during the login) and
authenticate the user from LDAP (where his public ke is stored), but
also to check the:
- trust (validation of the CA used for signing the user's certificate
i.e. public key)
- validity of a user certificate with its public key (its "from" -
- revocation status (configuration of SSSD with CRL lists or OCSP)
SSSD manages all of these. What it does not manage for SSH is whether the certificate from
LDAP actually matches the user, which allows users to grant SSH access "as
himself" to anyone else in the organization. (If, as in the case of AD, users can
modify their own userCertificate attribute.
or should I manage this on the LDAP side or on application level or
I would be grateful if you share your ideas about the possible
solutions of this situation!