On Mon, Sep 21, 2015 at 09:39:18PM +0200, Jakub Hrozek wrote:
> On Mon, Sep 21, 2015 at 07:32:47PM +0200, Michael Ströder wrote:
> > HI!
> >
> > What's the option ldap_user_certificate used for in IPA?
> > Is it used for a separate map?
> > Or is it used e.g. for emulation of signed SSH authorized keys?
> >
> > Ciao, Michael.
> >
> (Maybe Sumit or Pavel will correct me later, they implemented most of
> the code in this area..)
> As you noted, the NSS interface doesn't allow the certificate to be matched
> (there's no getpwcert) or even returned (there's no cert field in struct
> passwd). But SSSD has also a rich D-Bus interface. In our use-cases it's
> mostly used to match a user entry based on certificate during a
> smart-card login.
> There are some examples here that maybe illustrate the flow better:
> http://www.freeipa.org/page/V4/User_Certificates#How_to_Test
Yes, this entry is used to support various certificate-based
authentications. Currently there is the D-Bus lookup to find a matching
user for applications which do the certificate-based authentication on their
own, like e.g. Apache. In addition to the page above there is
https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate
with more D-Bus details.
Recently initial support for native Smartcard authentication was added
and a public ssh key can be derived from the certificate as well to
support Smartcard authentication via ssh with suitable clients. More
details can be found at
https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardAuthenticationStep...
HTH
bye,
Sumit
> What is your use-case?
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users