On Mon, Sep 21, 2015 at 07:32:47PM +0200, Michael Ströder wrote:
> Hi!
> What's the option ldap_user_certificate used for in IPA?
> Is it used for a separate map?
> Or is it used e.g. for emulation of signed SSH authorized keys?
> Ciao, Michael.
(Maybe Sumit or Pavel will correct me later, they implemented most of
the code in this area..)
As you noted, the NSS interface doesn't allow the certificate to be matched
(there's no getpwcert) or even returned (there's no cert field in struct
passwd). But SSSD also has a rich D-Bus interface. In our use-cases it's
mostly used to match a user entry based on certificate during a
smart-card login.
There are some examples here that maybe illustrate the flow better:
http://www.freeipa.org/page/V4/User_Certificates#How_to_Test
What is your use-case?