On Tue, Mar 03, 2020 at 04:38:16PM -0000, Hristina Marosevic wrote:
Hello,
Thank you for the information. I can use these options (OCSP URL, trust cert location) once I make SSSD derive public keys from the user certificate, which is a problem that I cannot solve so far. The default mapping of the user certificate is from the userCertificate;binary LDAP attribute to the SSSD option ldap_user_certificate, but when I have only the certificate in the LDAP entry (and not the public key, also - as a value of another attribute of the entry - later configured in sssd), the key is not derived. Another combination that I have tried is storing the user certificate in the userCertificate;binary attribute and storing the exported public key as a value of another LDAP attribute, but it didn't prove to be a solution - this is because I experimented with cases with a different public key and user certificate for one user and the user was accepted without a problem - which means that SSSD did not validate the public key against the user certificate provided by LDAP.
Can you please give me instructions on how to configure SSSD to derive the public key from a user certificate (I would like to store only the user certificate in LDAP, not the user certificate and the exported public key - if possible)?
Hi,
just using the certificate is the expected way how to do it.
In which LDAP attribute is your certificate stored and in which format? Can you send an example of an LDAP user object with all attributes? The attribute value can be sanitized if needed but it would be helpful to see the real attribute names.
Can you send your current sssd.conf as well since this would help to see what might be missing.
bye, Sumit
BR, Hristina