On Tue, Mar 03, 2020 at 04:38:16PM -0000, Hristina Marosevic wrote:
Hello,
Thank you for the information. I can use these options (OCSP URL, trust cert location) once I
make SSSD derive public keys from the user certificate, which is a problem that I cannot
solve so far.
The default mapping of the user certificate is from userCertificate;binary LDAP attribute
to SSSD option ldap_user_certificate, but when I have only the certificate in the LDAP
entry (and not the public key, also - as a value of another attribute of the entry - later
configured in sssd), the key is not derived. Another combination that I have tried is
storing the user certificate in the userCertificate;binary attribute and storing the
exported public key as a value of another LDAP attribute but it didn't prove to be a
solution - this is like that because I experimented with cases with a different public key and
user certificate for one user and the user was accepted without problem - which means that
SSSD did not validate the public key against the user certificate provided by LDAP.
Can you please give me instructions on how to configure SSSD to derive the public key
from a user certificate (I would like to store only the user certificate in LDAP, not the
user certificate and the exported public key - if possible)?

Hi,
just using the certificate is the expected way how to do it.
In which LDAP attribute is your certificate stored and in which format?
Can you send an example of an LDAP user object with all attributes? The
attribute value can be sanitized if needed but it would be helpful to
see the real attribute names.
Can you send your current sssd.conf as well since this would help to see
what might be missing.
bye,
Sumit
BR,
Hristina