Hi all,
Is it possible to have an AD + Smart Card setup without having the user certificate in AD? Meaning, have sssd take the certificate straight from the smart card.
If not, is it possible with sss_override to insert the certificate to the sssd cache right before each login?
Thanks, Assaf.
On Sun, Jul 18, 2021 at 1:26 PM Assaf Morami assaf.morami@gmail.com wrote:
Is it possible to have an AD + Smart Card setup without having the user certificate in AD? Meaning, have sssd take the certificate straight from the smart card.
Starting with sssd 2.1.0, sssd can map smart card certificates to AD users by using the certmap; see sss-certmap(5).
For sssd 1.x and 2.0.x, sssd performs user matching by searching AD for a user object whose userCertificate parameter matches the certificate on the smart card. Which means you have to pre-load smartcard certificates into AD for Linux sssd smartcard authentication to work.
If not, is it possible with sss_override to insert the certificate to the sssd cache right before each login?
That's not going to help—sssd already has the certificate; it reads it from the smart card. The issue is that sssd needs to be able to identify the correct AD user object that corresponds to the certificate on the smart card.
Hi James, thanks for the swift response.
Is it possible to turn off certificate matching against AD, and just use the username while taking the certificate directly from the smart card?
On my setup it's not feasible to attach certificates to user on AD, that's why I'm looking for a workaround.
Thanks, Assaf.
On Mon, Jul 26, 2021 at 10:43 AM Assaf Morami assaf.morami@gmail.com wrote:
Hi James, thanks for the swift response.
Is it possible to turn off certificate matching against AD, and just use the username while taking the certificate directly from the smart card?
But matching by username is still matching. You need to match based on something in the cert, otherwise everybody will be able to present any smart card, right?
Is this username embedded into the certificate? In the subject maybe?
On my setup it's not feasible to attach certificates to user on AD, that's why I'm looking for a workaround.
Thanks, Assaf.
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Yeah, the username is in the SAN field inside the UPN.
On Tue, Jul 27, 2021 at 7:02 AM Assaf Morami assaf.morami@gmail.com wrote:
Yeah, the username is in the SAN field inside the UPN.
So you could match and map by SAN field?
On Mon, Jul 26, 2021 at 5:05 AM Assaf Morami assaf.morami@gmail.com wrote:
Is it possible to turn off certificate matching against AD, and just use the username while taking the certificate directly from the smart card?
For sssd 2.1.0 and later, you should be able to use sss-certmap(5) to accomplish this, yes.
But for sssd before 2.1.0, the *only* mechanism sssd has to map smartcard certificates to user AD objects is userCertificate searching.
On my setup it's not feasible to attach certificates to user on AD, that's why I'm looking for a workaround.
If you cannot put certificates into the userCertificate field in AD, the only work-around is to upgrade to sssd 2.1.0 or later.
(We briefly considered doing that on RHEL7, but quickly abandoned it due to the effort involved.)
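Putting the two answers above together (the sss-certmap(5) pointer for sssd 2.1.0+ and the SAN/UPN exchange), this is what a rule that maps the smart card certificate to the AD user by the UPN in its SAN, instead of by a userCertificate search, looks like in sssd.conf. It is an added example, not configuration posted in the thread; the domain example.com, the rule name "upn", and the EKU requirement are assumptions.

```ini
# Added example, not from the thread. Assumes AD domain example.com,
# an arbitrary rule name "upn", and sssd >= 2.1.0 (or a build that
# carries the sss-certmap backport mentioned later in the thread).
[sssd]
domains = example.com
services = nss, pam

[pam]
# Enable smart card authentication in the PAM responder.
pam_cert_auth = True

[domain/example.com]
id_provider = ad
access_provider = ad

# Certificate mapping rules live in [certmap/DOMAIN/RULE_NAME] sections
# and apply to the matching [domain/...] section. The rule below replaces
# the default maprule LDAP:(userCertificate;binary={cert!bin}), so the
# certificate no longer has to be stored on the AD user object.
[certmap/example.com/upn]
# Match only certificates issued for client authentication whose SAN
# carries an AD UPN otherName (OID 1.3.6.1.4.1.311.20.2.3) in our realm.
# Multiple <...> components in one matchrule are ANDed.
matchrule = <EKU>clientAuth<SAN:ntPrincipalName>.*@example\.com$
# Look the user up by that UPN. If UPN suffixes in AD differ from the
# DNS domain, map on userPrincipalName as here rather than on
# sAMAccountName={subject_nt_principal.short_name}.
maprule = LDAP:(userPrincipalName={subject_nt_principal})
priority = 10
```

This only decides which AD object a certificate belongs to; it does not by itself decide whether the certificate is trustworthy. The point James makes above still holds: the CA chain that sssd trusts for smart card logins (pam_cert_db_path in the [pam] section, a PEM bundle under /etc/sssd/pki/ on OpenSSL builds) must contain only the CAs that issue your cards, otherwise anyone who can obtain a certificate with a chosen UPN from a trusted CA can log in as that user. Test the rule against a real card certificate with `sssctl cert-map` before relying on it.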
On Tue, Jul 27, 2021 at 5:49 PM James Ralston ralston@pobox.com wrote:
If you cannot put certificates into the userCertificate field in AD, the only work-around is to upgrade to sssd 2.1.0 or later.
(We briefly considered doing that on RHEL7, but quickly abandoned it due to the effort involved.)
`sss-certmap` was backported to the 1-16 upstream branch via https://github.com/SSSD/sssd/pull/5176 and later backported to RHEL7 starting with sssd-1.16.5-10.el7_9.7 (https://bugzilla.redhat.com/show_bug.cgi?id=1736845).