On Mon, Jul 26, 2021 at 5:05 AM Assaf Morami <assaf.morami(a)gmail.com> wrote:
> Is it possible to turn off certificate matching against AD, and just
> use the username while taking the certificate directly from the
> smart card?

For sssd 2.1.0 and later, you should be able to use sss-certmap(5) to
accomplish this, yes.
But for sssd before 2.1.0, the *only* mechanism sssd has to map
smartcard certificates to user AD objects is userCertificate
searching.

> On my setup it's not feasible to attach certificates to user on AD,
> that's why I'm looking for a workaround.

If you cannot put certificates into the userCertificate field in AD,
the only work-around is to upgrade to sssd 2.1.0 or later.
(We briefly considered doing that on RHEL7, but quickly abandoned it
due to the effort involved.)
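
A sketch of the kind of sss-certmap(5) rule the reply points to for sssd 2.1.0 and later, added here as an illustration and not taken from the thread. The domain name `ad.example.test`, the rule name `smartcard` and the issuer DN are constructed placeholders, and the rule assumes the card certificate carries the user's principal in its subject alternative name.

```ini
# /etc/sssd/sssd.conf (fragment; all names and DNs below are constructed placeholders)

[certmap/ad.example.test/smartcard]
# Only consider certificates issued by the smart card CA and
# intended for client authentication.
matchrule = <ISSUER>^CN=Example Issuing CA,DC=example,DC=test$<EKU>clientAuth

# Map the certificate to the AD user by name, taken from the principal
# in the certificate's SAN, instead of searching userCertificate.
maprule = (samAccountName={subject_principal.short_name})
```

Because this rule does not compare the certificate with anything stored in AD, the issuer restriction in `matchrule` is what limits which certificates can map to an account.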