FreeIPA ticket https://fedorahosted.org/freeipa/ticket/4238 asks for the ability to map CAC identity certificates to users in IdM. When this is implemented, we will need a way to make a lookup using sssd based on the certificate or certificate attribute(s).
One use case is: Apache is configured to do SSL client authentication based on mod_ssl (or mod_nss). When the authentication passes, SSL_ variables are set, including SSL_CLIENT_S_DN, SSL_CLIENT_S_DN_, or SSL_CLIENT_CERT. If the information about the certificate or the whole PEM-encoded certificate is stored in the IdM database, it should be possible to amend, for example, mod_lookup_identity to query sssd and look up the username based on SSL_CLIENT_CERT. We are looking for something like org.freedesktop.sssd.infopipe.LookupUserUsingCert but the name of the method (or how exactly this should be exposed) is to be determined.
Fields changed
milestone: NEEDS_TRIAGE => SSSD 1.13 beta
owner: somebody => sbose
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1202724
rhbz: => 1202724 (https://bugzilla.redhat.com/show_bug.cgi?id=1202724)
The scope of the underlying work is bigger here. One should be able to authenticate with a cert on a smart card against IPA or AD in the first place. Then also see: https://fedorahosted.org/freeipa/ticket/4955.
Replying to dpal (comment 3):
Yes, I think that's why Sumit kindly volunteered to own this ticket.
Yes, but please note that for the use case mentioned above the authentication happens outside of SSSD and only the lookup has to be implemented in SSSD.
The general case for SSSD including authentication is covered in #546. But since the user lookup by certificate is needed for #546 too, this ticket here is a good way to split the tasks.
patch: 0 => 1
I'm sorry, I forgot to mark this ticket as closed. The related patches were:
milestone: SSSD 1.13 beta => SSSD 1.13 alpha
resolution: => fixed
sensitive: => 0
status: new => closed
The final solution uses org.freedesktop.sssd.infopipe.Users.FindByCertificate: https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate
design: => https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate
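The lookup discussed in this ticket, as an added sketch that is not code from SSSD, mod_lookup_identity or any commenter: it checks that SSL_CLIENT_CERT holds exactly one well-formed PEM certificate and passes it to the Users.FindByCertificate method named above. The bus name, object path, the Users.User interface and its name property are assumptions about the InfoPipe API that this page does not state, and dbus-python is assumed to be installed.

```python
import base64
import re

IFP_BUS = "org.freedesktop.sssd.infopipe"                # assumption: bus name
USERS_PATH = "/org/freedesktop/sssd/infopipe/Users"      # assumption: object path
USERS_IFACE = "org.freedesktop.sssd.infopipe.Users"      # interface of FindByCertificate
USER_IFACE = "org.freedesktop.sssd.infopipe.Users.User"  # assumption: user interface
_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def normalize_client_cert(ssl_client_cert):
    """Return one canonical PEM certificate, or raise ValueError."""
    blocks = _PEM_RE.findall(ssl_client_cert or "")
    if len(blocks) != 1:  # empty input or a certificate chain is refused
        raise ValueError("expected exactly one PEM certificate")
    body = "".join(blocks[0].split())
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("certificate body is not valid base64") from exc
    if len(der) < 4 or der[0] != 0x30:  # X.509 DER starts with a SEQUENCE
        raise ValueError("decoded data is not a DER SEQUENCE")
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines,
                      "-----END CERTIFICATE-----"]) + "\n"


def _ifp_find_by_certificate(pem):
    """Ask SSSD's InfoPipe for the user name mapped to this certificate."""
    import dbus  # imported lazily so the validation runs without dbus-python
    bus = dbus.SystemBus()
    users = dbus.Interface(bus.get_object(IFP_BUS, USERS_PATH), USERS_IFACE)
    user_path = users.FindByCertificate(pem)
    props = dbus.Interface(bus.get_object(IFP_BUS, user_path),
                           "org.freedesktop.DBus.Properties")
    return str(props.Get(USER_IFACE, "name"))


def username_for_request(environ, find=_ifp_find_by_certificate):
    """Map the mod_ssl SSL_CLIENT_CERT variable to a user name via SSSD."""
    return find(normalize_client_cert(environ.get("SSL_CLIENT_CERT")))
```

The `find` parameter exists so the validation path can be exercised without a running SSSD; in a real handler the default D-Bus call is used and a D-Bus error from it should be treated as "no such user".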
Metadata Update from @adelton:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.13 alpha
SSSD is moving from Pagure to GitHub. This means that new issues and pull requests will be accepted only in SSSD's GitHub repository.
This issue has been cloned to GitHub and is available here:
- https://github.com/SSSD/sssd/issues/3637
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the subscribe button.
Thank you for understanding. We apologize for all inconvenience.