Hello all,

I would like to discuss the scope needed for ticket 4905 [1]. This is mostly a question for Sumit, as he is working on the SSSD SC support. The main minimal target is to allow SSSD to get a ticket for a user once he authenticates with his SC with certificates tracked in FreeIPA, as agreed in [2].

Sumit, Simo or others, what changes are required in order to do this? In [1], I so far identified:

* Support of Smart Cards in SSSD (upstream ticket)
* API/CLI for configuring the trusted CA certificate in KDC (related - #616)

as the base. What else is needed? Any krb5.conf changes on the server/clients? Or even generating the certs/keys as mentioned in [3]?

In the current code base, we still have the disabled pkinit plugin [4], but I assume this is not what we want.

Thanks for help and advice. Based on what is found out in this thread, we will see what's realistic for FreeIPA 4.2 or FreeIPA 4.2.x.

[1] https://fedorahosted.org/freeipa/ticket/4905
[2] http://www.freeipa.org/page/V4/User_Certificates
[3] https://fedorahosted.org/freeipa/ticket/55#comment:3
[4] https://git.fedorahosted.org/cgit/freeipa.git/tree/ipalib/plugins/pkinit.py

--
Martin Kosek <mko...@redhat.com>
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.
