On Mon, 01 Aug 2016, Rob Crittenden wrote:
Tibor Dudlak wrote:

I have added a few lines to the code to make optional login with a personal
certificate (or with a smartcard) possible. Some UI changes have to be
made. It is not kosher but it definitely works.

Thank you, Tibor

What about the Apache changes to require a certificate in /ipa/session/login_x509?

Does/will this only support a specially crafted certificate subject?

How/where does the UI get a Kerberos ticket for the user?

That's indeed a problem -- even with the PKINIT support in KDC that Simo
is polishing up now, we don't have a way to obtain a ticket on behalf of
the user because Apache would terminate the SSL negotiation and we
wouldn't be able to use the user's certificate to do PKINIT negotiation to
obtain a ticket as a user and then continue running on its behalf.
Neither would we get any Kerberos ticket from the client side.
/ Alexander Bokovoy
