On Thu, 2016-10-13 at 18:52 +0200, Sumit Bose wrote:
> ==== Compatibility with Active Directory ====
> Active Directory uses a per-user LDAP attribute
> [https://msdn.microsoft.com/en-us/library/cc220106.aspx altSecurityIdentities]
> to allow arbitrary user-certificate mappings if there is no suitable
> user-principal-name entry in the SAN of the certificate.
>
> Unfortunately it is more or less undocumented how AD uses the values of
> this attribute. The best overview I found is in
> https://blogs.msdn.microsoft.com/spatdsg/2010/06/18/howto-map-a-user-to-a-certificate-via-all-the-methods-available-in-the-altsecurityidentities-attribute/.
A few more pointers Sumit:

- This describes what is allowed for users:
  https://msdn.microsoft.com/en-us/library/ms677943%28v=vs.85%29.aspx
- This describes a use for devices:
  https://msdn.microsoft.com/en-us/library/dn408946.aspx
- Additional description specific for PKINIT:
  https://msdn.microsoft.com/en-us/library/hh536384.aspx
- This is a good detailed overview of the Smart Card logon workflow in
  Windows; it describes Vista but I do not think it changed in fundamental
  ways in following releases:
  https://msdn.microsoft.com/en-us/library/bb905527.aspx

NOTE: Please look at the small paragraph named "Smart card logon across
forests"; we definitely want to think about this problem as well from the
get-go and not try to retrofit something later on.

HTH,
Simo.

--
Simo Sorce * Red Hat, Inc * New York
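The two-step lookup the quoted design text describes (user-principal-name in the certificate SAN first, per-user altSecurityIdentities values otherwise), as an added example that is not code from this thread, from FreeIPA or from Microsoft. It assumes the value syntaxes Microsoft documents for the attribute ("X509:<I>..<S>..", "X509:<I>..<SR>..", "X509:<S>..", "X509:<SKI>..", "X509:<SHA1-PUKEY>..", "X509:<RFC822>..", "Kerberos:.."), simplifies AD's DN comparison to a case-insensitive string compare, and uses a constructed in-memory directory and certificates; the strong/weak split follows Microsoft's later classification of mapping types (KB5014754), not anything on this page.

```python
"""Added example: resolve a certificate to one AD-style user account.

Assumptions (not from the page): altSecurityIdentities tag syntax as in the
Microsoft docs; case-insensitive string compare instead of AD's exact DN
handling; directory and certificates are constructed sample data.
"""
import re
from typing import Dict, List, Optional, Tuple

# Tags Microsoft documents inside an "X509:" value; anything else is rejected.
_TAG_RE = re.compile(r"<(I|S|SR|SKI|SHA1-PUKEY|RFC822)>([^<]+)")

# Mapping types bound to the key or to issuer+serial.  The other types bind
# only to names that any CA trusted by the forest could place in a cert
# (assumption: this mirrors Microsoft's later strong/weak classification).
_STRONG = (frozenset({"I", "SR"}), frozenset({"SKI"}), frozenset({"SHA1-PUKEY"}))


def parse_alt_sec_id(value: str) -> Optional[Dict[str, str]]:
    """Parse one altSecurityIdentities value into match criteria.

    Returns None for anything not understood, so a malformed or truncated
    entry can never match a certificate by accident.
    """
    if value.startswith("Kerberos:"):
        principal = value[len("Kerberos:"):]
        return {"kind": "kerberos", "principal": principal} if principal else None
    if not value.startswith("X509:"):
        return None
    body, fields, pos = value[len("X509:"):], {}, 0
    for m in _TAG_RE.finditer(body):
        if m.start() != pos:            # stray text between or before tags
            return None
        fields[m.group(1)] = m.group(2)
        pos = m.end()
    if pos != len(body) or not fields:
        return None
    return {"kind": "x509", **fields}


def is_strong(criteria: Dict[str, str]) -> bool:
    """True if the mapping binds to the key or issuer+serial, not just names."""
    tags = frozenset(k for k in criteria if k != "kind")
    return criteria["kind"] == "x509" and tags in _STRONG


def _matches(criteria: Dict[str, str], cert: Dict[str, str]) -> bool:
    """Compare criteria against a certificate given as a flat dict of fields."""
    if criteria["kind"] == "kerberos":
        return cert.get("upn", "").lower() == criteria["principal"].lower()
    cert_field = {"I": "issuer", "S": "subject", "SR": "serial",
                  "SKI": "ski", "SHA1-PUKEY": "sha1_pubkey", "RFC822": "rfc822"}
    for tag, wanted in criteria.items():
        if tag == "kind":
            continue
        have = cert.get(cert_field[tag])
        if have is None or have.lower() != wanted.lower():
            return False
    return True


def resolve_user(cert: Dict[str, str],
                 directory: Dict[str, Dict[str, object]]) -> Tuple[Optional[str], str]:
    """Map a certificate to exactly one user: SAN UPN first, then mappings.

    Returns (user, how) where 'how' is "upn", the mapping value that matched,
    "ambiguous" or "none".  More than one candidate user is a failure rather
    than "first one wins": two accounts claiming one certificate is exactly
    the situation a logon path must refuse.
    """
    upn = cert.get("upn")
    if upn:
        for user, attrs in directory.items():
            if str(attrs.get("userPrincipalName", "")).lower() == upn.lower():
                return user, "upn"
    hits: List[Tuple[str, str]] = []
    for user, attrs in directory.items():
        for raw in attrs.get("altSecurityIdentities", []):
            crit = parse_alt_sec_id(raw)
            if crit and _matches(crit, cert):
                hits.append((user, raw))
                break                   # one hit per user is enough
    if len(hits) == 1:
        return hits[0]
    return None, "ambiguous" if hits else "none"


# Constructed sample directory and certificates (not real data).
DIRECTORY = {
    "alice": {"userPrincipalName": "alice@example.test",
              "altSecurityIdentities": ["X509:<I>DC=test,DC=example,CN=Example CA<SR>0a1b2c"]},
    "bob": {"userPrincipalName": "bob@example.test",
            "altSecurityIdentities": ["X509:<RFC822>bob@example.test",
                                      "X509:<S>DC=test,DC=example,CN=Bob"]},
    "carol": {"altSecurityIdentities": ["X509:<RFC822>bob@example.test"]},
}
CERT_SAN_UPN = {"upn": "alice@example.test", "subject": "DC=test,DC=example,CN=Alice"}
CERT_SERIAL = {"issuer": "DC=test,DC=example,CN=Example CA", "serial": "0A1B2C",
               "subject": "DC=test,DC=example,CN=Alice"}
CERT_EMAIL = {"issuer": "DC=test,DC=example,CN=Other CA", "rfc822": "bob@example.test",
              "subject": "DC=test,DC=example,CN=Someone"}

if __name__ == "__main__":
    for name, cert in (("san-upn", CERT_SAN_UPN), ("serial", CERT_SERIAL), ("email", CERT_EMAIL)):
        print(name, resolve_user(cert, DIRECTORY))
```

The third sample is the case worth noticing: an RFC822 mapping on two accounts makes the certificate ambiguous, and the resolver refuses rather than picking one, while is_strong() lets a caller log or reject name-only mappings before they are ever used for a logon decision.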