With the recent addition of PKINIT support, there is now a second method
available for Smartcard authentication besides local authentication.
I was about to add some sssd.conf option which can control the fallback
to local authentication if PKINIT fails. Currently there is only a
fallback to local authentication if the backend is offline or if PKINIT
is not available because either the client or the server side do not
It came to my mind that it might be more flexible to add the fallback
scheme to the certificate matching rules discussed earlier on this list.
With this it would be possible e.g. to require PKINIT for a set of
certificates and allow local authentication to a different set.
Do you think this would make sense, or is an option in sssd.conf which
covers all certificates sufficient?