Hi, please find more information regarding smart card mapping in the man page for sss-certmap(5) and in the chapter *Certificate Mapping Rules for Configuring Authentication on Smart Cards* [1] of the *Linux Domain Identity, Authentication, and Policy Guide*. IdM allows you to configure rules that describe how to associate a certificate with a user. The rule extracts information from the certificate and builds an LDAP search filter that should return a matching entry.
HTH, flo

[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/configuring-certificate-mapping-rules-in-identity-management

On Tue, Jul 13, 2021 at 8:14 AM Angelo Alvarez via FreeIPA-users <[email protected]> wrote:
> Aloha. I've configured our IdM server as an OpenLDAP identity provider for our VMware vCenter 6.7 server. I'm able to log in to our vCenter as the IdM user with username and password, but I'm unable to authenticate using smart card authentication. My IdM domain is "xxxx.xxxx.mil", but my smart card is issued by the DoD, and the Subject Alternative Name (SAN) on my identity certificate shows e.g. "Principal Name=1234567897000@mil".
>
> When we used Active Directory authentication with vCenter, the user account properties for UPN needed to match the SAN value (e.g. 1234567897000@mil) from the user's identity certificate. That said, if our domain name is "xxxx.xxxx.mil", is it possible to have an IdM user account with username "first.last.usr" and an SSL certificate mapping that uses all or a portion of the SAN value (e.g. "Principal Name=123456789700@mil") for smart card authentication?
>
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
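The two halves of the mechanism flo points at in sss-certmap(5), a matching rule that decides whether a rule applies to a certificate and a mapping rule that turns certificate data into an LDAP search filter, modelled in Python for the case in the question: a SAN carrying a Microsoft UPN (otherName OID 1.3.6.1.4.1.311.20.2.3, the "Principal Name" a CAC shows) that does not resemble the IdM uid. This is an added example, not code from the thread, from SSSD or from IdM; the DER parser is a minimal one written for the demo, the SAN blob and e-mail address are constructed, and the regex and escaping semantics are a model of what a mapping layer must do, not a claim about how SSSD implements them internally. The `ipa certmaprule-add` / `ipa user-add-certmapdata` invocations in the docstring show the rule the model mirrors; the option names are as documented, but the rule itself is an assumption I have not run against an IdM server.

```python
"""Added example (not from the mailing-list thread, SSSD or IdM).

Models an sss-certmap(5) rule for a smart card whose SAN carries an MS UPN:
  1. the matching rule  '<SAN:Principal>regex'   selects the certificate;
  2. the mapping rule   '(attr={subject_nt_principal})' yields an LDAP filter.

The IdM rule this mirrors would look roughly like this (assumed, untested):
  ipa certmaprule-add dod_cac_upn \
      --matchrule '<SAN:Principal>.*@mil$' \
      --maprule '(ipacertmapdata=X509:<SAN:Principal>{subject_nt_principal})'
  ipa user-add-certmapdata first.last.usr \
      --certmapdata 'X509:<SAN:Principal>1234567897000@mil'
"""
import re

UPN_OID = "1.3.6.1.4.1.311.20.2.3"   # szOID_NT_PRINCIPAL_NAME (MS UPN otherName)


# ---- minimal DER helpers (enough for a GeneralNames SEQUENCE) -------------
def _der(tag, body):
    """Encode one TLV with a single-byte tag and definite length."""
    n = len(body)
    if n < 0x80:
        ln = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        ln = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + ln + body


def _oid(dotted):
    """Encode a dotted OID (first arc 0..2, as here) in base-128 form."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def _decode_oid(b):
    arcs = [b[0] // 40, b[0] % 40]   # fine for arcs 0/1/2 with second arc < 40
    v = 0
    for c in b[1:]:
        v = (v << 7) | (c & 0x7F)
        if not c & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))


def _tlv_iter(buf):
    """Yield (tag, value) for each definite-length TLV in buf."""
    i = 0
    while i < len(buf):
        tag, ln = buf[i], buf[i + 1]
        i += 2
        if ln & 0x80:
            k = ln & 0x7F
            ln = int.from_bytes(buf[i:i + k], "big")
            i += k
        yield tag, buf[i:i + ln]
        i += ln


def build_san(upn, email):
    """Constructed GeneralNames: otherName(UPN) [0] + rfc822Name [1]."""
    other = _der(0xA0, _der(0x06, _oid(UPN_OID)) + _der(0xA0, _der(0x0C, upn.encode())))
    return _der(0x30, other + _der(0x81, email.encode("ascii")))


# ---- step 1: pull the UPN out of the SAN -----------------------------------
def san_upn(san_der):
    """Return the UPN from a GeneralNames blob, or None if there is none."""
    for tag, body in _tlv_iter(san_der):
        if tag != 0x30:
            continue
        for gtag, gbody in _tlv_iter(body):
            if gtag != 0xA0:                    # only otherName [0] carries a UPN
                continue
            parts = list(_tlv_iter(gbody))
            if len(parts) != 2 or parts[0][0] != 0x06 or parts[1][0] != 0xA0:
                continue
            if _decode_oid(parts[0][1]) != UPN_OID:
                continue
            (_, value), = _tlv_iter(parts[1][1])   # [0] EXPLICIT UTF8String
            return value.decode("utf-8")
    return None


# ---- step 2: matching rule, then mapping rule -> LDAP filter ----------------
def matches(match_rule, upn):
    """Evaluate a '<SAN:Principal>regex' matching rule (regex search semantics)."""
    m = re.fullmatch(r"<SAN:Principal>(.*)", match_rule)
    if not m:
        raise ValueError("only <SAN:Principal> rules are modelled here")
    return upn is not None and re.search(m.group(1), upn) is not None


def ldap_escape(s):
    """RFC 4515 escaping, so certificate-controlled text cannot reshape the filter."""
    out = ""
    for b in s.encode("utf-8"):
        out += "\\%02x" % b if (b in b"*()\\\x00" or b >= 0x80) else chr(b)
    return out


def render(map_rule, upn):
    """Expand the {subject_nt_principal[.short_name]} templates of a maprule."""
    short = upn.split("@", 1)[0]
    return (map_rule.replace("{subject_nt_principal.short_name}", ldap_escape(short))
                    .replace("{subject_nt_principal}", ldap_escape(upn)))


def cert_to_filter(san_der, match_rule, map_rule):
    """Full flow: no match -> None, otherwise the filter to search with."""
    upn = san_upn(san_der)
    return render(map_rule, upn) if matches(match_rule, upn) else None


MATCH = "<SAN:Principal>.*@mil$"
MAP = "(ipacertmapdata=X509:<SAN:Principal>{subject_nt_principal})"
SAMPLE = build_san("1234567897000@mil", "first.last@example.mil")   # constructed

if __name__ == "__main__":
    print(cert_to_filter(SAMPLE, MATCH, MAP))
```

Two things worth checking when writing such a rule for real: a mapping like `(uid={subject_nt_principal.short_name})` would not help the questioner, because the uid is `first.last.usr` while the UPN's short name is a ten-digit number, which is why the rule above searches a separate per-user attribute populated with the expected value; and the filter is only as safe as the escaping applied to what comes out of the certificate, so a rule should be paired with an issuer-based matching rule (`<ISSUER>...`) restricting it to CAs you trust, and the resulting search should be expected to return exactly one entry.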
