On Tue, 13 Jul 2021, Florence Renaud via FreeIPA-users wrote:
Hi,

please find more information regarding smart card mapping in the man page
for sss-certmap(5) and in the chapter *Certificate Mapping Rules for
Configuring Authentication on Smart Cards* [1] of *Linux Domain Identity,
Authentication, and Policy Guide*.
IdM allows you to configure rules that describe how to associate a
certificate with a user. The rule extracts information from the
certificate, and builds an LDAP search filter that should return a matching
entry.

See also https://github.com/fftux/idm-smartcard-playbooks for some
Ansible playbooks that automate the setup for DoD-like environments.


HTH,
flo

[1]
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/configuring-certificate-mapping-rules-in-identity-management

On Tue, Jul 13, 2021 at 8:14 AM Angelo Alvarez via FreeIPA-users <
[email protected]> wrote:

Aloha.  I've configured our IdM server as an OpenLDAP identity provider
for our VMware vCenter 6.7 server.  I'm able to log in to our vCenter as the
IdM user with username and password, but I'm unable to authenticate using
smart card authentication.  My IdM domain is "xxxx.xxxx.mil", but my
smart card is issued by the DoD, and the Subject Alternative Name (SAN) on
my identity certificate shows, e.g., "Principal Name=1234567897000@mil".
When we used Active Directory authentication with vCenter, the user account
properties for UPN needed to match the SAN value (e.g. 1234567897000@mil)
from the user's identity certificate.  That said, if our domain name is
"xxxx.xxxx.mil", is it possible to have an IdM user account with username
"first.last.usr" and an SSL certificate mapping that uses all or a portion
of the SAN value (e.g. "Principal Name=123456789700@mil") for smart card
authentication?
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
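A worked illustration of what Florence describes (rule extracts certificate fields, then builds an LDAP filter) applied to the SAN in Angelo's question. This is an added example, not code from the thread, from SSSD or from the linked playbooks: a small Python model of a certmap rule whose keyword names (`<SUBJECT>`, `<ISSUER>`, `<SAN:ntPrincipalName>`, `<SAN:rfc822Name>`) and template names (`{subject_nt_principal}`, `{subject_nt_principal.short}`, `{subject_rfc822_name}`, `{subject_dn}`, `{issuer_dn}`) follow sss-certmap(5), but whose evaluator, constructed certificate records, DNs and the assumption that the CAC UPN is stored in each user's `ipacertmapdata` attribute are this example's own.

```python
import re

# Added example: a simplified model of an IdM/SSSD certificate-mapping rule.
# Keyword (<SUBJECT>, <ISSUER>, <SAN:...>) and template ({subject_dn}, ...)
# names follow sss-certmap(5); the evaluation below is this example's own,
# not SSSD's libsss_certmap, and all sample data is constructed.

LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(LDAP_ESCAPES.get(ch, ch) for ch in value)


# Fields as sss-certmap would extract them from a DoD-style CAC (constructed;
# the UPN in the ntPrincipalName otherName is the value quoted in the question).
SAMPLE_CAC = {
    "subject_dn": "CN=LAST.FIRST.1234567897,OU=EXAMPLE,O=U.S. Government,C=US",
    "issuer_dn": "CN=EXAMPLE ID CA-01,OU=PKI,OU=DoD,O=U.S. Government,C=US",
    "san": {
        "ntPrincipalName": ["1234567897000@mil"],
        "rfc822Name": ["first.last.usr@xxxx.xxxx.mil"],
    },
}

# A certificate from an unrelated CA with no @mil UPN (constructed).
SAMPLE_OTHER = {
    "subject_dn": "CN=Some User (contractor),O=Example Corp,C=US",
    "issuer_dn": "CN=Example Corp CA,O=Example Corp,C=US",
    "san": {"ntPrincipalName": ["someuser@example.com"], "rfc822Name": []},
}

# Rules in priority order: (name, match rule, map rule). The ipacertmapdata
# lookup assumes each IdM user carries its CAC UPN there (assumption).
RULES = [
    ("dod_cac", r"<SAN:ntPrincipalName>^[0-9]+@mil$",
     "(ipacertmapdata={subject_nt_principal})"),
    ("by_mail", r"<SAN:rfc822Name>@xxxx\.xxxx\.mil$",
     "(mail={subject_rfc822_name})"),
]

MATCH_COMPONENT = re.compile(r"<(SUBJECT|ISSUER|SAN:(\w+))>(.*)")
TEMPLATE = re.compile(
    r"\{(subject_dn|issuer_dn|subject_nt_principal|subject_rfc822_name)(\.short)?\}")


def _cert_values(cert, keyword, san_type):
    """Return the certificate values a match keyword refers to."""
    if keyword == "SUBJECT":
        return [cert["subject_dn"]]
    if keyword == "ISSUER":
        return [cert["issuer_dn"]]
    return cert["san"].get(san_type, [])


def rule_matches(match_rule, cert):
    """Every '&&'-joined <KEYWORD>regex component must match one of its values."""
    for part in match_rule.split("&&"):
        m = MATCH_COMPONENT.fullmatch(part.strip())
        if not m:
            raise ValueError("bad match component: %r" % part)
        keyword, san_type, regex = m.groups()
        values = _cert_values(cert, keyword.split(":")[0], san_type)
        if not any(re.search(regex, v) for v in values):
            return False
    return True


def _template_value(cert, name, short):
    """Resolve one {template}; a missing SAN value makes the rule unusable."""
    if name == "subject_dn":
        value = cert["subject_dn"]
    elif name == "issuer_dn":
        value = cert["issuer_dn"]
    else:
        san_type = "ntPrincipalName" if name == "subject_nt_principal" else "rfc822Name"
        values = cert["san"].get(san_type, [])
        if not values:
            raise LookupError("certificate has no %s SAN" % san_type)
        value = values[0]
    if short:                      # {x.short}: the part before the '@'
        value = value.split("@", 1)[0]
    return ldap_escape(value)      # certificate contents must not alter filter syntax


def build_filter(map_rule, cert):
    """Expand a map-rule template into the LDAP filter the directory is searched with."""
    return TEMPLATE.sub(
        lambda m: _template_value(cert, m.group(1), bool(m.group(2))), map_rule)


def map_certificate(rules, cert):
    """First matching rule wins; returns (rule name, filter) or None."""
    for name, match_rule, map_rule in rules:
        if rule_matches(match_rule, cert):
            return name, build_filter(map_rule, cert)
    return None


if __name__ == "__main__":
    for cert in (SAMPLE_CAC, SAMPLE_OTHER):
        print(cert["subject_dn"], "->", map_certificate(RULES, cert))
```

Running it maps the CAC-style record to `(ipacertmapdata=1234567897000@mil)` and leaves the unrelated certificate unmapped. Two points carry over to a real deployment: values pulled from the certificate are LDAP-escaped before they enter the filter, so a crafted subject cannot change the filter's structure, and a filter that returns anything other than exactly one entry must be treated as a failed login. In IdM the equivalent rule is created with `ipa certmaprule-add` using `--matchrule` and `--maprule`; whether `ipacertmapdata` or another attribute should carry the UPN depends on how the user entries are populated.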
