On Sat, 01 Oct 2022, Sami Hulkko via FreeIPA-users wrote:
> Hi,
>
> Is it possible to provide a certificate (Dogtag) for an AD trusted user that has login rights to IPA through an ID override?

I'd ask a question in advance: what would this certificate be used for?

ID overrides aren't real users, so you wouldn't be able to use that for
login purposes. Users from trusted Active Directory domains get
authenticated by their own domain's domain controllers, not IPA. So you
cannot use that certificate for something on IPA side other than an SSH
public key authentication. For this, it does not matter who issued the
certificate, any user has a self-service right to update ipaSSHPubKey
attribute, including AD users who can update their own override.
They can also update their own userCertificate attribute according to
one of the default access controls:

aci: (targetattr = "usercertificate")(version 3.0;acl "selfservice:Users can manage their own X.509 certificates";allow (write) userdn = "ldap:///self";;)

but where could they be using this certificate to match against?

In addition, the IPA framework does check properties of the accounts that
request certificate issuance and only allows issuing certificates to
IPA users, IPA hosts, and IPA services. ID overrides aren't included,
for the reasons outlined above.

For more details on how the IPA certificate issuance checks are done, please see
my response to Sam Morris in May 2022:
https://lists.fedorahosted.org/archives/list/[email protected]/message/7NAZ2AT7FXXVBL42DTKJHCUQNOJBZB27/

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
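The two checks the reply describes (the self-service ACI that lets an account write only its own userCertificate, and the framework rule that certificates are issued only to IPA users, hosts and services) can be modelled in a few lines. The following is an added example written for this thread, not code from FreeIPA or 389-ds: it parses the ACI quoted above with a deliberately minimal parser (only `targetattr`, one `allow`/`deny` clause and a `userdn` bind rule are understood), evaluates it for a bind DN against a target entry, and classifies subjects by their container. The DNs, the SID and the container names are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass

# The ACI quoted in the reply (whitespace-normalised before parsing).
PAGE_ACI = (
    '(targetattr = "usercertificate")(version 3.0;acl "selfservice:Users can '
    'manage their own X.509 certificates";allow (write) userdn = "ldap:///self";;)'
)

# Minimal 389-ds ACI grammar: targetattr list, version, acl name, one
# allow/deny clause with a permission list, and a userdn bind rule.
ACI_RE = re.compile(
    r'\(targetattr\s*=\s*"(?P<attrs>[^"]+)"\)'
    r'\(version 3\.0;\s*acl\s+"(?P<name>[^"]+)";\s*'
    r'(?P<effect>allow|deny)\s*\((?P<perms>[^)]+)\)\s*'
    r'userdn\s*=\s*"(?P<userdn>[^"]+)"\s*;+\s*\)',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Aci:
    name: str
    attrs: frozenset      # lower-cased attribute names from targetattr
    effect: str           # "allow" or "deny"
    perms: frozenset      # lower-cased permissions, e.g. {"write"}
    userdn: str           # bind rule URL, e.g. "ldap:///self"


def parse_aci(text: str) -> Aci:
    """Parse the subset of ACI syntax used by IPA self-service rules."""
    m = ACI_RE.search(" ".join(text.split()))
    if not m:
        raise ValueError("unsupported ACI syntax")
    return Aci(
        name=m["name"],
        attrs=frozenset(a.strip().lower() for a in m["attrs"].split("||")),
        effect=m["effect"].lower(),
        perms=frozenset(p.strip().lower() for p in m["perms"].split(",")),
        userdn=m["userdn"].strip().lower(),
    )


def normalize_dn(dn: str) -> str:
    """Case-fold and trim RDNs; escaped commas are not handled here."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def aci_permits(aci: Aci, bind_dn: str, target_dn: str, attr: str, op: str) -> bool:
    """True if this single ACI grants `op` on `attr` of `target_dn` to `bind_dn`."""
    if aci.effect != "allow":
        return False
    if attr.lower() not in aci.attrs or op.lower() not in aci.perms:
        return False
    if aci.userdn == "ldap:///self":
        # Self-service: bind DN must be the entry being modified.
        return normalize_dn(bind_dn) == normalize_dn(target_dn)
    if aci.userdn == "ldap:///all":
        return bind_dn != ""      # any authenticated bind
    if aci.userdn == "ldap:///anyone":
        return True               # anonymous included
    return False                  # groupdn/filter bind rules not modelled


# Assumed IPA containers (relative to the base DN) used to classify subjects.
CONTAINERS = {
    "cn=users,cn=accounts": "user",
    "cn=computers,cn=accounts": "host",
    "cn=services,cn=accounts": "service",
    "cn=views,cn=accounts": "idoverride",
}


def subject_kind(dn: str) -> str:
    """Classify an entry by the IPA container its DN sits under."""
    d = "," + normalize_dn(dn)
    for container, kind in CONTAINERS.items():
        if "," + container + "," in d:
            return kind
    return "unknown"


def may_request_cert(dn: str) -> bool:
    """Model of the framework rule: only users, hosts and services get certs."""
    return subject_kind(dn) in {"user", "host", "service"}


# Constructed sample DNs: an AD user's override in the default trust view.
AD_OVERRIDE_DN = ("ipaanchoruuid=:SID:S-1-5-21-1111-2222-3333-1001,"
                  "cn=Default Trust View,cn=views,cn=accounts,dc=example,dc=test")
OTHER_OVERRIDE_DN = ("ipaanchoruuid=:SID:S-1-5-21-1111-2222-3333-1002,"
                     "cn=Default Trust View,cn=views,cn=accounts,dc=example,dc=test")

if __name__ == "__main__":
    aci = parse_aci(PAGE_ACI)
    print("own override, write userCertificate:",
          aci_permits(aci, AD_OVERRIDE_DN, AD_OVERRIDE_DN, "userCertificate", "write"))
    print("other override, write userCertificate:",
          aci_permits(aci, AD_OVERRIDE_DN, OTHER_OVERRIDE_DN, "userCertificate", "write"))
    print("override may request a cert:", may_request_cert(AD_OVERRIDE_DN))
```

The evaluator only answers for one ACI at a time; a real directory server merges every applicable ACI (reads of userCertificate, for instance, come from other rules), so a `False` here means "this rule does not grant it", not "denied overall". The classifier shows the separation the reply draws: an override entry may write its own userCertificate, yet it is not a subject the framework will issue a certificate to.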
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue