Francis Augusto Medeiros-Logeay via FreeIPA-users wrote: > Hi, > > We have an application that requires Active Directory. In order to > provide SSO, the application gets a user certificate from AD and, as I > understand, uses it towards a RHEL machine as a smart card. I installed > AD's ca certificates on the RHEL client and it works when sssd.conf is > all configured towards AD. > > I've joined the client to AD, as I said, but I do want my `id_provider` > in `sssd.conf` to be `ldap` so that it gets my group info from FreeIPA. > But when I do this, the authentication doesn't work. > > Is there a way to either force pam/sssd to check the certificates > against AD while still getting groups and names from ldap, or to get > FreeIPA to approve the certificates? > > I know this might be a very corner case, but if we make it works, this > would be beautiful.
IMHO you should cross-post this to the SSSD users list as this seems more their area, https://lists.fedorahosted.org/archives/list/sssd-us...@lists.fedorahosted.org/ I think expanding on your configuration would help too. Are you using the IPA certificate mapping to map the AD-issued certificates to an IPA user for authentication? What is the current provider? Is ipa not sufficient/working? rob _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue