On Fri, Jun 23, 2023 at 09:03:55AM +0200, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
>
>
>> On 22 Jun 2023, at 14:48, Rob Crittenden via FreeIPA-users
>> <[email protected]> wrote:
>>
>> Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
>>> Hi,
>>>
>>> We have an application that requires Active Directory. In order to
>>> provide SSO, the application gets a user certificate from AD and, as I
>>> understand, uses it towards a RHEL machine as a smart card. I installed
>>> AD's CA certificates on the RHEL client and it works when sssd.conf is
>>> all configured towards AD.
>>>
>>> I've joined the client to AD, as I said, but I do want my `id_provider`
>>> in `sssd.conf` to be `ldap` so that it gets my group info from FreeIPA.
>>> But when I do this, the authentication doesn't work.
>>>
>>> Is there a way to either force pam/sssd to check the certificates
>>> against AD while still getting groups and names from ldap, or to get
>>> FreeIPA to approve the certificates?
>>>
>>> I know this might be a very corner case, but if we make it work, this
>>> would be beautiful.
>>
>
> Thanks Rob!
>
>> IMHO you should cross-post this to the SSSD users list as this seems
>> more their area,
>> https://lists.fedorahosted.org/archives/list/[email protected]/
>
> I posted it there first, tbh, but got no reply.
>
>> I think expanding on your configuration would help too. Are you using
>> the IPA certificate mapping to map the AD-issued certificates to an IPA
>> user for authentication?
>
> No. The users are the same on both - same uid, gid, etc., but no connection,
> trust, or anything.
>
> The mapping in sssd.conf is this one:
>
> [certmap/mydomain.com/truesso] #Add this section and following
> lines to set match and map rule for certificate user
> matchrule = <EKU>msScLogin
> maprule =
> (|(userPrincipal={subject_principal})(samAccountName={subject_principal.short_name}))
> domains = mydomain.com
> priority = 10
>
> When id_provider = ad, it works, but not when it is `ldap`. But the users, in
> principle, are the same. Could it be those attributes that are wrong?

Hi,

with 'id_provider = ad' the 'auth_provider' will be 'ad' as well, which is
basically 'auth_provider = krb5', and Smartcard authentication is done the
Kerberos way. With 'id_provider = ldap' the 'auth_provider' will be 'ldap'
as well, so you might have to explicitly add 'auth_provider = krb5'.

Additionally, the 'maprule' is looking for LDAP attributes, so your IPA user
must at least have the 'userPrincipal' attribute set with the principal
which is stored in the subject alternative names of the certificate.

Feel free to add 'debug_level = 9' to the [pam] and [domain/...] sections
of sssd.conf, restart SSSD, try again and send the SSSD logs here.

bye,
Sumit

>
>> What is the current provider? Is ipa not sufficient/working?
>
>
> It's ad for everything else, except for `id`, which is ldap. I should try
> `ipa`, but since I am using ldap configuration, I think it won't make any
> difference.
>
> Best,
> Francis
>
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
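For readers who want to see Sumit's advice and Francis's certmap rule side by side, the following sssd.conf fragment is an added illustration assembled for this page; it is not a configuration posted in the thread and it has not been tested against the poster's environment. The `[sssd]` header, `ldap_uri`, `ldap_search_base`, `krb5_server` and `krb5_realm` values are assumed placeholders; only the `[certmap/...]` section and the `auth_provider = krb5` / `debug_level = 9` lines come from the discussion.

```ini
# Added illustrative sssd.conf fragment, not from the thread.
# ldap_uri, ldap_search_base, krb5_server and krb5_realm are assumed placeholders.

[sssd]
services = nss, pam
domains = mydomain.com

[pam]
# Raise logging while troubleshooting, as suggested in the thread
debug_level = 9

[domain/mydomain.com]
debug_level = 9

# Identity (users, groups) comes from FreeIPA's LDAP tree ...
id_provider = ldap
ldap_uri = ldap://ipa.example.test
ldap_search_base = dc=example,dc=test

# ... but authentication is done the Kerberos way. With id_provider = ldap
# this is NOT implied (auth_provider would default to ldap), so it must be
# set explicitly for the Smartcard/certificate logon to follow the same
# path as it does with id_provider = ad.
auth_provider = krb5
krb5_realm = MYDOMAIN.COM
krb5_server = dc1.mydomain.com

# Francis's mapping rule, unchanged. The maprule is an LDAP filter evaluated
# against the id_provider's directory, so the IPA user entry must carry the
# attribute the filter names, holding the principal found in the certificate's
# subject alternative name.
[certmap/mydomain.com/truesso]
matchrule = <EKU>msScLogin
maprule = (|(userPrincipal={subject_principal})(samAccountName={subject_principal.short_name}))
domains = mydomain.com
priority = 10
```

The design point this fragment makes is the one from the reply: switching `id_provider` from `ad` to `ldap` silently changes the default `auth_provider`, so the certificate is no longer validated via Kerberos unless `auth_provider = krb5` is stated. If logon still fails after that change, the `debug_level = 9` logs from the `[pam]` and `[domain/...]` sections are what show whether the `maprule` filter matched an entry in the LDAP tree.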
