Having read the "Automated enrollment of FreeIPA host" thread
<https://lists.fedorahosted.org/archives/list/[email protected]/thread/YSPY5UD3NCJHAGH57IVFO37B2R7G5UM3/#KSEAZQ6RKNM7DBJ4IP5BXGTEA7U4IUJM>
earlier in the year, I've written up some notes that I made while
implementing it on my domain, which might be of interest to other users:
https://robots.org.uk/FreeIPA#Automating_host_enrollment_with_PKINIT
I decided to create a more complex certificate mapping rule which
matches on the certificate's Kerberos principal name as well as its
DNS-ID. The advantage of this approach is that it prevents certificates
without a Kerberos principal name from being used for PKINIT at all, and
it also stops a host and the services running on it from using their
certificates to authenticate as each other.
There's also some info about the details of the two different ways to
add a Kerberos principal name to certificates, and examples of using
OpenSSL to add the `szOID_NT_PRINCIPAL_NAME` type of otherName.
I noticed that sss-certmap(5) documents an extended form of the <SAN>
component rule that is not present in krb5.conf(5) (e.g.,
<SAN:Principal>). I was wondering how these actually work - does krb5kdc
KDC call into an SSSD plugin that implements these extra matching rule
components?
Thanks!
--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
