Hi! This is our currently working setup:

- AD Domain: ourdomain.local (working fine for Windows users' authentication, Domain Controllers, etc.)
- IPA Domain: idm.ourdomain.local (trust relation successfully set up with the Domain Controllers)
- AD users can log in to the IPA Server with their AD credentials.

Goal: Allow AD users to add and manage their own certificates for different services (VPN access and the like). The workflow would be something like:

1. The user adds a new CSR. (The user creates his key and generates the CSR locally.)
2. IPA admins approve and issue the certificate.
3. The user downloads the certificate.

"Local" IPA users can add certificate requests in their profile by clicking on Actions > New Certificate. AD users are only allowed to edit their profile description, GECOS and login shell, add SSH public keys and add certificates in PEM format, not add certificate requests.

We have tried a few things already:

- Certificate Mappings. They are designed for user authentication to idm.ourdomain.local, no go.
- From the docs https://www.freeipa.org/page/Active_Directory_trust_setup, "Allow access for users from AD domain to protected resources": which "protected resource" allows for users' certificates?
- From the RH docs, "CHAPTER 73. ENABLING AD USERS TO ADMINISTER IDM": AD users can administer IDM, but they cannot add a new Certificate Signing Request to their own profile.

Any ideas? Sorry for the length of the post...

TIA
Pedro.

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure