Is anyone using sssd to perform smartcard authentication directly against Microsoft Active Directory, without using IPA? If so, what did you have to do in order to get it working?

In our AD domain, the userPrincipalName attribute contains the address of what I assume is the CN of the smartcard that corresponds to that user. I don't see any other attributes set in AD that look like they're related to smartcard authentication (i.e., no certificates), so everything must drive from the userPrincipalName attribute. (We use a one-smartcard-per-account model, so we have no altSecurityIdentities attributes.) Our Windows guys don't know for certain, but I believe that the smartcard authentication employs PKINIT. (I don't see how else it would work, honestly.)

Pretty much the only sssd configuration options I see related to smartcard authentication are pam_cert_auth and pam_cert_db_path. Is it really the case that all I have to do is set pam_cert_auth to "true" and smartcard logins will just magically work, because sssd will look at the userPrincipalName attribute in AD and just Do The Right Thing? I mean, it can't be that easy, can it? :-P

Thanks in advance for any advice or tips.

_______________________________________________
sssd-users mailing list -- [email protected]
List Archives: https://lists.fedoraproject.org/archives/list/[email protected]/message/T7PUHKUB2ZBIRX7VNXO5LLE7KGOUBSHX/
