On Wed, Feb 13, 2019 at 08:17:39AM +0100, Winberg, Adam wrote:
> I'm having a hard time understanding how cert mapping is supposed to work
> offline. Currently I have the following certmap config (this is on
> RHEL8-beta):
> 
> [certmap/ad.example.com/smartcard]
> maprule =
> (|(userPrincipal={subject_principal})(samAccountName={subject_principal.short_name}))
> 
> to map the CN on the card to 'samAccountName' in AD. This works as long as
> I'm online (access to AD), but when I go offline (disconnect network) the
> maprule is not working. I thought that the mapping would then use the sssd
> cache but apparently not - so how is smartcard login supposed to work
> offline?

The cached data should be used in the offline case. Do your certificates
contain the OCSP extension? If this is present SSSD will use it by
default to validate the certificate which will fail if the system is
offline. To disable OCSP you can set

    certificate_verification = no_ocsp

in the [sssd] section of sssd.conf, see man sssd.conf for details.

If that's not the case feel free to send me the SSSD logs ideally with
debug_level=9. The most important ones for the offline case would be
sssd_pam.log and p11_child.log.

bye,
Sumit

> 
> Regards
> Adam

> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/[email protected]
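Added example, not part of this thread and not SSSD code: a small standard-library Python script that answers the diagnostic question above, whether the certificate on the card carries an OCSP responder in its Authority Information Access (AIA) extension, by walking the DER structure and pulling out any id-ad-ocsp URIs. The sample data it builds is a constructed stand-in for a certificate's extension block (not a real certificate); `build_sample_extensions` and `find_ocsp_uris` are names chosen here. The OIDs are the standard PKIX values.

```python
"""Check whether a DER-encoded X.509 certificate carries an Authority
Information Access (AIA) extension with an OCSP responder URI.

Added example (not SSSD code): a minimal DER walker, standard library only."""
import sys

OID_AIA = "1.3.6.1.5.5.7.1.1"    # id-pe-authorityInfoAccess
OID_OCSP = "1.3.6.1.5.5.7.48.1"  # id-ad-ocsp


def _read_tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, body, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _walk(data):
    """Yield (tag, body) for each TLV directly inside data."""
    pos = 0
    while pos < len(data):
        tag, body, pos = _read_tlv(data, pos)
        yield tag, body


def _decode_oid(body):
    parts = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(str(p) for p in parts)


def find_ocsp_uris(der):
    """Return every OCSP URI found in an AIA extension anywhere in der."""
    uris = []

    def visit(data):
        for tag, body in _walk(data):
            if tag == 0x30:  # SEQUENCE: maybe Extension { extnID, [critical], extnValue }
                children = list(_walk(body))
                if children and children[0][0] == 0x06 \
                        and _decode_oid(children[0][1]) == OID_AIA:
                    octet = next(b for t, b in children if t == 0x04)
                    # extnValue wraps SEQUENCE OF AccessDescription { method, location }
                    for _, aia in _walk(octet):
                        for _, desc in _walk(aia):
                            method, location = list(_walk(desc))[:2]
                            # GeneralName [6] uniformResourceIdentifier is context tag 0x86
                            if _decode_oid(method[1]) == OID_OCSP and location[0] == 0x86:
                                uris.append(location[1].decode("ascii"))
                    continue
            if tag & 0x20:   # any other constructed node: descend
                visit(body)

    visit(der)
    return uris


# --- constructed sample data: stands in for a certificate's extension block ---

def _tlv(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(oid):
    parts = [int(p) for p in oid.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_sample_extensions(ocsp_uri=None):
    """Constructed DER: SEQUENCE { [3] EXPLICIT Extensions } holding basicConstraints
    and, when ocsp_uri is given, an AIA extension that points at it."""
    exts = [_tlv(0x30, _encode_oid("2.5.29.19") + _tlv(0x04, _tlv(0x30, b"")))]
    if ocsp_uri:
        access = _tlv(0x30, _encode_oid(OID_OCSP) + _tlv(0x86, ocsp_uri.encode("ascii")))
        exts.append(_tlv(0x30, _encode_oid(OID_AIA) + _tlv(0x04, _tlv(0x30, access))))
    return _tlv(0x30, _tlv(0xA3, _tlv(0x30, b"".join(exts))))


if __name__ == "__main__":
    der = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 \
        else build_sample_extensions("http://ocsp.example.test")
    print("OCSP URIs:", find_ocsp_uris(der) or "none found")
```

Run it against a real card certificate with `python3 check_ocsp.py cert.der` (a PEM file converts with `openssl x509 -in cert.pem -outform DER -out cert.der`). If it reports a URI and the host must authenticate while disconnected, `certificate_verification = no_ocsp` in the `[sssd]` section is what lets the cached certmap data be used; the trade-off is that that host no longer checks revocation status during smartcard login, so it is worth pairing with a short cache lifetime or a CRL-based check where one is available.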