Hello.
Is it possible to replicate the digest mapping feature of pam_pkcs11 in sssd?
We have built our infrastructure around the notion of mapping users to
certificates based on the certificate digest. With the removal of pam_pkcs11
from recent distros (including RHEL 8) we are faced with either changing our
mapping scheme (potentially a lot of work) or making this work in sssd. This is
a snippet of what we do today:
--- snip pam_pkcs11.conf ---
# digest - compute the certificate digest and look it up in a map file
# to obtain the login name
mapper digest {
debug = false;
# "internal" selects the mapper compiled into pam_pkcs11 instead of the
# external shared object shown in the commented-out line below.
module = internal;
# module = /usr/$LIB/pam_pkcs11/digest_mapper.so;
# algorithm used to evaluate certificate digest
# Select one of:
# "null","md2","md4","md5","sha","sha1","dss","dss1","ripemd160"
# NOTE(review): with this mapper the digest is the only link between a
# certificate and an account. md2, md4, md5 and sha1 all have known collision
# weaknesses, so the mapping is only safe if the certificate chain is also
# validated against a trusted CA -- confirm that in the rest of pam_pkcs11.conf.
algorithm = "sha1";
# NOTE(review): this file decides which account each certificate logs in as,
# so it should be writable by root only -- verify ownership and mode on disk.
mapfile = file:///etc/pam_pkcs11/digest_mapping;
# mapfile = "none";
}
--- snip ---
# snippet of digest_mapping file (the values have been obfuscated)
[root@friday-vm]# grep jim digest_mapping
11:BC:53:F1:EF:24:B4:9C:47:ED:7D:EC:2B:82:CB:93:61:F8:88:4F -> jim