On Tue, Mar 17, 2020 at 02:17:06PM -0000, Hristina Marosevic wrote:
> > On Tue, Mar 17, 2020 at 11:17:34AM -0000, Hristina Marosevic wrote:
> > ....
> >
> > Hi,
> >
> > I'm sorry, I haven't read one of your earlier emails carefully enough,
> > please do not use "certificate_verification = no_ocsp, no_verification"
> > but only
> >
> >     certificate_verification = no_verification
> >
> > 'no_ocsp' implies verification but without OCSP so using both options is
> > an inconsistency.
> >
> > bye,
> > Sumit
Hi,

about 'certificate_verification = no_verification', there is an issue which was
fixed by https://pagure.io/SSSD/sssd/c/31ebf912d6426aea446b2bdae919d4e33b0c95be
but the fix is not in the build you are using. So better continue with
'certificate_verification = no_ocsp'.

>
> Besides this, I thought of another scenario which may help me validate the
> certificate. I can add certificate_verification=no_ocsp instead of
> certificate_verification=no_verification in [sssd] section of sssd.conf file,
> and store the trust on the server - in that case, where should I store the
> trust and is it enough just to provide the root CA certificate, or is it
> needed to store the intermediate CAs' certificates? Also, in which format?

Please add all CA certificates to the NSS database /etc/pki/nssdb with the help
of the certutil command:

    certutil -A -n "CA cert nickname" -t C,C,C -i /path/to/CA_cert_file -d /etc/pki/nssdb

each CA certificate should get an individual nickname. If your CA_cert_file is
in PEM format (with BEGIN CERTIFICATE and END CERTIFICATE lines) you might need
to add a '-a' option as well.

If there are still issues please send the strace output.

HTH

bye,
Sumit

>
> If this won't work, I really have no idea of any other options for testing
> the PKI based authentication, so if you have any other ideas, I will
> appreciate it if you share it.
>
>
> Thank you for your help!
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
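The certutil procedure Sumit describes (one nickname per CA certificate, root and intermediates alike, and '-a' only for PEM input) as an added, self-contained shell example. This is not code from the thread or from the SSSD project: the database path /etc/pki/nssdb and the trust flags C,C,C are taken from the mail, while the certificate directory layout, the nickname-from-filename scheme and the helper names (is_pem, nickname_for, certutil_cmd, import_ca_dir) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the thread or of SSSD: import every CA certificate
# (root and intermediates) from a directory into the NSS database that SSSD's
# certificate verification uses, one nickname per certificate, adding -a only
# for PEM input. /etc/pki/nssdb and the trust flags C,C,C come from the mail;
# the directory layout and the nickname-from-filename scheme are assumptions.

NSSDB="${NSSDB:-/etc/pki/nssdb}"

# is_pem FILE: succeed when FILE carries a PEM certificate (BEGIN CERTIFICATE line).
# Anything else is treated as binary DER and imported without -a.
is_pem() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null
}

# nickname_for FILE: derive the per-certificate nickname from the file name,
# dropping the directory and the extension (e.g. /certs/Corp_Root_CA.pem -> Corp_Root_CA).
nickname_for() {
    basename "$1" | sed 's/\.[^.]*$//'
}

# certutil_cmd FILE: print the certutil command line for one CA certificate,
# one argument per line, so it can be reviewed before anything is executed.
certutil_cmd() {
    f="$1"
    if is_pem "$f"; then
        printf '%s\n' certutil -A -n "$(nickname_for "$f")" -t C,C,C -a -i "$f" -d "$NSSDB"
    else
        printf '%s\n' certutil -A -n "$(nickname_for "$f")" -t C,C,C -i "$f" -d "$NSSDB"
    fi
}

# import_ca_dir DIR: import every regular file in DIR and list the database afterwards.
# Needs root (the NSS database is root-owned) and the certutil binary.
import_ca_dir() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if is_pem "$f"; then pem_flag="-a"; else pem_flag=""; fi
        # $pem_flag is deliberately unquoted: empty means "no extra argument".
        certutil -A -n "$(nickname_for "$f")" -t C,C,C $pem_flag -i "$f" -d "$NSSDB" || return 1
    done
    # Show what SSSD will now trust; every CA should appear with trust "C,C,C".
    certutil -L -d "$NSSDB"
}

# Typical use (as root), once the CA files are in place and the [sssd] section of
# sssd.conf has certificate_verification = no_ocsp as discussed in the thread:
#   import_ca_dir /root/ca-certs
```

Reviewing the output of certutil_cmd before running import_ca_dir is the point of the split: a wrong nickname or a DER file mistaken for PEM shows up as a wrong argument list, not as a failed or misleading import into the live database.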
