On Sun, Jul 18, 2021 at 1:26 PM Assaf Morami <[email protected]> wrote:
> Is it possible to have an AD + Smart Card setup, without having the
> user certificate in AD? meaning have sssd take the certificate
> straight from the smart card.

Starting with sssd 2.1.0, sssd can map smart card certificates to AD users by using the certmap; see sss-certmap(5). For sssd 1.x and 2.0.x, sssd performs user matching by searching AD for a user object whose userCertificate parameter matches the certificate on the smart card. Which means you have to pre-load smartcard certificates into AD for Linux sssd smartcard authentication to work.

> If not, is it possible with sss_override to insert the certificate
> to the sssd cache right before each login?

That's not going to help—sssd already has the certificate; it reads it from the smart card. The issue is that sssd needs to be able to identify the correct AD user object that corresponds to the certificate on the smart card.
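
A certificate mapping rule of the kind the reply refers to, as an added example that is not part of the original message. The domain name, rule name and CA subject are placeholders chosen for illustration; the section and option names follow sssd.conf(5) and sss-certmap(5).

```ini
# Fragment of /etc/sssd/sssd.conf. Constructed example: the domain name,
# rule name and CA subject below are placeholders.

[certmap/example.com/smartcard_by_upn]
# Only consider certificates issued by the smart-card CA.
matchrule = <ISSUER>^CN=Example-Smartcard-CA,DC=example,DC=com$
# Find the AD user whose userPrincipalName equals the principal in the
# certificate's subject alternative name; no userCertificate attribute
# has to be populated in AD for this lookup.
maprule = (userPrincipalName={subject_principal})
domains = example.com
# Lower numbers are evaluated first.
priority = 10

# For comparison, matching on the full certificate stored in AD, which
# requires pre-loading the certificate into the user object:
# maprule = (userCertificate;binary={cert!bin})
```

Because this rule identifies the user from a name inside the certificate rather than from the certificate itself, the `matchrule` should stay restricted to the issuing CA that is trusted to assert those names.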
