Hi,

On Tue, Jan 24, 2023 at 11:26 PM r0 nam1 via FreeIPA-users < [email protected]> wrote:

> I'm wondering if anybody who actually knows this can shed some light on
> how it works.
> I'm attempting to get Certificate Based SmartCards (Yubikeys) to work with
> FreeIPA so I can connect terminals and have MFA domain-wide.
> The issue is that on Debian PCs, the process isn't documented very well,
> or even how all the components interact.
> Could anybody shed some light on how each program interacts, from OpenSC
> to SSSD talking to FreeIPA to validate the Cert, how does it all work?
>

You can refer to Understanding smart card authentication [1] for a high-level overview. The guide also contains a section for troubleshooting [2] which may help understand the tools you can use.

From FreeIPA's point of view, the most important notion is that you need to be able to link a certificate to a user. This can be done either by storing the full certificate in the user entry, or by expressing a mapping rule that explains how to find the user associated with the certificate.

During the authentication, SSSD receives the certificate and performs an LDAP search on the users subtree, looking for a matching user. By default, it uses a search filter like "(usercertificate=<full cert>)", meaning "Look for a user that has this certificate in its LDAP entry".

If you are using a Yubikey, you must refer to the yubico-piv-tool man page [3] for setting a pin and management key, generating a csr, adding the cert on the card etc...

flo

[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_smart_card_authentication/assembly_understanding-smart-card-authentication_managing-smart-card-authentication
[2] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_smart_card_authentication/assembly_troubleshooting-authentication-with-smart-cards_managing-smart-card-authentication
[3] https://developers.yubico.com/yubico-piv-tool/Manuals/yubico-piv-tool.1.html
_______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
