> On 22 Jun 2023, at 14:48, Rob Crittenden via FreeIPA-users 
> <[email protected]> wrote:
> 
> Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
>> Hi,
>> 
>> We have an application that requires Active Directory. In order to
>> provide SSO, the application gets a user certificate from AD and, as I
>> understand, uses it towards a RHEL machine as a smart card. I installed
>> AD's ca certificates on the RHEL client and it works when sssd.conf is
>> all configured towards AD.
>> 
>> I've joined the client to AD, as I said, but I do want my `id_provider`
>> in `sssd.conf` to be `ldap` so that it gets my group info from FreeIPA.
>> But when I do this, the authentication doesn't work.
>> 
>> Is there a way to either force pam/sssd to check the certificates
>> against AD while still getting groups and names from ldap, or to get
>> FreeIPA to approve the certificates?
>> 
>> I know this might be a very corner case, but if we make it work, this
>> would be beautiful.
> 

Thanks Rob!

> IMHO you should cross-post this to the SSSD users list as this seems
> more their area,
> https://lists.fedorahosted.org/archives/list/[email protected]/

I posted it there first, tbh, but got no reply.

> I think expanding on your configuration would help too. Are you using
> the IPA certificate mapping to map the AD-issued certificates to an IPA
> user for authentication?

No. The users are the same on both - same uid, gid, etc, but no connection, 
trust, or anything.
The mapping on sssd.conf is this one:

# Add this section and the following lines to set the match and map rule for the certificate user
[certmap/mydomain.com/truesso]
matchrule = <EKU>msScLogin
maprule = (|(userPrincipal={subject_principal})(samAccountName={subject_principal.short_name}))
domains = mydomain.com
priority = 10

When id_provider = ad, it works, but not when it is `ldap`. But the users, in 
principle, are the same. Could it be those attributes that are wrong?

> What is the current provider? Is ipa not sufficient/working?


It’s ad for everything else, except for `id`, which is ldap. I should try 
`ipa`, but since I am using ldap configuration, I think it won’t make any 
difference.

Best,
Francis 

_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]