On Thu, Jan 31, 2019 at 03:20:04PM -0000, Jessie Floyd via FreeIPA-users wrote:
> I've deployed a pre-production IPA environment which is similar to the
> example domains above. I have a user signed smart-card which does not
> share a CA with the IPA domain. I want to configure SSSD to fail
> closed if the OCSP responder (identified on the card) is not
> available. I see in the sssd.conf file where I can enable OCSP to an
> alternate URL, but I don't find an option to set OCSP as
> 'required'. I've run a network capture and see the OCSP responder
> replying to my request when authenticating via SmartCard; I now want
> to force authentication to require OCSP validation and not default
> 'open' or 'success' when OCSP is unavailable. Is there a method of
> setting either sssd.conf or an attribute in ipa to force this type of
> configuration?
If the certificate includes the OCSP extension, SSSD will use OCSP to validate the certificate. You can disable this by setting 'certificate_verification=no_ocsp'. Or do you want that only certificates which have the OCSP extension are allowed at all?

bye,
Sumit

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
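The two settings the thread talks past each other on, as an added sssd.conf fragment (editor's example, not configuration from either poster or from the SSSD project): the `no_ocsp` value from the reply, which turns revocation checking off, next to the `ocsp_default_responder=URL` form that the question calls "OCSP to an alternate URL". The responder URL and signing-cert nickname are placeholders; check `certificate_verification` in the sssd.conf(5) man page of the installed release before relying on any value here.

```ini
# Added example, not from the thread. Placeholders: ocsp.example.test, OCSP_SIGNER.
[sssd]
# What the reply describes as the default: when the smart-card certificate
# carries an OCSP (AIA) extension, SSSD's certificate check queries that
# responder as part of verification.

# Variant A (from the reply): skip OCSP entirely. This is the opposite of
# "fail closed"; a revoked card is accepted as long as the chain validates.
#certificate_verification = no_ocsp

# Variant B (the "alternate URL" the question mentions): always ask one
# fixed responder instead of the URL embedded in the certificate. OCSP is
# still performed; some builds additionally require the responder's
# signing-certificate nickname, shown here with a placeholder.
certificate_verification = ocsp_default_responder=http://ocsp.example.test/,ocsp_default_responder_signing_cert=OCSP_SIGNER

# Do not add any "soft" variant of the OCSP setting if the man page of your
# release documents one (assumption: newer sssd.conf(5) versions list
# soft_ocsp); leaving it absent keeps an unreachable responder as a failure.
```

To confirm which path a login actually took, raise `debug_level` in the `[sssd]` section and read the certificate-verification child's log under `/var/log/sssd/` during a test authentication, with the responder reachable and then blocked; the capture the question mentions only shows that a query was sent, not what SSSD decided when no answer came back.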