Hi,

On Thu, Mar 13, 2025 at 4:04 PM N. V. via FreeIPA-users <[email protected]> wrote:

> Hi all,
>
> I’m reaching out to see if anyone has already implemented or is aware of
> an existing solution for automatically assigning certificates issued via
> Dogtag to FreeIPA user records.
>
> In our environment we occasionally issue certificates outside of the
> standard IPA certificate request workflow. The challenge we’re facing is
> mapping these externally issued certificates to the appropriate FreeIPA
> user - for instance based on the subject DN - without having to rely on
> manual intervention.
>
> Has anyone implemented an automated solution for this? Any pointers to
> plugins, scripts, or documentation that could help this assignment process
> would be greatly appreciated.
>

For which use case do you need to map the certificates to users? If you use the certificate for smart card authentication for instance, you can define certificate mapping rules.

In the usual IPA workflow, when a certificate is issued through ipa-getcert, the certificate gets added to the user/service entry and smart card authentication maps the certificate and the user based on the presence of this certificate inside the user entry. But if you don't want to import the certificate in the user entry, you can also define certificate mapping rules and rely on the information already inside the user entry to map a certificate and a user entry.

You can find more information in
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/managing_smart_card_authentication/con-idm-certmapdata_managing-smart-card-authentication#con-idm-certmapdata_managing-smart-card-authentication

Hope this helps,
flo

> Thanks in advance for your help and insights!
>
> Best regards,
> Nelson
> --
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
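The two lookups described in the reply above (certificate stored in the user entry, or a mapping rule evaluated against data already in the entry), as an added example that is not part of the original message and is not FreeIPA or SSSD code. The users, DNs, certificate bytes and the rule of rejecting a certificate that matches several users are assumptions of this sketch; DNs are compared exactly as given.

```python
# Simplified model of the two certificate-to-user lookups from the thread.
# Added illustration only: this is not FreeIPA or SSSD code.

# Rule template in the style of an IPA certificate mapping rule. Real rules
# also specify a DN format conversion, which this model leaves out (assumption).
MAPRULE = "(ipacertmapdata=X509:<I>{issuer_dn}<S>{subject_dn})"

# Constructed directory entries: every user, DN and certificate is made up.
EXT = "X509:<I>CN=Ext CA,O=EXAMPLE.TEST<S>CN=%s,O=EXAMPLE.TEST"
USERS = [
    # Certificate issued through the usual workflow and stored in the entry.
    {"uid": "alice", "usercertificate": [b"constructed-DER-alice"],
     "ipacertmapdata": []},
    # Externally issued certificate, known only through mapping data.
    {"uid": "bob", "usercertificate": [], "ipacertmapdata": [EXT % "bob"]},
    # Two accounts sharing one mapping value: an ambiguous mapping.
    {"uid": "carol", "usercertificate": [], "ipacertmapdata": [EXT % "carol"]},
    {"uid": "carol-adm", "usercertificate": [], "ipacertmapdata": [EXT % "carol"]},
]


def ldap_escape(value):
    """Escape RFC 4515 filter metacharacters so a DN cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def render_filter(issuer_dn, subject_dn):
    """Build the LDAP search filter a mapping rule would produce for a cert."""
    return MAPRULE.format(issuer_dn=ldap_escape(issuer_dn),
                          subject_dn=ldap_escape(subject_dn))


def match_users(cert, users):
    """Return uids matched by stored certificate or by mapping data."""
    wanted = "X509:<I>%s<S>%s" % (cert["issuer_dn"], cert["subject_dn"])
    return sorted(u["uid"] for u in users
                  if cert["der"] in u["usercertificate"]
                  or wanted in u["ipacertmapdata"])


def resolve(cert, users):
    """Map a certificate to exactly one user; refuse ambiguous mappings."""
    hits = match_users(cert, users)
    if len(hits) > 1:
        raise LookupError("certificate maps to several users: " + ", ".join(hits))
    return hits[0] if hits else None
```

With subject-DN mapping for externally issued certificates, the mapping is only as trustworthy as the issuing CA's control over subject names, so the ambiguous and unmatched cases are worth testing before rollout.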
