Thanks for the suggestion, Rob! I posted to the sssd-users mailing list and
they responded. Turns out this is a known issue with an existing PR to fix it:
* https://github.com/SSSD/sssd/issues/5135
* https://github.com/SSSD/sssd/pull/1036
I will have to configure FreeIPA to match against full ce
If I manually escape the parentheses surrounding "affiliate" as seen below,
then the ldapsearch command finds the user:
ldapsearch -b "cn=accounts,dc=staging,dc=cool,dc=cyber,dc=dhs,dc=gov"
"(&(ipaCertMapData=X509:C=US,O=U.S. Government,OU=Department of Homeland
Security,OU=Certification Author
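As an added illustration of the escaping described above (this is not code from the thread, from FreeIPA or from SSSD): a small Python script that escapes an assertion value per RFC 4515, builds an ipaCertMapData filter of the same shape as the ldapsearch above, and uses a minimal filter parser to show why the unescaped form is not a valid filter. The sample mapping value is constructed; the real DN components are truncated on the page, so it only mimics their shape (an OU containing "(affiliate)"), and the "(objectClass=person)" clause is an assumed addition.

```python
"""RFC 4515 escaping for LDAP filter values, illustrated on ipaCertMapData.

Added example for this thread; not code from FreeIPA, SSSD or the poster.
"""

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_HEX = set("0123456789abcdefABCDEF")


def ldap_filter_escape(value: str) -> str:
    """Escape a string so it can be placed verbatim inside (attr=value)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def certmap_filter(cert_map_data: str, escape: bool = True) -> str:
    """Build a filter of the shape the thread runs against cn=accounts.

    escape=False reproduces the naive string that breaks on a value containing
    parentheses; escape=True is the form that lets ldapsearch find the user.
    The objectClass clause is an assumption, not taken from the thread.
    """
    value = ldap_filter_escape(cert_map_data) if escape else cert_map_data
    return f"(&(ipaCertMapData={value})(objectClass=person))"


def _parse_filter(s: str, i: int) -> int:
    """Recursive-descent check of filter = '(' filtercomp ')' per RFC 4515.

    Returns the index just past the closing ')'; raises ValueError if the
    text is not a well-formed filter (e.g. an unescaped '(' inside a value).
    """
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise ValueError("unexpected end of filter")
    if s[i] in "&|":                      # and / or: one or more sub-filters
        i += 1
        if i >= len(s) or s[i] != "(":
            raise ValueError(f"expected sub-filter at offset {i}")
        while i < len(s) and s[i] == "(":
            i = _parse_filter(s, i)
    elif s[i] == "!":                     # not: exactly one sub-filter
        i = _parse_filter(s, i + 1)
    else:                                 # simple item: attr=value
        j = i
        while j < len(s) and s[j] not in "=()":
            j += 1
        if j == i or j >= len(s) or s[j] != "=":
            raise ValueError(f"expected attr=value at offset {i}")
        j += 1
        while j < len(s) and s[j] != ")":
            if s[j] == "\\":              # escapes are exactly '\' + two hex digits
                if not (j + 2 < len(s) and set(s[j + 1:j + 3]) <= _HEX):
                    raise ValueError(f"bad escape at offset {j}")
                j += 3
            elif s[j] == "(":
                raise ValueError(f"unescaped '(' inside value at offset {j}")
            else:
                j += 1
        i = j
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return i + 1


def filter_is_well_formed(s: str) -> bool:
    """True if the whole string is one well-formed RFC 4515 filter."""
    try:
        return _parse_filter(s, 0) == len(s)
    except ValueError:
        return False


# Constructed sample mapping value: the real DN components are truncated in the
# thread, so this only mimics their shape (an OU containing "(affiliate)").
SAMPLE_CERTMAP = ("X509:C=US,O=U.S. Government,OU=Department of Homeland Security,"
                  "OU=Certification Authorities,OU=DHS CA4 (affiliate),CN=Example Contractor")

if __name__ == "__main__":
    for escape in (False, True):
        flt = certmap_filter(SAMPLE_CERTMAP, escape=escape)
        print(f"escape={escape}: well-formed={filter_is_well_formed(flt)}\n  {flt}")
```

The parser is deliberately strict about the one thing that matters here: an unescaped "(" inside an assertion value is rejected, so the naive filter is reported as malformed while the escaped one parses. ldapsearch does no escaping of its own, so anything that turns a certificate subject into a filter string has to apply the same transformation before the value reaches the server.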
I tried escaping the parentheses in the user certificate mapping data, but it
still fails. Did you mean to escape the parentheses inside the actual
certificate? Or something else?
I have also noticed that ipa certmap-match does not seem to care very much if I
run sss_cache -E. Is there anoth
Also, to be clear, I should mention that the certmap data is used in two
different ways:
1. We perform an ipa certmap-match command from our VPN server to confirm that
the client's certificate is valid
2. The certmap data is used by pkinit when the users kinit using their PIV
(smartcard) credent
Hi Flo,
Thanks for the quick response! I have been following your helpful
instructions, but we are still baffled. Frankly, I am starting to doubt my
sanity :)
I removed all certificate and certmap data from a contractor's user account,
then ran sss_cache -E to clear the cache. After that I
Hello,
I have users who kinit using their PIV (smartcard) certificates. Everything
works great for users who happen to be "full" employees, but contractors'
certificates never match.
"Full" employees have certificates issued by:
OU=DHS CA4,OU=Certification Authorities,OU=Department of Homeland