On Mon, Oct 28, 2019 at 3:21 AM Sumit Bose <sb...@redhat.com> wrote: > unfortunately there are two different ways to encode Kerberos > principals, one is the AD way with OID 1.3.6.1.4.1.311.20.2.3 the other > is defined in RFC 4556 with 1.3.6.1.5.2.2. > > To be most flexible the mapping and matching rules provide for the > AD encoding: > > - <SAN:ntPrincipalName>.*@MY\.AD\.REALM > - userPrincipalName={subject_nt_principal} > > for RFC 4556: > > - <SAN:pkinit>.*@MY\.PKINIT\.REALM > - userPrincipalName={subject_pkinit_principal} > > or if you do not know which encoding is used: > > - <SAN:Principal>.*@MY\.REALM > - userPrincipalName={subject_principal} > > which cover both encodings.
Thanks; that's exactly the information I was looking for. > I'm sorry, currently there are some copy-and-paste errors in the > examples of the sss-certmap man page. I'll try to fix them in one of > the next releases. Yes, I noticed that. If I have a chance, I'll submit a merge request to clean up the documentation. A related question: our AD guys are giving me no end of grief that the RHEL7 sssd can't perform the certificate-to-user mapping automatically. Keeping everyone's userCertificate attribute updated in AD is going to be a maintenance nightmare. So, I think I'm going to have to at least make an attempt to backport that feature to ssd-1.16.4 for RHEL7. How feasible do you think this is? E.g.: 1. You should be able to drop that feature into 1.16.4 without too much effort. 2. It will be non-trivial, but doable. 3. That feature depends on numerous other code paths that didn't exist in 1.16.4; it will be extremely difficult to backport that feature to 1.16.4. Alternatively, I could attempt to rebuild sssd-2.0.0-43.el8_0.3 for RHEL7. I tested that already, and the only thing I had to do to get it to build was to comment out a few test packages that exist on RHEL8 but not on RHEL7. But the problem with just building the RHEL8 sssd package for RHEL7 is that I will have to track updates to RHEL8. And a point release (e.g., RHEL 8.2) could bring a newer sssd that no longer builds on RHEL7. So patching the certificate mapping feature into sssd 1.16.4 would be more future-proof. (We have a support contract with Red Hat, but from past experience, there is basically no chance Red Hat will undertake this backport for a RHEL release that is already in maintenance support 1 phase.) Thanks in advance for any advice. _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org