On Mon, Oct 28, 2019 at 3:21 AM Sumit Bose <sb...@redhat.com> wrote:

> I'm sorry, currently there are some copy-and-paste errors in the
> examples of the sss-certmap man page. I'll try to fix them in one of
> the next releases.

A related question, which I don't see answered in sss-certmap(5): if
sssd is performing smartcard authentication via krb5 PKINIT, how does
the krb5 pkinit_cert_match option interact with sssd's matching rules?

krb5 pkinit.so requires that the pkinit_cert_match options produce one
(and only one) matching certificate from the certificates available on
the smartcard.  Does that mean that sssd only sees a single
certificate (the one selected by pkinit.so via pkinit_cert_match
options), so sss-certmap(5) matching rules are superfluous when using
PKINIT?

Or does sssd see all certificates on the smartcard, even when using
PKINIT, and thus sssd's sss-certmap(5) matching rules need to match
the same candidate certificate that krb5's pkinit_cert_match rules do?

If the latter is true, what happens if krb5's pkinit_cert_match
options select a different certificate than the certificate
sss-certmap(5) selects via its matching rules?

Also, what happens if a sss-certmap(5) matching rule matches more than
one certificate on the smartcard?  For PKINIT, this is a fatal error.
Is it the same for sssd?  Or if multiple certificates match, will sssd
apply the mapping rule against each certificate in turn, and prompt
the user which certificate/account combination they wish to login to?

Again, if I can clarify my own understanding of the documentation,
I'll attempt to give you a pull request with cleanups/clarifications…
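The two rule sets the question contrasts, side by side, as an added configuration example (not from this thread, not an answer to it, and not sssd's or krb5's own documentation): a krb5.conf pkinit_cert_match rule and an sssd.conf certmap rule written to the same criteria, so that both mechanisms are at least asked to select the same card certificate. The realm, domain and rule names, and the OU string, are assumptions.

```ini
# /etc/krb5.conf (added example; realm EXAMPLE.COM is assumed)
[realms]
    EXAMPLE.COM = {
        # pkinit.so tries each pkinit_cert_match rule in order and must end
        # up with exactly one certificate from the card; components inside a
        # single rule are ANDed unless the rule starts with ||.
        pkinit_cert_match = <EKU>msScLogin<KU>digitalSignature
        pkinit_cert_match = <SUBJECT>.*OU=Smartcard Users.*
    }

# /etc/sssd/sssd.conf (added example; domain "example.com" is assumed)
[pam]
pam_cert_auth = True

[domain/example.com]
id_provider = ldap
auth_provider = krb5
krb5_realm = EXAMPLE.COM
ldap_user_certificate = userCertificate;binary

# sss-certmap(5) rule using the same criteria as the first pkinit_cert_match
# rule above, so the two mechanisms do not disagree on the candidate
# certificate; the map rule looks the account up by the full certificate.
[certmap/example.com/smartcard]
matchrule = <EKU>msScLogin<KU>digitalSignature
maprule = (userCertificate;binary={cert!bin})
priority = 1
```

Aligning the criteria only removes one source of mismatch; whether sssd evaluates its matchrule against every certificate on the card or only against the one pkinit.so selected is exactly what the message above asks, and this configuration does not settle it. Keeping the two rules identical makes a mismatch easy to spot in the sssd and krb5 debug logs if it does occur.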
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org