On Wed, Feb 26, 2020, at 4:38 AM, Hristina Marosevic wrote: > Hello, > > I am using SSSD with LDAP directory which provides public keys for each > user entry to SSSD. > I am not sure if it is possible to configure SSSD not just to accept > the private key (provided by the user during the login) and > authenticate the user from LDAP (where his public ke is stored), but > also to check the: > - trust (validation of the CA used for signing the user's certificate > i.e. public key) > - validity of a user certificate with its public key (its "from" - "to" > dates) > - revocation status (configuration of SSSD with CRL lists or OCSP)
SSSD manages all of these. What it does not manage for SSH is whether the certificate from LDAP actually matches the user, which allows users to grant SSH access "as himself" to anyone else in the organization. (If, as in the case of AD, users can modify their own userCertificate attribute. > or should I manage this on the LDAP side or on application level or > somewhere else? > I would be grateful if you share your ideas about the possible > solutions of this situation! > > V/r, James Cassell _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org