IPA certauth plugin #575
This patch depends on SSSD/sssd#192 (SSSD's certmap library) and krb5/krb5#610 (MIT Kerberos certauth plugin support)
I updated the code to reflect the latest changes in the interface from krb5/krb5#610.
The code LGTM. Once updated SSSD is added to freeipa-master copr, let's see what CI says. Authentication indicators' handling would need to be added in a separate PR once certmap rules would provide the indicator value.
Additionally make ipadb_find_principal public. Related to https://pagure.io/freeipa/issue/4905
This patch adds a certauth plugin which allows the IPA server to support PKINIT for certificates which do not include a special SAN extension which contains a Kerberos principal but allow other mappings with the help of SSSD's certmap library. Related to https://pagure.io/freeipa/issue/4905
486a473 to 4518c60
I've tested the patches and it worked as expected. Once CI successfully finishes I'll ACK it.