On Wed, Feb 13, 2019 at 08:17:39AM +0100, Winberg, Adam wrote:
I'm having a hard time understanding how cert mapping is supposed to work
offline. Currently I have the following certmap config (this is on
RHEL8-beta):

[certmap/ad.example.com/smartcard]
maprule = (|(userPrincipal={subject_principal})(samAccountName={subject_principal.short_name}))

to map the CN on the card to 'samAccountName' in AD. This works as long as
I'm online (access to AD), but when I go offline (disconnect network) the
maprule is not working. I thought that the mapping would then use the sssd
cache but apparently not - so how is smartcard login supposed to work
offline?
The cached data should be used in the offline case. Do your certificates
contain the OCSP extension? If this is present SSSD will use it by
default to validate the certificate which will fail if the system is
offline. To disable OCSP you can set
certificate_verification = no_ocsp
in the [sssd] section of sssd.conf, see man sssd.conf for details.
If that's not the case feel free to send me the SSSD logs ideally with
debug_level=9. The most important ones for the offline case would be
sssd_pam.log and p11_child.log.
bye,
Sumit
Regards
Adam
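The first thing Sumit asks is whether the card's certificate carries the OCSP extension. The script below is an added example, not part of the original thread or of SSSD itself: it checks a PEM certificate for an OCSP responder URI in the Authority Information Access extension (the thing that makes SSSD attempt OCSP), and prints the sssd.conf change from the reply if one is found. It assumes the openssl command line tool (1.1.1 or newer, for -addext) is installed; the two certificates it generates are constructed throwaway self-signed certs so the check can run without a smart card.

```shell
#!/bin/sh
# Added example (not SSSD project code): does a certificate point at an OCSP
# responder, and therefore need certificate_verification = no_ocsp for offline use?
# Assumes the openssl CLI is available.

# has_ocsp_aia <cert.pem>: exit 0 if the certificate lists an OCSP responder
# in its Authority Information Access extension.
has_ocsp_aia() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'OCSP - URI:'
}

# make_cert <out.pem> [<x509v3 extension>]: constructed self-signed test
# certificate with a throwaway key, only so the check can be exercised offline.
make_cert() {
    _key=$(mktemp)
    if [ -n "$2" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -keyout "$_key" -out "$1" \
            -days 1 -subj '/CN=smartcard-user' -addext "$2" >/dev/null 2>&1
    else
        openssl req -x509 -newkey rsa:2048 -nodes -keyout "$_key" -out "$1" \
            -days 1 -subj '/CN=smartcard-user' >/dev/null 2>&1
    fi
    _rc=$?
    rm -f "$_key"
    return $_rc
}

# offline_advice <cert.pem>: exit 0 if offline smart card login can work with
# this certificate as configured, exit 1 (and print the fix) if OCSP would block it.
offline_advice() {
    if has_ocsp_aia "$1"; then
        cat <<'EOF'
OCSP responder found in the certificate: SSSD validates it via OCSP by default,
which fails while the host is offline. To skip OCSP, add to sssd.conf:
    [sssd]
    certificate_verification = no_ocsp
EOF
        return 1
    fi
    echo "No OCSP responder in the certificate: validation does not need the network."
    return 0
}

# Demo on two constructed certificates, one with an OCSP AIA entry and one without.
_dir=$(mktemp -d)
make_cert "$_dir/with_ocsp.pem" 'authorityInfoAccess=OCSP;URI:http://ocsp.ad.example.com'
make_cert "$_dir/without_ocsp.pem"
for _c in "$_dir/with_ocsp.pem" "$_dir/without_ocsp.pem"; do
    echo "== $_c"
    offline_advice "$_c" || true
done
rm -rf "$_dir"
```

To run it against a real card, export the certificate first (for example with pkcs11-tool or p11tool) and pass the PEM file to offline_advice. Note the trade-off behind no_ocsp: it turns revocation checking off entirely, so a revoked card still logs in. If your SSSD release documents them in man sssd.conf, a local CRL via crl_file= or the soft_ocsp option (skip OCSP only when the responder is unreachable) keeps revocation checking while online.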
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...