On Mon, Oct 28, 2019 at 3:21 AM Sumit Bose <sbose(a)redhat.com> wrote:
> I'm sorry, currently there are some copy-and-paste errors in the
> examples of the sss-certmap man page. I'll try to fix them in one of
> the next releases.

A related question, which I don't see answered in sss-certmap(5): if
sssd is performing smartcard authentication via krb5 PKINIT, how does
the krb5 pkinit_cert_match option interact with sssd's matching rules?
krb5 pkinit.so requires that the pkinit_cert_match options produce one
(and only one) matching certificate from the certificates available on
the smartcard. Does that mean that sssd only sees a single
certificate (the one selected by pkinit.so via pkinit_cert_match
options), so sss-certmap(5) matching rules are superfluous when using
PKINIT?

Or does sssd see all certificates on the smartcard, even when using
PKINIT, and thus sssd's sss-certmap(5) matching rules need to match
the same candidate certificate that krb5's pkinit_cert_match rules do?

If the latter is true, what happens if krb5's pkinit_cert_match
options select a different certificate than the certificate
sss-certmap(5) selects via its matching rules?

Also, what happens if a sss-certmap(5) matching rule matches more than
one certificate on the smartcard? For PKINIT, this is a fatal error.
Is it the same for sssd? Or if multiple certificates match, will sssd
apply the mapping rule against each certificate in turn, and prompt
the user which certificate/account combination they wish to log in to?

Again, if I can clarify my own understanding of the documentation,
I'll attempt to give you a pull request with cleanups/clarifications…
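As an added example (not part of this thread, and not an answer to the questions it raises, which the thread leaves open): one way to avoid the ambiguity the question describes is to constrain both rule sets by the same certificate attributes, so that pkinit_cert_match and the sss-certmap matchrule cannot single out different certificates on the card. The realm name, domain name, rule name and subject pattern below are constructed placeholders, and the choice of EKU and subject as the common constraint is an assumption.

```ini
# Added example, not from the mailing-list thread above.
# Assumption: both krb5 and sssd are pointed at the same distinguishing
# attributes (EKU plus a subject CN pattern), so that whichever layer does the
# selection, only one certificate on the card can satisfy it.
# EXAMPLE.COM, example.com and the CN pattern are constructed values.

# /etc/krb5.conf (client side).
# pkinit_cert_match must leave exactly one candidate on the smartcard;
# "&&" means all components must match (it is also the default).
[realms]
    EXAMPLE.COM = {
        pkinit_cert_match = &&<EKU>msScLogin<SUBJECT>CN=smartcard-login-.*
    }

# /etc/sssd/sssd.conf
# The matchrule carries the same EKU and subject constraints; sss-certmap
# components are ANDed when concatenated. The maprule looks the account up by
# the full certificate so similar subjects on two cards cannot map to one user.
[certmap/example.com/smartcard-login]
matchrule = <EKU>msScLogin<SUBJECT>CN=smartcard-login-.*
maprule = LDAP:(userCertificate;binary={cert!bin})
priority = 10
```

When checking such a setup, verify with the card inserted that PKINIT selects a certificate at all (a zero or multiple match is a PKINIT failure, as noted above) and, separately, that sssd's rule resolves that same certificate to exactly one account; keeping the two constraint sets identical makes a divergence between the layers easy to spot when one of them is later edited.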