On Mon, Oct 28, 2019 at 3:21 AM Sumit Bose <sbose(a)redhat.com> wrote:
> unfortunately there are two different ways to encode Kerberos
> principals, one is the AD way with OID 1.3.6.1.4.1.311.20.2.3 the other
> is defined in RFC 4556 with 1.3.6.1.5.2.2.
>
> To be most flexible the mapping and matching rules provide for the
> AD encoding:
>
>   - <SAN:ntPrincipalName>.*@MY\.AD\.REALM
>   - userPrincipalName={subject_nt_principal}
>
> for RFC 4556:
>
>   - <SAN:pkinit>.*@MY\.PKINIT\.REALM
>   - userPrincipalName={subject_pkinit_principal}
>
> or if you do not know which encoding is used:
>
>   - <SAN:Principal>.*@MY\.REALM
>   - userPrincipalName={subject_principal}
>
> which cover both encodings.
Thanks; that's exactly the information I was looking for.
> I'm sorry, currently there are some copy-and-paste errors in the
> examples of the sss-certmap man page. I'll try to fix them in one of
> the next releases.
Yes, I noticed that. If I have a chance, I'll submit a merge request
to clean up the documentation.
A related question: our AD guys are giving me no end of grief that the
RHEL7 sssd can't perform the certificate-to-user mapping
automatically. Keeping everyone's userCertificate attribute updated
in AD is going to be a maintenance nightmare. So, I think I'm going
to have to at least make an attempt to backport that feature to
sssd-1.16.4 for RHEL7.
How feasible do you think this is? E.g.:
1. You should be able to drop that feature into 1.16.4 without too
much effort.
2. It will be non-trivial, but doable.
3. That feature depends on numerous other code paths that didn't
exist in 1.16.4; it will be extremely difficult to backport that
feature to 1.16.4.
Alternatively, I could attempt to rebuild sssd-2.0.0-43.el8_0.3 for
RHEL7. I tested that already, and the only thing I had to do to get
it to build was to comment out a few test packages that exist on RHEL8
but not on RHEL7.
But the problem with just building the RHEL8 sssd package for RHEL7 is
that I will have to track updates to RHEL8. And a point release
(e.g., RHEL 8.2) could bring a newer sssd that no longer builds on
RHEL7. So patching the certificate mapping feature into sssd 1.16.4
would be more future-proof.
(We have a support contract with Red Hat, but from past experience,
there is basically no chance Red Hat will undertake this backport for
a RHEL release that is already in maintenance support 1 phase.)
Thanks in advance for any advice.
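The two principal encodings Sumit describes above differ at the ASN.1 level: the AD form is an otherName with type-id 1.3.6.1.4.1.311.20.2.3 whose value is a plain UTF8String, while the RFC 4556 form is an otherName with type-id 1.3.6.1.5.2.2 whose value is a KRB5PrincipalName SEQUENCE (realm plus a PrincipalName with name-type and name-string). Before choosing between the <SAN:ntPrincipalName>, <SAN:pkinit> and <SAN:Principal> matching rules it is useful to look at what a given certificate actually carries. The following is an added, stand-alone example written for this thread (not code from sssd or from anyone in the discussion): it hand-builds a subjectAltName extension value in DER containing one entry of each encoding plus a dNSName, decodes the otherName entries with a minimal DER walker, and reports which sss-certmap matching/mapping rule pair targets each one. The sample SAN bytes and the names alice@MY.AD.REALM and alice@MY.PKINIT.REALM are constructed for the example; only the ASN.1 needed for these two otherName forms is implemented.

```python
"""Decode otherName entries in an X.509 subjectAltName and report which
Kerberos principal encoding (AD UPN vs RFC 4556 pkinit) each one uses.

Constructed example for this thread: the DER below is hand-built, not
taken from a real certificate, and only the ASN.1 needed for the two
otherName forms discussed is implemented.
"""

AD_UPN_OID = "1.3.6.1.4.1.311.20.2.3"   # szOID_NT_PRINCIPAL_NAME (AD userPrincipalName)
PKINIT_SAN_OID = "1.3.6.1.5.2.2"        # id-pkinit-san, RFC 4556 section 3.2.2

# --- minimal DER encode/decode helpers -----------------------------------

def _len(n):
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body

def oid(dotted):
    """Encode a dotted OID as an OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        enc = [a & 0x7F]
        a >>= 7
        while a:
            enc.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out.extend(enc)
    return tlv(0x06, bytes(out))

def parse(buf, pos=0):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                # long-form length
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n

def parse_seq(body):
    """Split the body of a SEQUENCE into a list of (tag, body) pairs."""
    items, pos = [], 0
    while pos < len(body):
        tag, val, pos = parse(body, pos)
        items.append((tag, val))
    return items

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

# --- builders for the two otherName forms --------------------------------

def ad_upn_san(upn):
    """otherName [0] IMPLICIT { type-id = AD UPN OID, value [0] EXPLICIT UTF8String }."""
    return tlv(0xA0, oid(AD_UPN_OID) + tlv(0xA0, tlv(0x0C, upn.encode())))

def pkinit_san(name, realm):
    """otherName carrying a KRB5PrincipalName (RFC 4556; EXPLICIT tags as in RFC 4120)."""
    def gs(s):                                   # KerberosString is a GeneralString
        return tlv(0x1B, s.encode())
    principal = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x01"))          # name-type: NT-PRINCIPAL
                          + tlv(0xA1, tlv(0x30, gs(name))))    # name-string: SEQUENCE OF
    krb5_principal = tlv(0x30, tlv(0xA0, gs(realm)) + tlv(0xA1, principal))
    return tlv(0xA0, oid(PKINIT_SAN_OID) + tlv(0xA0, krb5_principal))

# Constructed SAN extension value: one entry per encoding plus a dNSName to skip.
SAMPLE_SAN = tlv(0x30, ad_upn_san("alice@MY.AD.REALM")
                       + pkinit_san("alice", "MY.PKINIT.REALM")
                       + tlv(0x82, b"host.example.test"))        # dNSName [2] IMPLICIT

# --- decoding and rule selection -----------------------------------------

def principals_in_san(san_der):
    """Return [(encoding, 'name@REALM'), ...] for every otherName in the SAN.
    Entries that are not otherName (dNSName, rfc822Name, ...) are ignored."""
    results = []
    for tag, body in parse_seq(parse(san_der)[1]):
        if tag != 0xA0:
            continue
        (_, oid_body), (_, value) = parse_seq(body)[:2]
        type_id = decode_oid(oid_body)
        inner_tag, inner, _ = parse(value)       # unwrap the [0] EXPLICIT value
        if type_id == AD_UPN_OID and inner_tag == 0x0C:
            results.append(("ntPrincipalName", inner.decode()))
        elif type_id == PKINIT_SAN_OID and inner_tag == 0x30:
            (_, realm_wrap), (_, pn_wrap) = parse_seq(inner)
            realm = parse(realm_wrap)[1].decode()
            name_type, name_string = parse_seq(parse(pn_wrap)[1])
            components = [v.decode() for _, v in parse_seq(parse(name_string[1])[1])]
            results.append(("pkinit", "/".join(components) + "@" + realm))
    return results

def certmap_rules(san_der):
    """Pair each principal with the sss-certmap matching and mapping template
    for its encoding; <SAN:Principal>/{subject_principal} would cover both."""
    table = {"ntPrincipalName": ("<SAN:ntPrincipalName>", "{subject_nt_principal}"),
             "pkinit": ("<SAN:pkinit>", "{subject_pkinit_principal}")}
    return [(princ,) + table[enc] for enc, princ in principals_in_san(san_der)]

if __name__ == "__main__":
    for princ, match, mapping in certmap_rules(SAMPLE_SAN):
        print(f"{princ:24} matching: {match}.*@...   mapping: userPrincipalName={mapping}")
```

To use it against a real certificate, feed the raw value of the subjectAltName extension (the OCTET STRING contents, not the whole extension) to certmap_rules(); the builders are only there to make the example run offline. Multi-component pkinit principals are joined with "/" in the usual Kerberos string form.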