I'm having a hard time understanding how cert mapping is supposed to work offline. Currently I have the following certmap config (this is on RHEL8-beta):

[certmap/ad.example.com/smartcard]
maprule = (|(userPrincipal={subject_principal})(samAccountName={subject_principal.short_name}))

to map the CN on the card to 'samAccountName' in AD. This works as long as I'm online (access to AD), but when I go offline (disconnect network) the maprule is not working. I thought that the mapping would then use the sssd cache but apparently not - so how is smartcard login supposed to work offline?

Regards
Adam