I have a use case with a local domain (files) that requires a one-to-many relationship between a Linux user account and alternate smartcard token user names, i.e., I have multiple users with individual smartcards that need to be able to authenticate to a single Linux user account.
Based on the sssd documentation and my observation, the sssd.conf file only matches the last matchrule supplied. This appears to force a one-to-one relationship between a Linux user account and a smartcard token user name.
Is there a way to create a matchrule (or rules) that will allow the use of multiple smartcards with a single Linux user account? Thanks.
On 1/8/20 4:49 PM, Roy Presley wrote:
> I have a use case with a local domain (files) that requires a one-to-many relationship between a Linux user account and alternate smartcard token user names, i.e., I have multiple users with individual smartcards that need to be able to authenticate to a single Linux user account.
> Based on the sssd documentation and my observation, the sssd.conf file only matches the last matchrule supplied. This appears to force a one-to-one relationship between a Linux user account and a smartcard token user name.
> Is there a way to create a matchrule (or rules) that will allow the use of multiple smartcards with a single Linux user account? Thanks.
I wouldn't have thought that this was done at the matchrule level, but rather that the Linux user account would have all of the relevant smartcard certificates associated with it.
On Wed, Jan 08, 2020 at 11:49:53PM -0000, Roy Presley wrote:
> I have a use case with a local domain (files) that requires a one-to-many relationship between a Linux user account and alternate smartcard token user names, i.e., I have multiple users with individual smartcards that need to be able to authenticate to a single Linux user account.
> Based on the sssd documentation and my observation, the sssd.conf file only matches the last matchrule supplied. This appears to force a one-to-one relationship between a Linux user account and a smartcard token user name.
> Is there a way to create a matchrule (or rules) that will allow the use of multiple smartcards with a single Linux user account? Thanks.
Hi,
you can use the OR operator '||' in a matchrule, e.g.
matchrule = ||<SUBJECT>^CN=user1,DC=domain$<SUBJECT>^CN=user2,DC=domain$
Does this help?
bye, Sumit
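As an added illustration (not sssd's own code, and no substitute for testing the rule against sssd itself), the Python below models how a matchrule with the '||' prefix accepts more than one certificate subject, so several cards can satisfy the single rule attached to one local account. The card names and subject/issuer strings are constructed sample values; the parser covers only the <SUBJECT>/<ISSUER> components and the '&&', '||' and '!' operators as described in sss-certmap(5), and it models the matching step only, not how sssd then maps the certificate to the account.

```python
import re

# Constructed sample certificates for three smartcards (values are made up
# for this example; DN strings are in the "CN=...,DC=..." form used in the rule).
CERTS = {
    "card-user1": {"SUBJECT": "CN=user1,DC=domain", "ISSUER": "CN=Lab CA,DC=domain"},
    "card-user2": {"SUBJECT": "CN=user2,DC=domain", "ISSUER": "CN=Lab CA,DC=domain"},
    "card-user3": {"SUBJECT": "CN=user3,DC=domain", "ISSUER": "CN=Lab CA,DC=domain"},
}

# One component: optional '!' negation, a <TAG>, then the regex that runs up to
# the next component (or the end of the rule).
COMPONENT = re.compile(r"(!?)<(SUBJECT|ISSUER)>(.*?)(?=!?<(?:SUBJECT|ISSUER)>|$)")


def parse_matchrule(rule):
    """Split a matchrule into (operator, [(negated, tag, regex), ...]).

    A leading '&&' or '||' sets how the components combine; with no prefix
    the components are ANDed, which is why a plain rule listing two different
    subjects can never match a single card.
    """
    op = "&&"
    if rule.startswith(("&&", "||")):
        op, rule = rule[:2], rule[2:]
    comps = [(neg == "!", tag, rx) for neg, tag, rx in COMPONENT.findall(rule)]
    if not comps:
        raise ValueError("matchrule has no <SUBJECT>/<ISSUER> components")
    return op, comps


def matches(rule, cert):
    """True if the certificate (dict of SUBJECT/ISSUER strings) satisfies the rule."""
    op, comps = parse_matchrule(rule)
    results = []
    for negated, tag, rx in comps:
        hit = re.search(rx, cert[tag]) is not None
        results.append(hit != negated)  # '!' inverts the component result
    return all(results) if op == "&&" else any(results)


def cards_allowed(rule, certs=CERTS):
    """Names of the sample cards whose certificate satisfies the rule."""
    return sorted(name for name, cert in certs.items() if matches(rule, cert))


# The rule from the reply above: either subject is accepted for the one account.
SHARED_ACCOUNT_RULE = "||<SUBJECT>^CN=user1,DC=domain$<SUBJECT>^CN=user2,DC=domain$"
# Same two components without the '||' prefix: ANDed, so no single card can match.
ANDED_RULE = "<SUBJECT>^CN=user1,DC=domain$<SUBJECT>^CN=user2,DC=domain$"
```

Anchoring each subject regex with '^' and '$' keeps "CN=user1" from also matching a subject such as "CN=user10,DC=domain".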