[Freeipa-devel] #4905: [RFE] Allow Kerberos authentication for users with certificates on smart cards (pkinit)
Martin Kosek
mkosek at redhat.com
Fri May 29 08:38:41 UTC 2015
Hello all,
I would like to discuss the scope needed for ticket 4905 [1]. This is mostly
a question for Sumit as he is working on the SSSD SC support. The main minimal
target is to allow SSSD to get a ticket for a user once he authenticates with his
SC with certificates tracked in FreeIPA as agreed in [2].
Sumit, Simo or others, what changes are required in order to do this? In [1], I
so far identified:
* Support of Smart Cards in SSSD (upstream ticket)
* API/CLI for configuring the trusted CA certificate in KDC (related - #616)
as the base. What else is needed? Any krb5.conf changes on the server/clients?
Or even generating the certs/keys as mentioned in [3]?
In the current code base, we still have the disabled pkinit plugin [4], but I
assume this is not what we want.
Thanks for help and advice. Based on what is found out in this thread, we will
see what's realistic for FreeIPA 4.2 or FreeIPA 4.2.x.
[1] https://fedorahosted.org/freeipa/ticket/4905
[2] http://www.freeipa.org/page/V4/User_Certificates
[3] https://fedorahosted.org/freeipa/ticket/55#comment:3
[4] https://git.fedorahosted.org/cgit/freeipa.git/tree/ipalib/plugins/pkinit.py
--
Martin Kosek <mkosek at redhat.com>
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.