[Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

Alexander Bokovoy abokovoy at redhat.com
Wed Sep 14 17:00:27 UTC 2016


On Wed, 14 Sep 2016, Martin Basti wrote:
>
>
>On 14.09.2016 17:53, Alexander Bokovoy wrote:
>>On Wed, 14 Sep 2016, Martin Basti wrote:
>>>
>>>
>>>On 14.09.2016 17:41, Alexander Bokovoy wrote:
>>>>On Wed, 14 Sep 2016, Martin Basti wrote:
>>>>>1)
>>>>>I still don't see the reason why AD trust is needed. Default 
>>>>>trust ID view is added just by ipa-adtrust-install, adding 
>>>>>trust is not needed for current implementation. You don't need 
>>>>>AD for this, IDviews is a generic feature, not just for AD. Is 
>>>>>that user configured on AD side?
>>>>You cannot add a non-AD user to 'default trust view', so you will not be
>>>>able to set up certificates to an ID override which does not exist.
>>>>
>>>>For non-'default trust view' you can add both IPA and AD users, so using
>>>>some other view and then assign certificate for an ID override in that
>>>>one.
>>>>
>>>
>>>Ok then, but anyway I would like to see API/CLI tests for this 
>>>feature with proper output validation.
>>>
>>>
>>>How can this be tested with SSSD?
>>You need to log into the system with a certificate...
>Is this possible from a test? We are logged in remotely as root, is there 
>any cmdline util which allows us to test a certificate against an AD user?
https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardAuthenticationTestingWithAD

The only thing that differentiates an AD user from IPA is the fact that
you'd need to trust a certificate authority that issued the certificate
for this user.
-- 
/ Alexander Bokovoy



