[389-users] Certificate based authentication

Hi

I am looking at doing certificate based authentication using 389. The company where I am working currently issues a certificate for every new starter and these certs are well managed with regard to sensible expiry dates etc. This cert is your key to the whole environment and a lot of the applications like jira/confluence authenticate you based on your certificate.

I have read through the documentation:
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_SSL.html

and it seems to suggest that it is necessary to convert the user certificate and upload it into 389 db. This seems a bit of a duplication. Is there any way to "talk" to the certificate provider to ascertain the validity or not of a certificate and obtain any other required information, rather than having a copy of the certificate in the database? The documentation also does not say whether this is the public or private part of the certificate that needs to be uploaded. I am assuming it is the public part.

The second part of the question is how this would work with regard to ssh authentication. Somehow via pam and ssh the certificate must be passed on to 389 when the authentication happens. I am not sure this is currently possible with pam but would be interested in any suggestions to achieve something like this.

Regards

--
Gerhardus Geldenhuis
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
