#4029 Documentation on the LDAP Public Key Class and SSH Public Key Attribute
Closed: wontfix a year ago by pbrezina. Opened 2 years ago by jbister.

As a requirement for approving our implementation of SSSD with Smart Cards to Active Directory, we need to provide whitepaper to our Windows Identity Team about the public key class and attribute.

If there's any kind of documentation as to the technical specification of the class and attribute. Even if it doesn't exist could we get something drawn up?

Thanks


Hi,

can you give some more details what is needed here? 'public key class and attribute' sounds a bit like LDAP objectclasses and LDAP attributes, is this what they are asking for?

Do I understand correctly that you would like the access a Linux client running SSSD from a Windows client with SSH, e.g. putty, not using a password, GSSAPI or ssh-keys but a Smartcard must be inserted and your are prompted for a PIN?

Are you planning to use Smartcard authentication to the Linux desktop directly as well?

bye,
Sumit

Hi Sumit,

Yes all of that is correct. We are able to successfully achieve the above
task, but the Windows team wants documentation as to why they need to
extend their schema. I'll review the LDAP documentation and see if that
meets the requirements.

Thank you,
Josh

On Fri, Jun 21, 2019 at 1:12 AM Sumit Bose pagure@pagure.io wrote:

sbose added a new comment to an issue you are following:
``
Hi,

can you give some more details what is needed here? 'public key class and
attribute' sounds a bit like LDAP objectclasses and LDAP attributes, is
this what they are asking for?

Do I understand correctly that you would like the access a Linux client
running SSSD from a Windows client with SSH, e.g. putty, not using a
password, GSSAPI or ssh-keys but a Smartcard must be inserted and your are
prompted for a PIN?

Are you planning to use Smartcard authentication to the Linux desktop
directly as well?

bye,
Sumit

``

To reply, visit the link below or just reply to this email
https://pagure.io/SSSD/sssd/issue/4029

--

Joshua Bister

Consultant, NAPS

Red Hat https://www.redhat.com

San Diego, CA

jbister@redhat.com M: 619.894.6087
https://red.ht/sig

Hi,

what kind of schema extensions are you thinking of?

In general it is not needed to extend the schema. There is currently no dedicated attribute in the AD LDAP schema to store the ssh public key, but I've heard that people e.g. used altSecurityIdentities successfully to store the key.

You even do not have to store the ssh public key directly because SSSD can extract the public key from the certificate and present it to sshd in the expected format. Here you have to store the certificate in the userCertificate attribute, as the AD CS would do it if you create a certificate for a user.

HTH

bye,
Sumit

Metadata Update from @pbrezina:
- Issue tagged with: Canditate to close

a year ago

Thank you for taking time to submit this request for SSSD. Unfortunately this issue was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfill this request I am closing the issue as wontfix.

If the issue still persist on recent SSSD you can request re-consideration of this decision by reopening this issue. Please provide additional technical details about its importance to you.

Thank you for understanding.

Metadata Update from @pbrezina:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

a year ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4999

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.

Metadata