freeipa

FreeIPA is an integrated Identity and Authentication solution for Linux/UNIX networked environments.  |  http://www.freeipa.org/

#4238 [RFE] Provide ability to map CAC identity certificates to users in IdM

Created 4 years ago by mkosek
Modified a year ago

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 1072383

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

Provide the ability to map identity certificates from smart-cards to user entries in FreeIPA to improve the centralized authentication functionality of the product.

The idea is to utilize IdM as the centralized authentication repository for users through card + pin instead of username + password.

How would it work:

  • Configure a desktop to authenticate using smart cards with pam_pkcs11 or sssd Smart Card support (upstream ticket)
  • Point authentication to FreeIPA
  • Use cert+pin to identify the user and have the user get all the appropriate resources assigned to them via IdM such as sudoers, automount, etc.

Moving to FreeIPA 4.1 where we will re-evaluate this RFE.

Related ticket #4955.

master:

  • 7f7c247 Support multiple host and service certificates

master:

  • b6924c0 Fix: regression in host and service plugin
  • 62e9867 Fix certificate management with service-mod

master:

  • 93dab56 baseldap: add support for API commands managing only a single attribute
  • 53b11b6 reworked certificate normalization and revocation
  • 76eea85 new commands to manage user/host/service certificates

Web UI was mostly implemented in tickets #5046 and #5045. Web UI support for {user|service|host}_{add|remove}_cert commands, implemented in 76eea85, is still missing (#5108).

Nathan Kinder just started a very promising blog series about Smart Cards and this feature:
https://blog-nkinder.rhcloud.com/?p=179

a year ago

Metadata Update from @mkosek:
- Issue assigned to mbabinsk
- Issue set to the milestone: FreeIPA 4.2


enhancement

Certificate management


https://bugzilla.redhat.com/show_bug.cgi?id=1072383

http://www.freeipa.org/page/V4/User_Certificates
