#4955 [RFE] Allow managing certificates for AD users in IPA
Closed: Fixed None Opened 3 years ago by dpal.

This is related to #4238. However #4238 talks about IPA users.
This ticket is for AD users coming via trusts.

1. IPA is in trust relations with AD
2. AD users have certs issued to them by a third party
3. AD users authenticate against IPA managed resources with certs on smart cards
4. Those systems are integrated with IPA using SSSD and mod_lookup_identity
5. SSSD will try to find cert for the AD user in IPA and will fail because it is an AD user.

Solution: add attribute that will hold the cert into the views too (like we did with SSH keys) so that cert authentication can be supported for AD users too.

What will this certificate be used for? A server-side copy of the public key is not necessary for SSL authentication.

Having a copy of the public key can be used as a sort of poor-man's revocation by requiring that the certificate provided matches the certificate in LDAP (or whatever lookup mechanism) but it is merely a presence validator.

The main use case is for mapping of the identity in the cert to the user.

Main problem:

Cards issued to users have a user identifier that has nothing to do with the user in directory. If they have - great but this is usually not the case. So some data in the cert or the whole cert need to be used to search directory to identify the proper user.

There are several ways how it can be done:
1. Subject name in cert maps to user
2. Subject name and issuer in cert map to user - this is what MSFT uses
3. Cert is matched directly as a binary blob
4. Digest or hash or public key is matched
5. Kerberos principal is matched

The SSL authentication happens locally but the client should check if there is a mapping of the cert to a real user. If the user is not found the authentication should fail.

This would need to be supported (at least a subset of mapping options) for the case the user is an IPA user. For AD use case it is similar but has to be done via views.

This is also needed for SSH integration.
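The mapping step described above, as an added illustration that is not FreeIPA's or SSSD's code: a small resolver that takes the fields already parsed from a presented certificate, applies one of the five matching rules listed in the comment, and fails closed when no directory entry matches or when more than one does. The in-memory directory (two IPA users plus an ID-view override entry for an AD user), the certificate values, and the attribute names other than `usercertificate` are constructed sample data, not values from the project.

```python
"""Certificate-to-user mapping with fail-closed semantics (added example).

The directory, certificate fields and override entry below are constructed
sample data. A real deployment would derive subject/issuer from the stored
usercertificate blob; here those derived values are stored alongside it so
the example runs without an X.509 parser.
"""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str                      # RFC 4514 DN string parsed from the cert
    issuer: str                       # issuer DN string parsed from the cert
    der: bytes                        # the certificate itself, DER-encoded
    principal: Optional[str] = None   # Kerberos principal from the SAN, if any


# Constructed directory entries. The third entry stands in for an ID-view
# user override carrying a usercertificate attribute for a trusted AD user.
DIRECTORY: List[Dict] = [
    {"uid": "alice", "usercertificate": [b"DER-ALICE"],
     "subject": "CN=alice", "issuer": "CN=Corp CA",
     "krbprincipalname": "alice@IPA.EXAMPLE"},
    {"uid": "alice.contractor", "usercertificate": [b"DER-ALICE-VENDOR"],
     "subject": "CN=alice", "issuer": "CN=Vendor CA",
     "krbprincipalname": "alice.contractor@IPA.EXAMPLE"},
    {"uid": "bob@ad.example", "usercertificate": [b"DER-BOB"],
     "subject": "CN=bob", "issuer": "CN=AD CA",
     "krbprincipalname": "bob@AD.EXAMPLE", "override": True},
]

Matcher = Callable[[Cert, Dict], bool]


def _digests(entry: Dict) -> set:
    """SHA-256 digests of every certificate stored on a directory entry."""
    return {hashlib.sha256(b).hexdigest() for b in entry.get("usercertificate", [])}


# The five mapping options from the ticket, each as a predicate over an entry.
RULES: Dict[str, Matcher] = {
    "subject": lambda c, e: e.get("subject") == c.subject,
    "subject+issuer": lambda c, e: (e.get("subject") == c.subject
                                    and e.get("issuer") == c.issuer),
    "binary": lambda c, e: c.der in e.get("usercertificate", []),
    "digest": lambda c, e: hashlib.sha256(c.der).hexdigest() in _digests(e),
    "principal": lambda c, e: (c.principal is not None
                               and c.principal == e.get("krbprincipalname")),
}


class MappingError(Exception):
    """Raised when a certificate cannot be mapped to exactly one user."""


def resolve_user(cert: Cert, rule: str, directory: List[Dict] = DIRECTORY) -> str:
    """Return the uid the certificate maps to under `rule`, or raise.

    Zero matches and multiple matches are both treated as failure: a card
    that could belong to two accounts must not log in as either of them.
    """
    matcher = RULES[rule]
    hits = [e["uid"] for e in directory if matcher(cert, e)]
    if not hits:
        raise MappingError(f"no user matches certificate under rule {rule!r}")
    if len(hits) > 1:
        raise MappingError(f"ambiguous mapping under rule {rule!r}: {hits}")
    return hits[0]


def lookup(cert: Cert, rule: str, directory: List[Dict] = DIRECTORY) -> Optional[str]:
    """Convenience wrapper: uid on success, None on any mapping failure."""
    try:
        return resolve_user(cert, rule, directory)
    except MappingError:
        return None


if __name__ == "__main__":
    alice = Cert("CN=alice", "CN=Corp CA", b"DER-ALICE", "alice@IPA.EXAMPLE")
    bob = Cert("CN=bob", "CN=AD CA", b"DER-BOB", "bob@AD.EXAMPLE")
    for rule in RULES:
        print(f"{rule:15} alice -> {lookup(alice, rule)}   bob -> {lookup(bob, rule)}")
```

The subject-only rule fails for Alice because two entries share `CN=alice`, which is exactly why the subject+issuer variant the comment attributes to Microsoft is the safer default when several CAs issue cards; the binary and digest rules need the stored blob, which for AD users is what the override attribute provides.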


  • 6adf863 idviews: Add user certificate attribute to user ID overrides


  • aa734da extdom: add certificate request

We have to bump version to SSSD 1.14.0 when SSSD is ready, due to build dependency on library.

Please read for details: https://www.redhat.com/archives/freeipa-devel/2016-June/msg00737.html

Patch is on the list, we are just waiting for SSSD, reopening tickets to prevent release without this patch.


  • a635135 Bump SSSD version in requires

Metadata Update from @dpal:
- Issue assigned to tbabej
- Issue set to the milestone: FreeIPA 4.4

2 years ago
