The IPA webui should be able to log in with user-generated certs without having to run the scripts to enable smartcard logins. This should work by default.
```
[lookup_identity:error] [pid 854:tid 140063245596416] [client x.x.x.x:56358] lookup_user_by_certificate failed [dbus_connection_send_with_reply_and_block(org.freedesktop.sssd.infopipe.Users.FindByNameAndCertificate)]: [Permission denied]
```

The apache user is denied by sssd, so the authentication cannot continue.
If the login prompt offers to log in with a cert, then it should work. I would think the two options would be to just configure cert logins by default, or to hide that prompt unless the system is configured for it.
In sssd the apache user should be enabled by default if the "Login with Certificate" prompt is present in the webui. The ipa-advise scripts for smartcard login set this value, but they aren't run by default. In `/etc/sssd/sssd.conf`:

```
...
[ifp]
allowed_uids = ipaapi, root, apache
...
```

Additionally you must run:

```
ipa service-mod --ok-to-auth-as-delegate=True HTTP/$(hostname)
```

and then restart both services:

```
systemctl restart sssd httpd
```

And presto, it works with the built-in certs.
```
freeipa-server-4.7.2-1.1.fc29.x86_64
freeipa-client-4.7.2-1.1.fc29.x86_64
package ipa-server is not installed
package ipa-client is not installed
389-ds-base-1.4.0.21-1.fc29.x86_64
pki-ca-10.6.9-1.fc29.noarch
krb5-server-1.16.1-25.fc29.x86_64
```
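The sssd side of the workaround above, as an added example that is not part of this ticket, of FreeIPA or of sssd: a small Python helper that adds `ipaapi`, `root` and `apache` to `allowed_uids` in the `[ifp]` section of an sssd.conf text (creating the section if missing, never duplicating entries, and leaving the file unchanged on a second run), plus a check that recognises the apache error_log symptom from the report. The sample sssd.conf and the log line are constructed for the example; the `ipa service-mod` and `systemctl restart` steps from the ticket are assumed to be run separately and are not performed here.

```python
"""Added example (not FreeIPA or sssd code): apply the sssd.conf part of the
workaround from this ticket and detect the apache error_log symptom.

Assumptions: the responder section is [ifp] and the option is allowed_uids;
the remaining steps from the ticket (ipa service-mod and restarting sssd
and httpd) are done separately.
"""
import configparser
import io

# Constructed sample of a client-style sssd.conf with no [ifp] section.
SAMPLE_SSSD_CONF = """\
[domain/example.test]
id_provider = ipa
ipa_server = ipa.example.test

[sssd]
services = nss, sudo, pam, ssh
domains = example.test

[nss]
homedir_substring = /home
"""

# Constructed apache error_log line modelled on the one in the report.
SAMPLE_ERROR_LINE = (
    "[lookup_identity:error] [pid 854:tid 140063245596416] "
    "[client 192.0.2.10:56358] lookup_user_by_certificate failed "
    "[dbus_connection_send_with_reply_and_block"
    "(org.freedesktop.sssd.infopipe.Users.FindByNameAndCertificate)]: "
    "[Permission denied]"
)

# The uids the ipa-advise smart card script grants, per the ticket.
REQUIRED_UIDS = ("ipaapi", "root", "apache")


def _parse(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    return cp


def ifp_allowed_uids(text):
    """uids currently allowed to talk to the ifp responder ([] if unset)."""
    cp = _parse(text)
    if not cp.has_option("ifp", "allowed_uids"):
        return []
    return [u.strip() for u in cp.get("ifp", "allowed_uids").split(",") if u.strip()]


def ensure_ifp_allowed_uids(text, uids=REQUIRED_UIDS):
    """Return sssd.conf text whose [ifp] allowed_uids lists every uid in uids.

    Existing entries are kept, nothing is duplicated, and running it twice
    yields the same text, so it is safe to apply from config management.
    """
    cp = _parse(text)
    if not cp.has_section("ifp"):
        cp.add_section("ifp")
    current = ifp_allowed_uids(text)
    for uid in uids:
        if uid not in current:
            current.append(uid)
    cp.set("ifp", "allowed_uids", ", ".join(current))
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


def is_ifp_permission_denied(log_line):
    """True for an apache error_log line where sssd's InfoPipe refused the
    certificate lookup, i.e. the apache user is not in allowed_uids."""
    return (
        "lookup_user_by_certificate failed" in log_line
        and "org.freedesktop.sssd.infopipe" in log_line
        and log_line.rstrip().endswith("[Permission denied]")
    )


if __name__ == "__main__":
    print(ensure_ifp_allowed_uids(SAMPLE_SSSD_CONF))
    print("symptom present:", is_ifp_permission_denied(SAMPLE_ERROR_LINE))
```

Write the returned text back to `/etc/sssd/sssd.conf` keeping the file's existing ownership and mode, then run the `ipa service-mod` and `systemctl restart sssd httpd` steps from the comment above; the error_log check is useful as a quick way to confirm whether a failed certificate login on another server is this same misconfiguration.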
There are multiple ways in which smart card configuration can be customized. This is one of the reasons it is not enabled by default and you need to run a script generated by ipa-advise. Specifically, one needs to set up the CAs required for accepting smart card certificates, as those aren't always the ones issued by the IPA CA.

For this and other reasons it is enabled through a separate step. It is not going to be changed, and it is already documented that an advise script needs to be created. Thus, closing this ticket as won't fix.
Metadata Update from @abbra:
- Issue close_status updated to: worksforme
- Issue status updated to: Closed (was: Open)

Metadata Update from @abbra:
- Issue status updated to: Open (was: Closed)

Metadata Update from @abbra:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)
Documentation: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/sc-web-ui-auth