Red Hat Summit Red Hat SummitSupportoConsoleSviluppatoriInizia una provaContatti

Questo contenuto non è disponibile nella lingua selezionata.

Chapter 12. Configuring certificate mapping for users whose AD user entry contains the whole certificate

This user story describes the steps necessary for enabling certificate mapping in IdM if the IdM deployment is in trust with Active Directory (AD), the user is stored in AD and the user entry in AD contains the whole certificate.

12.1. Prerequisites
Copia collegamento

  • The user does not have an account in IdM.
  • The user has an account in AD which contains a certificate.
  • The IdM administrator has access to data on which the IdM certificate mapping rule can be based.
Note

To ensure PKINIT works for a user, one of the following conditions must apply:

  • The certificate in the user entry includes the user principal name or the SID extension for the user.
  • The user entry in AD has a suitable entry in the altSecurityIdentities attribute.
  1. Log into the IdM web UI as an administrator.
  2. Navigate to Authentication Certificate Identity Mapping Rules Certificate Identity Mapping Rules.

  3. Click Add.

    Figure 12.1. Adding a new certificate mapping rule in the IdM web UI

    Screenshot of the IdM Web UI displaying the
    View larger image
    Screenshot of the IdM Web UI displaying the
  4. Enter the rule name.

  5. Enter the mapping rule. To have the whole certificate that is presented to IdM for authentication compared to what is available in AD: 

    (userCertificate;binary={cert!bin})
    Copy to Clipboard Toggle word wrap
    Note

    If mapping using the full certificate, if you renew the certificate, you must ensure that you add the new certificate to the AD user object.

  6. Enter the matching rule. For example, to only allow certificates issued by the AD-ROOT-CA of the AD.EXAMPLE.COM domain to authenticate: 

    <ISSUER>CN=AD-ROOT-CA,DC=ad,DC=example,DC=com
    Copy to Clipboard Toggle word wrap

    Figure 12.2. Certificate mapping rule for a user with a certificate stored in AD

    Screenshot of the
    View larger image
    Screenshot of the
  7. Click Add.

  8. The System Security Services Daemon (SSSD) periodically re-reads the certificate mapping rules. To force the newly-created rule to be loaded immediately, restart SSSD in the CLI:: 

    # systemctl restart sssd
    Copy to Clipboard Toggle word wrap

  1. Obtain the administrator’s credentials: 

    # kinit admin
    Copy to Clipboard Toggle word wrap

  2. Enter the mapping rule and the matching rule the mapping rule is based on. To have the whole certificate that is presented for authentication compared to what is available in AD, only allowing certificates issued by the AD-ROOT-CA of the AD.EXAMPLE.COM domain to authenticate: 

    # ipa certmaprule-add simpleADrule --matchrule '<ISSUER>CN=AD-ROOT-CA,DC=ad,DC=example,DC=com' --maprule '(userCertificate;binary={cert!bin})' --domain ad.example.com
-------------------------------------------------------
Added Certificate Identity Mapping Rule "simpleADrule"
-------------------------------------------------------
  Rule name: simpleADrule
  Mapping rule: (userCertificate;binary={cert!bin})
  Matching rule: <ISSUER>CN=AD-ROOT-CA,DC=ad,DC=example,DC=com
  Domain name: ad.example.com
  Enabled: TRUE
    Copy to Clipboard Toggle word wrap
    Note

    If mapping using the full certificate, if you renew the certificate, you must ensure that you add the new certificate to the AD user object.

  3. The System Security Services Daemon (SSSD) periodically re-reads the certificate mapping rules. To force the newly-created rule to be loaded immediately, restart SSSD: 

    # systemctl restart sssd
    Copy to Clipboard Toggle word wrap
Torna in cima
Red Hat logoGithubredditYoutubeTwitter

Formazione

Prova, acquista e vendi

Community

Informazioni sulla documentazione di Red Hat

Aiutiamo gli utenti Red Hat a innovarsi e raggiungere i propri obiettivi con i nostri prodotti e servizi grazie a contenuti di cui possono fidarsi. Esplora i nostri ultimi aggiornamenti.

Rendiamo l’open source più inclusivo

Red Hat si impegna a sostituire il linguaggio problematico nel codice, nella documentazione e nelle proprietà web. Per maggiori dettagli, visita il Blog di Red Hat.

Informazioni su Red Hat

Forniamo soluzioni consolidate che rendono più semplice per le aziende lavorare su piattaforme e ambienti diversi, dal datacenter centrale all'edge della rete.

Theme

© 2025 Red Hat