Início
Produtos
Red Hat Enterprise Linux
10
Managing certificates in IdM
Chapter 12. Configuring certificate mapping for users whose AD user entry contains the whole certificate

Este conteúdo não está disponível no idioma selecionado.

Chapter 12. Configuring certificate mapping for users whose AD user entry contains the whole certificate

This user story describes the steps necessary for enabling certificate mapping in IdM if the IdM deployment is in trust with Active Directory (AD), the user is stored in AD and the user entry in AD contains the whole certificate.

12.1. Prerequisites
Copiar o link

The user does not have an account in IdM.
The user has an account in AD which contains a certificate.
The IdM administrator has access to data on which the IdM certificate mapping rule can be based.

Note

To ensure PKINIT works for a user, one of the following conditions must apply:

The certificate in the user entry includes the user principal name or the SID extension for the user.
The user entry in AD has a suitable entry in the altSecurityIdentities attribute.

12.2. Adding a certificate mapping rule in the IdM web UI for users whose AD entry contains the whole certificate
Copiar o link

Log into the IdM web UI as an administrator.
Navigate to Authentication Certificate Identity Mapping Rules Certificate Identity Mapping Rules.
Click Add.
Figure 12.1. Adding a new certificate mapping rule in the IdM web UI

View larger image
Enter the rule name.
Enter the mapping rule. To have the whole certificate that is presented to IdM for authentication compared to what is available in AD:
```
(userCertificate;binary={cert!bin})
```
```
(userCertificate;binary={cert!bin})
```
Copy to Clipboard Toggle word wrap
Note
If mapping using the full certificate, if you renew the certificate, you must ensure that you add the new certificate to the AD user object.
Enter the matching rule. For example, to only allow certificates issued by the AD-ROOT-CA of the AD.EXAMPLE.COM domain to authenticate:
```
<ISSUER>CN=AD-ROOT-CA,DC=ad,DC=example,DC=com
```
```
<ISSUER>CN=AD-ROOT-CA,DC=ad,DC=example,DC=com
```
Copy to Clipboard Toggle word wrap
Figure 12.2. Certificate mapping rule for a user with a certificate stored in AD

View larger image
Click Add.
The System Security Services Daemon (SSSD) periodically re-reads the certificate mapping rules. To force the newly-created rule to be loaded immediately, restart SSSD in the CLI::
```
systemctl restart sssd
```
```
# systemctl restart sssd
```
Copy to Clipboard Toggle word wrap

12.3. Adding a certificate mapping rule in the IdM CLI for users whose AD entry contains the whole certificate
Copiar o link

Obtain the administrator’s credentials:
```
kinit admin
```
```
# kinit admin
```
Copy to Clipboard Toggle word wrap

Enter the mapping rule and the matching rule the mapping rule is based on. To have the whole certificate that is presented for authentication compared to what is available in AD, only allowing certificates issued by the AD-ROOT-CA of the AD.EXAMPLE.COM domain to authenticate:

ipa certmaprule-add simpleADrule --matchrule '<ISSUER>CN=AD-ROOT-CA,DC=ad,DC=example,DC=com' --maprule '(userCertificate;binary={cert!bin})' --domain ad.example.com

# ipa certmaprule-add simpleADrule --matchrule '<ISSUER>CN=AD-ROOT-CA,DC=ad,DC=example,DC=com' --maprule '(userCertificate;binary={cert!bin})' --domain ad.example.com
-------------------------------------------------------
Added Certificate Identity Mapping Rule "simpleADrule"
-------------------------------------------------------
  Rule name: simpleADrule
  Mapping rule: (userCertificate;binary={cert!bin})
  Matching rule: <ISSUER>CN=AD-ROOT-CA,DC=ad,DC=example,DC=com
  Domain name: ad.example.com
  Enabled: TRUE

Copy to Clipboard

Toggle word wrap

Note

If mapping using the full certificate, if you renew the certificate, you must ensure that you add the new certificate to the AD user object.

The System Security Services Daemon (SSSD) periodically re-reads the certificate mapping rules. To force the newly-created rule to be loaded immediately, restart SSSD:
```
systemctl restart sssd
```
```
# systemctl restart sssd
```
Copy to Clipboard Toggle word wrap

Voltar ao topo

Este conteúdo não está disponível no idioma selecionado.

Chapter 12. Configuring certificate mapping for users whose AD user entry contains the whole certificate

12.1. Prerequisites
Copiar o link

12.2. Adding a certificate mapping rule in the IdM web UI for users whose AD entry contains the whole certificate
Copiar o link

12.3. Adding a certificate mapping rule in the IdM CLI for users whose AD entry contains the whole certificate
Copiar o link

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Tornando o open source mais inclusivo

Sobre a Red Hat

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links

Este conteúdo não está disponível no idioma selecionado.

Chapter 12. Configuring certificate mapping for users whose AD user entry contains the whole certificate

12.1. PrerequisitesCopiar o linkLink copiado para a área de transferência!

12.2. Adding a certificate mapping rule in the IdM web UI for users whose AD entry contains the whole certificateCopiar o linkLink copiado para a área de transferência!

12.3. Adding a certificate mapping rule in the IdM CLI for users whose AD entry contains the whole certificateCopiar o linkLink copiado para a área de transferência!

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Tornando o open source mais inclusivo

Sobre a Red Hat

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links

12.1. Prerequisites
Copiar o link

12.2. Adding a certificate mapping rule in the IdM web UI for users whose AD entry contains the whole certificate
Copiar o link

12.3. Adding a certificate mapping rule in the IdM CLI for users whose AD entry contains the whole certificate
Copiar o link