objectclasses: ( 2.16.840.1.113730.3.8.24.9 NAME 'ipaPasskeyUser' DESC 'IPA passkey user' AUXILIARY MAY ipapasskey X-ORIGIN 'IPA v4.10')
```
### Indices
No new index is needed for ipapasskey, because the search performed by SSSD
will use a filter based on the user uid.
## Feature Management
### UI
- A new tab will be added below "Policy", at the same level as `Host-Based Access Control`, `Sudo`, `SELinux User Maps`, `Password Policies` and `Kerberos Ticket Policy`, with the label `Passkey Configuration`.
It will allow configuring the attribute `Require User Verification` with a radio button: `on`, `off` or `default`.
- In the `User` facet, a new field will be added below `SSH public keys`, with the label `Passkey mappings`; it will display the existing values and allow adding a new value.
Note: since the web browser may be running on a non-enrolled host without
the required packages, the WebUI will probably need specific JavaScript code
to register a key by inserting it on the machine where the browser is
running.
Possible solutions remain to be investigated. Key registration
through the WebUI will not be part of the original implementation.
### CLI
| Command | Options | Description |
| --- | ----- | --- |
| **Passkey configuration** | | |
| passkeyconfig-show | | This command displays the Passkey settings |
| user-add-passkey | LOGIN [PASSKEY...] | This command does not require the device to be inserted and can directly add the mapping data obtained by other means (for instance through `sssctl passkey-exec --register`) |
| user-add-passkey | LOGIN --register [--cose-type=['es256', 'rs256', 'eddsa']] [--require-user-verification=BOOL] | This command requires the insertion of the device, performs the registration with the specified cose type + user verification requirement, and adds the mapping data to the user entry |
| user-remove-passkey | LOGIN PASSKEY... | |
| user-show | LOGIN | This command displays the passkey mapping if set, with the label `Passkey mapping` |
| stageuser-add-passkey | LOGIN [PASSKEY...] | This command does not require the device to be inserted and can directly add the mapping data obtained by other means (for instance through `sssctl passkey-exec --register`) |
| stageuser-add-passkey | LOGIN --register [--cose-type=['es256', 'rs256', 'eddsa']] [--require-user-verification=BOOL] | This command requires the insertion of the passkey, performs the registration with the specified cose type + user verification requirement, and adds the mapping data to the user entry |
| stageuser-remove-passkey | LOGIN PASSKEY... | |
| stageuser-show | LOGIN | This command displays the passkey mapping if set, with the label `Passkey mapping` |
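The `*-add-passkey` and `*-remove-passkey` commands in the table above boil down to LDAP modify operations on the user entry: add the auxiliary objectclass `ipaPasskeyUser` on first use, then add or delete values of the multi-valued `ipapasskey` attribute. The following is an added example, not FreeIPA project code, that builds those modifications and renders them as LDIF. It assumes the schema quoted earlier on this page and assumes the SSSD mapping-string layout `passkey:<key-handle>,<public-key>`; the user entry, DN and mapping values are constructed stand-ins, and the directory is modelled as a plain dict so the code runs offline.

```python
"""Build the LDAP modifications behind user-add-passkey / user-remove-passkey.

Added example, not FreeIPA project code. Assumptions:
  * the schema on this page: auxiliary objectclass ipaPasskeyUser with the
    optional multi-valued attribute ipapasskey;
  * mapping strings follow the SSSD layout "passkey:<key-handle>,<public-key>"
    (assumed external format; the values used below are constructed).
The entry is a plain dict so the code runs offline; a real implementation
would send the same changes through ldapmodify or the IPA API.
"""
import re

PASSKEY_OC = "ipaPasskeyUser"
PASSKEY_ATTR = "ipapasskey"
# Loose syntactic check for a mapping string: base64url key handle,
# comma, base64 public key. Assumed format, not taken from the page.
MAPPING_RE = re.compile(r"^passkey:[A-Za-z0-9_\-=]+,[A-Za-z0-9+/=]+$")


def add_passkeys(entry, mappings):
    """Return (op, attr, values) changes that add the given mappings.

    Mirrors user-add-passkey LOGIN [PASSKEY...]: the auxiliary objectclass is
    added on first use; malformed or duplicate mappings are rejected so a
    bad value never reaches the directory.
    """
    changes = []
    present = {oc.lower() for oc in entry.get("objectClass", [])}
    if PASSKEY_OC.lower() not in present:
        changes.append(("add", "objectClass", [PASSKEY_OC]))
    existing = set(entry.get(PASSKEY_ATTR, []))
    new = []
    for mapping in mappings:
        if not MAPPING_RE.match(mapping):
            raise ValueError(f"malformed passkey mapping: {mapping!r}")
        if mapping in existing or mapping in new:
            raise ValueError(f"passkey mapping already present: {mapping!r}")
        new.append(mapping)
    if new:
        changes.append(("add", PASSKEY_ATTR, new))
    return changes


def remove_passkeys(entry, mappings):
    """Changes for user-remove-passkey LOGIN PASSKEY...; unknown values are an error."""
    existing = set(entry.get(PASSKEY_ATTR, []))
    missing = [m for m in mappings if m not in existing]
    if missing:
        raise ValueError(f"passkey mapping(s) not set on entry: {missing}")
    return [("delete", PASSKEY_ATTR, list(mappings))]


def apply_changes(entry, changes):
    """Apply modify operations to the dict entry (stand-in for the directory)."""
    for op, attr, values in changes:
        current = entry.setdefault(attr, [])
        if op == "add":
            current.extend(v for v in values if v not in current)
        elif op == "delete":
            entry[attr] = [v for v in current if v not in values]
    return entry


def to_ldif(dn, changes):
    """Render the changes as an LDIF 'changetype: modify' record."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for op, attr, values in changes:
        lines.append(f"{op}: {attr}")
        lines.extend(f"{attr}: {v}" for v in values)
        lines.append("-")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample entry, DN and mapping; not real credential data.
    dn = "uid=alice,cn=users,cn=accounts,dc=example,dc=test"
    user = {"uid": ["alice"], "objectClass": ["top", "person", "posixAccount"]}
    mapping = "passkey:ZXhhbXBsZS1rZXktaGFuZGxl,ZXhhbXBsZS1wdWJsaWMta2V5"
    additions = add_passkeys(user, [mapping])
    print(to_ldif(dn, additions))
    apply_changes(user, additions)
    print(to_ldif(dn, remove_passkeys(user, [mapping])))
```

The objectclass is left in place after the last mapping is removed, which matches how FreeIPA treats other auxiliary objectclasses and keeps the delete a single-attribute change.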
### Configuration
The global settings can be read or modified using `ipa passkeyconfig-[show|mod]`.
## Upgrade
During upgrade, the new LDAP schema is automatically added and replicated to the replicas.
The upgrade must create the Passkey configuration entry if it does not already exist, with value='default' for the 'require user verification' setting (meaning it will use the default value from each key).
## Test plan
XMLRPC tests must validate the new CLI.
## Troubleshooting and debugging
SSSD provides two new commands that can be used for debugging:
* `/usr/sbin/sssctl passkey-exec --register`: documented and supported. This command can be run as root only.
* `/usr/libexec/sssd/passkey_child --register`: called internally by `sssctl passkey-exec --register`. This command does not require root access.