mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-25 08:21:05 -06:00
e8a7e2e38a
We automatically add 'otp' and 'radius' authentication indicators when pre-authentication with OTP or RADIUS did succeed. Do the same for certauth-based pre-authentication (PKINIT). A default PKINIT configuration does not add any authentication indicators unless 'pkinit_indicator = pkinit' is set in kdc.conf. Unfortunately, modifying kdc.conf automatically is a bit more complicated than modifying krb5.conf. Given that we have 'otp' and 'radius' authentication indicators also defined in the code not in the kdc.conf, this change is following an established trend. SSSD certauth interface does not provide additional information about which rule(s) succeeded in matching the incoming certificate. Thus, there is not much information we can automatically provide in the indicator. It would be good to generate indicators that include some information from the certmapping rules in future but for now a single 'pkinit' indicator is enough. Fixes https://pagure.io/freeipa/issue/6736 Reviewed-By: Simo Sorce <ssorce@redhat.com> |
||
---|---|---|
.. | ||
dnssec | ||
ipa-kdb | ||
ipa-otpd | ||
ipa-sam | ||
ipa-slapi-plugins | ||
ipa-version.h.in | ||
Makefile.am |