freeipa/daemons
Alexander Bokovoy e8a7e2e38a ipa-kdb: add pkinit authentication indicator in case of a successful certauth
We automatically add 'otp' and 'radius' authentication indicators when
pre-authentication with OTP or RADIUS did succeed. Do the same for
certauth-based pre-authentication (PKINIT).

A default PKINIT configuration does not add any authentication
indicators unless 'pkinit_indicator = pkinit' is set in kdc.conf.
Unfortunately, modifying kdc.conf automatically is a bit more
complicated than modifying krb5.conf. Given that we have 'otp' and
'radius' authentication indicators also defined in the code, not in
kdc.conf, this change is following an established trend.

SSSD certauth interface does not provide additional information about
which rule(s) succeeded in matching the incoming certificate. Thus,
there is not much information we can automatically provide in the
indicator. It would be good to generate indicators that include some
information from the certmapping rules in future, but for now a single
'pkinit' indicator is enough.

Fixes https://pagure.io/freeipa/issue/6736

Reviewed-By: Simo Sorce <ssorce@redhat.com>
2017-06-05 18:35:27 +02:00
dnssec Fix PKCS11 helper 2017-04-12 09:54:10 +02:00
ipa-kdb ipa-kdb: add pkinit authentication indicator in case of a successful certauth 2017-06-05 18:35:27 +02:00
ipa-otpd ipa-otpd.socket.in: Use a platform specific value for KDC service file 2017-04-12 16:17:51 +02:00
ipa-sam ipa-sam: create the gidNumber attribute in the trusted domain entry 2017-04-07 12:38:35 +02:00
ipa-slapi-plugins fix minor spelling mistakes 2017-05-19 09:52:46 +02:00
ipa-version.h.in Build: move version handling from Makefile to configure 2016-11-09 13:08:32 +01:00
Makefile.am Build: properly integrate ipa-version.h.in into build system 2016-11-29 15:28:24 +01:00