From ad3c2c6f89d3d07c5e901706c796de41d160d3bb Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 3 Sep 2018 18:38:42 +0200
Subject: [PATCH 13/19] doc: add certificate mapping section to man page
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 0c739e969a617bdb4c06cdfd63772bf6d283c518)
---
src/man/sssd.conf.5.xml | 149 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 149 insertions(+)
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 881ffc6ab389fec2b85d675f43b951ca5fa0f2fc..04143f199685b7703abe1b5bb82b6c33230e6c72 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -3299,6 +3299,135 @@ ldap_user_extra_attrs = phone:telephoneNumber
</para>
</refsect1>
+ <refsect1 id='certmap'>
+ <title>CERTIFICATE MAPPING SECTION</title>
+ <para>
+ To allow authentication with Smartcards and certificates SSSD must
+ be able to map certificates to users. This can be done by adding the
+ full certificate to the LDAP object of the user or to a local
+ override. While using the full certificate is required to use the
+ Smartcard authentication feature of SSH (see
+ <citerefentry>
+ <refentrytitle>sss_ssh_authorizedkeys</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>
+ for details) it might be cumbersome or not even possible to do this
+ for the general case where local services use PAM for
+ authentication.
+ </para>
+ <para>
+ To make the mapping more flexible mapping and matching rules were
+ added to SSSD (see
+ <citerefentry>
+ <refentrytitle>sss-certmap</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry>
+ for details).
+ </para>
+ <para>
+ A mapping and matching rule can be added to the SSSD configuration
+ in a section on its own with a name like
+ <quote>[certmap/<replaceable>DOMAIN_NAME</replaceable>/<replaceable>RULE_NAME</replaceable>]</quote>.
+ In this section the following options are allowed:
+ </para>
+ <variablelist>
+ <varlistentry>
+ <term>matchrule (string)</term>
+ <listitem>
+ <para>
+ Only certificates from the Smartcard which matches this
+ rule will be processed, all others are ignored.
+ </para>
+ <para>
+ Default: KRB5:<EKU>clientAuth, i.e. only
+ certificates which have the Extended Key Usage
+ <quote>clientAuth</quote>
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>maprule (string)</term>
+ <listitem>
+ <para>
+ Defines how the user is found for a given certificate.
+ </para>
+ <para>
+ Default:
+ <itemizedlist>
+ <listitem>
+ <para>LDAP:(userCertificate;binary={cert!bin})
+ for LDAP based providers like
+ <quote>ldap</quote>, <quote>AD</quote> or
+ <quote>ipa</quote>.</para>
+ </listitem>
+ <listitem>
+ <para>The RULE_NAME for the <quote>files</quote>
+ provider which tries to find a user with the
+ same name.</para>
+ </listitem>
+ </itemizedlist>
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>domains (string)</term>
+ <listitem>
+ <para>
+ Comma separated list of domain names the rule should be
+ applied. By default a rule is only valid in the domain
+ configured in sssd.conf. If the provider supports
+ subdomains this option can be used to add the rule to
+ subdomains as well.
+ </para>
+ <para>
+ Default: the configured domain in sssd.conf
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>priority (integer)</term>
+ <listitem>
+ <para>
+ Unsigned integer value defining the priority of the
+ rule. The higher the number the lower the priority.
+ <quote>0</quote> stands for the highest priority while
+ <quote>4294967295</quote> is the lowest.
+ </para>
+ <para>
+ Default: the lowest priority
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ <para>
+ To make the configuration simple and reduce the amount of
+ configuration options the <quote>files</quote> provider has some
+ special properties:
+ <itemizedlist>
+ <listitem>
+ <para>
+ if maprule is not set the RULE_NAME name is assumed to
+ be the name of the matching user
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ if a maprule is used both a single user name or a
+ template like
+ <quote>{subject_rfc822_name.short_name}</quote> must
+ be in braces like e.g. <quote>(username)</quote> or
+ <quote>({subject_rfc822_name.short_name})</quote>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ the <quote>domains</quote> option is ignored
+ </para>
+ </listitem>
+ </itemizedlist>
+ </para>
+ </refsect1>
+
<refsect1 id='example'>
<title>EXAMPLES</title>
<para>
@@ -3341,6 +3470,26 @@ enumerate = False
<programlisting>
[domain/ipa.com/child.ad.com]
use_fully_qualified_names = false
+</programlisting>
+ </para>
+ <para>
+ 3. The following example shows the configuration for two certificate
+ mapping rules. The first is valid for the configured domain
+ <quote>my.domain</quote> and additionally for the subdomains
+ <quote>your.domain</quote> and uses the full certificate in the
+ search filter. The second example is valid for the domain
+ <quote>files</quote> where it is assumed the files provider is used
+ for this domain and contains a matching rule for the local user
+ <quote>myname</quote>.
+<programlisting>
+[certmap/my.domain/rule_name]
+matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$
+maprule = (userCertificate;binary={cert!bin})
+domains = my.domain, your.domain
+priority = 10
+
+[certmap/files/myname]
+matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$<SUBJECT>^CN=User.Name,DC=MY,DC=DOMAIN$
</programlisting>
</para>
</refsect1>
--
2.14.4