SSS-CERTMAP(5)

NAME
       sss-certmap - SSSD X.509 certificate matching and mapping rules

MATCHING RULES
       Default matching rule values: digitalSignature (key usage) and
       clientAuth (extended key usage).

       Certificates are read from the userCertificate attribute in DER
       encoding.

       Rules can be checked with 'sssctl cert-eval-rule'.

       Default priority: 0. Priorities are 32-bit unsigned values; the
       largest value is 4294967295.

       The syntax follows the pkinit_cert_match option of MIT Kerberos:
       each component is enclosed in < and >, and components are combined
       with && (and) or || (or).

       Regular expressions use POSIX extended syntax, see regex(7). DNs are
       decoded from DER/ASN.1 and formatted according to RFC 4514.

       Subject DN (regular expression on the RFC 4514 string):
              .*,DC=MY,DC=DOMAIN
       The characters ^.[$()|*+?{\ have a special meaning and must be
       escaped with \:
              ^CN=.* \(Admin\),DC=MY,DC=DOMAIN$

       Issuer DN:
              ^CN=My-CA,DC=MY,DC=DOMAIN$

       Key usage (names separated by ',' or a 32-bit numeric value):
              o digitalSignature
              o nonRepudiation
              o keyEncipherment
              o dataEncipherment
              o keyAgreement
              o keyCertSign
              o cRLSign
              o encipherOnly
              o decipherOnly
              Example: digitalSignature,keyEncipherment

       Extended key usage (names or OIDs, separated by ','):
              o serverAuth
              o clientAuth
              o codeSigning
              o emailProtection
              o timeStamping
              o OCSPSigning
              o KPClientAuth
              o pkinit
              o msScLogin
              Example: clientAuth,1.3.6.1.5.2.3.4

       Kerberos principal in a PKINIT SAN or an AD NT Principal SAN (MIT
       Kerberos syntax):
              .*@MY\.REALM
       Principal in a PKINIT SAN or an AD NT Principal SAN:
              .*@MY\.REALM
       Principal in an AD NT Principal SAN:
              .*@MY.AD.REALM
       Principal in a PKINIT SAN:
              .*@MY\.PKINIT\.REALM
       otherName SAN with a given OID (string value):
              test
       otherName SAN, base64-encoded blob:
              MTIz
       rfc822Name SAN:
              .*@email\.domain
       dNSName SAN:
              .*\.my\.dns\.domain
       x400Address SAN, base64-encoded:
              MTIz
       directoryName SAN (RFC 4514 string):
              .*,DC=com
       ediPartyName SAN, base64-encoded:
              MTIz
       uniformResourceIdentifier SAN:
              URN:.*
       iPAddress SAN:
              192\.168\..*
       registeredID SAN (OID):
              1\.2\.3\..*

MAPPING RULES
       A mapping rule produces an LDAP search filter used by SSSD to find
       the user; the filter must be enclosed in ( and ).

       Default mapping rule:
              LDAP:(userCertificate;binary={cert!bin})

       Templates use Python-style syntax: {name[.attribute][!conversion]},
       with '.' separating the attribute. The LDAPU1 variant is described
       in the section LDAPU1 below.

       {issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}
              Issuer DN as an RFC 4514 string. The _x500 variants use X.500
              ordering (reversed RDNs). ad is an alias for ad_x500, nss for
              nss_ldap; the ad variants format the DN like AD, the nss
              variants like NSS, with nss_ldap in LDAP/RFC 4514 order.
              Example: (ipacertmapdata=X509:{issuer_dn!ad}{subject_dn!ad})

       {subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}
              Subject DN as an RFC 4514 string, with the same conversions as
              issuer_dn.
              Example: (ipacertmapdata=X509:{issuer_dn!nss_x500}{subject_dn!nss_x500})

       {cert[!(bin|base64)]}
              The DER-encoded certificate, either as escaped binary (\xx
              bytes, usable in an LDAP filter) or base64-encoded.
              Example: (userCertificate;binary={cert!bin})

       {subject_principal[.short_name]}
              Kerberos principal from the PKINIT SAN or the AD NT Principal
              SAN; .short_name gives the part before '@'.
              Example: (|(userPrincipal={subject_principal})(samAccountName={subject_principal.short_name}))

       {subject_pkinit_principal[.short_name]}
              Kerberos principal from the PKINIT SAN; .short_name gives the
              part before '@'.
              Example: (|(userPrincipal={subject_pkinit_principal})(uid={subject_pkinit_principal.short_name}))

       {subject_nt_principal[.short_name]}
              Kerberos principal from the AD NT Principal SAN; .short_name
              gives the part before '@'.
              Example: (|(userPrincipalName={subject_nt_principal})(samAccountName={subject_nt_principal.short_name}))

       {subject_rfc822_name[.short_name]}
              Value of the rfc822Name SAN; .short_name gives the part before
              '@'.
              Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name.short_name}))

       {subject_dns_name[.short_name]}
              Value of the dNSName SAN; .short_name gives the part before
              the first '.'.
              Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))

       {subject_uri}
              Value of the uniformResourceIdentifier SAN.
              Example: (uri={subject_uri})

       {subject_ip_address}
              Value of the iPAddress SAN.
              Example: (ip={subject_ip_address})

       {subject_x400_address}
              Value of the x400Address SAN (binary).
              Example: (attr:binary={subject_x400_address})

       {subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}
              DN from the directoryName SAN, same conversions as issuer_dn.
              Example: (orig_dn={subject_directory_name})

       {subject_ediparty_name}
              Value of the ediPartyName SAN (binary).
              Example: (attr:binary={subject_ediparty_name})

       {subject_registered_id}
              OID from the registeredID SAN.
              Example: (oid={subject_registered_id})

LDAPU1
       Additional templates available with the LDAPU1 prefix:

       {serial_number[!(dec|hex[_ucr])]}
              Serial number, decimal or hexadecimal. The suffix letters
              select upper-case (u), colon-separated (c) and reversed (r)
              output and can be combined.
              Example: LDAPU1:(serial={_})

       {subject_key_id[!hex[_ucr]]}
              Subject key identifier in hexadecimal, with the same u, c and
              r suffixes.
              Example: LDAPU1:(ski={subject_key_id})

       {cert[!DIGEST[_ucr]]}
              Digest of the DER-encoded certificate, where DIGEST is a
              digest name supported by OpenSSL, with the same u, c and r
              suffixes.
              Example: LDAPU1:(dgst={cert!sha256})

       {subject_dn_component[(.attr_name|[number]]}
              A single component of the subject DN. {subject_dn_component.uid}
              returns the value of the uid attribute, {subject_dn_component.[2]}
              the component at position 2 (negative numbers count from the
              end), and {subject_dn_component.uid[2]} the uid attribute only
              if it is at position 2.
              Example: LDAPU1:(uid={subject_dn_component.uid})

       {issuer_dn_component[(.attr_name|[number]]}
              A single component of the issuer DN, with the same options as
              subject_dn_component.
              Example: LDAPU1:(domain={issuer_dn_component.[-2]}.{issuer_dn_component.dc[-1]})

       {sid[.rid]}
              SID from the certificate extension with the Microsoft OID
              1.3.6.1.4.1.311.25.2; .rid returns only the RID.
              Example: LDAPU1:(objectsid={sid})

AUTHORS
       SSSD -- https://github.com/SSSD/sssd/

SSSD                            05/17/2024                    SSS-CERTMAP(5)