SSS-CERTMAP(5) NAME sss-certmap - ' SSSD , SSSD X.509 ' . -- "", " ", " '" " ". '. "", . " " digitalSignature clientAuth. " '" , userCertificate DER. , . , "'" " " <<:>> . ASCII . , , <> <> '. <> <>, , , , '. , <<0>> () . , . , . , , . 32- . , 4294967295, . , ' , . , , . , , , . , '. , "pkinit_cert_match" Kerberos MIT. <<<>> <<>>>, , , , . - <<&&>> () <<||>> (). MIT Kerberos, <>. , <> " ", <<.*,DC=MY,DC=DOMAIN>> <.*,DC=MY,DC=DOMAIN>> . : - . POSIX. regex(7). , DER ASN.1, RFC 4514. , . , , RFC 4514 . : <>, <>, <>, <>, <>, <>, <>, <> <>. . , . : .*,DC=MY,DC=DOMAIN , , <<^.[$()|*+?{\>> , <<\>>, . : ^CN=.* $Admin$,DC=MY,DC=DOMAIN$ - . . : ^CN=My-CA,DC=MY,DC=DOMAIN$ - , . , , : o digitalSignature o nonRepudiation o keyEncipherment o dataEncipherment o keyAgreement o keyCertSign o cRLSign o encipherOnly o decipherOnly 32- . : digitalSignature,keyEncipherment -- , . , , : o serverAuth o clientAuth o codeSigning o emailProtection o timeStamping o OCSPSigning o KPClientAuth o pkinit o msScLogin , , OID - . : clientAuth,1.3.6.1.5.2.3.4 - Kerberos MIT Kerberos PKINIT AD NT Principal SAN , . : .*@MY\.REALM - Kerberos PKINIT AD NT Principal SAN. : .*@MY\.REALM - Kerberos AD NT Principal SAN. : .*@MY.AD.REALM - Kerberos SAN PKINIT. : .*@MY\.PKINIT\.REALM - SAN otherName, OID - , . : test base64-string base64 SAN otherName. otherName , . : MTIz - SAN rfc822Name. : .*@email\.domain - SAN dNSName. : .*\.my\.dns\.domain -base64 SAN x400Address. : MTIz - SAN directoryName. , . : .*,DC=com -base64 SAN ediPartyName. : MTIz - SAN uniformResourceIdentifier. : URN:.* - SAN iPAddress. : 192\.168\..* - SAN registeredID - . : 1\.2\.3\..* ' ' . , . SSSD LDAP ( , ). ' LDAP . , , ', . <<(>> <<)>>, . , ' LDAP. , <> AD <> IPA. , , LDAP. , LDAP , '. , , ' . " '" <>. . , : <>. , <>, . , " '" <>, . the section called " LDAPU1". Python. -, <<.>>, -, <>. : {issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]} DN , RFC 4514. X.500 ( RDN ), <<_x500>>. , <>, , AD, <>, <>. , <>, , NSS. <>, NSS LDAP/RFC 4514. : (ipacertmapdata=X509:{issuer_dn!ad}{subject_dn!ad}) {subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]} DN , RFC 4514. X.500 ( RDN ), <<_x500>>. , <>, , AD, <>, <>. , <>, , NSS. <>, NSS LDAP/RFC 4514. : (ipacertmapdata=X509:{issuer_dn!nss_x500}{subject_dn!nss_x500}) {cert[!(bin|base64)]} DER . , <<\xx>>, base64. , , , LDAP <>. : (userCertificate;binary={cert!bin}) {subject_principal[.short_name]} Kerberos, SAN, pkinit, AD. <> <<@>>. : (|(userPrincipal={subject_principal})(samAccountName={subject_principal.short_name})) {subject_pkinit_principal[.short_name]} Kerberos, SAN, pkinit. <> <<@>>. : (|(userPrincipal={subject_pkinit_principal})(uid={subject_pkinit_principal.short_name})) {subject_nt_principal[.short_name]} Kerberos, SAN, AD. <> <<@>>. : (|(userPrincipalName={subject_nt_principal})(samAccountName={subject_nt_principal.short_name})) {subject_rfc822_name[.short_name]} , rfc822Name SAN, , . <> <<@>>. : (|(mail={subject_rfc822_name})(uid={subject_rfc822_name.short_name})) {subject_dns_name[.short_name]} , dNSName SAN, , . <> <<.>>. : (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name})) {subject_uri} , uniformResourceIdentifier SAN. : (uri={subject_uri}) {subject_ip_address} , iPAddress SAN. : (ip={subject_ip_address}) {subject_x400_address} , x400Address SAN . : (attr:binary={subject_x400_address}) {subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]} DN , directoryName SAN. : (orig_dn={subject_directory_name}) {subject_ediparty_name} , ediPartyName SAN . : (attr:binary={subject_ediparty_name}) {subject_registered_id} OID, registeredID SAN - . : (oid={subject_registered_id}) LDAPU1 LDAPU1 : {serial_number[!(dec|hex[_ucr])]} . , . <>, . (<>), , (<>), (<>). , , , <> . : LDAPU1:(serial={_}) {subject_key_id[!hex[_ucr]]} . , . (<>), , (<>), (<>). , , , <> . : LDAPU1:(ski={__}) {cert[!DIGEST[_ucr]]} . DIGEST , OpenSSL, <>. (<>), , (<>), (<>) , , , <> . : LDAPU1:(dgst={cert!sha256}) {subject_dn_component[(._|[]]} DN . . , , {subject_dn_component.uid}, , , {subject_dn_component.[2]}, , ' -- . . : {subject_dn_component.uid[2]}, <>. : LDAPU1:(uid={subject_dn_component.uid}) {issuer_dn_component[(._|[]]} DN . . . <>, . : LDAPU1:(domain={issuer_dn_component.[-2]}.{issuer_dn_component.dc[-1]}) {sid[.rid]} SID, Microsoft OID 1.3.6.1.4.1.311.25.2. <<.rid>>, , RID. : LDAPU1:(objectsid={sid}) , , ' , , , SSSD. , SSSD, . AUTHORS SSSD -- https://pagure.io/SSSD/sssd/ SSSD 05/17/2024 SSS-CERTMAP(5)