
Certificate Mapping

Manage certificate mapping rules for user authentication via certificates. Certificate mapping enables users to authenticate using X.509 certificates by defining how certificate attributes map to IPA user accounts. Features include mapping rules with priority, certificate matching data, domains for cross-realm support, and enable/disable controls for flexible certificate-based authentication policies.


Manage Certificate Identity Mapping configuration and rules.

IPA supports the use of certificates for authentication. Certificates can either be stored in the user entry (the full certificate in the usercertificate attribute) or simply linked to the user entry through a mapping. This plugin manages the rules that link a certificate to a user entry.

EXAMPLES

Display the Certificate Identity Mapping global configuration:

ipa certmapconfig-show

Modify Certificate Identity Mapping global configuration:

ipa certmapconfig-mod --promptusername=TRUE

Create a new Certificate Identity Mapping Rule:

ipa certmaprule-add rule1 --desc="Link certificate with subject and issuer"

Modify a Certificate Identity Mapping Rule:

ipa certmaprule-mod rule1 --maprule="<ALT-SEC-ID-I-S:altSecurityIdentities>"

Disable a Certificate Identity Mapping Rule:

ipa certmaprule-disable rule1

Enable a Certificate Identity Mapping Rule:

ipa certmaprule-enable rule1

Display information about a Certificate Identity Mapping Rule:

ipa certmaprule-show rule1

Find all Certificate Identity Mapping Rules with the specified domain:

ipa certmaprule-find --domain example.com

Delete a Certificate Identity Mapping Rule:

ipa certmaprule-del rule1
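As an added illustration (not code from the FreeIPA or SSSD projects), the following Python models how the rule attributes used above interact: priority order, enable/disable, domain scoping, the match rule deciding whether a certificate may be used at all, and the map rule producing the LDAP search for the user entry. The match-rule keywords and the {subject_dn}/{issuer_dn} placeholders follow sss-certmap(5) in simplified form; the certificate and the rules are constructed sample data.

```python
import re

# Added, simplified model of Certificate Identity Mapping rule evaluation;
# not SSSD's or IPA's code. Match components use the sss-certmap(5) keywords
# <SUBJECT>, <ISSUER>, <KU>, <EKU>; all must match. Map rules expand only
# the {subject_dn} and {issuer_dn} placeholders here.
COMPONENT = re.compile(r"<(SUBJECT|ISSUER|KU|EKU)>([^<]*)")

def matchrule_matches(matchrule, cert):
    """cert: dict with subject/issuer strings and ku/eku sets (constructed)."""
    components = COMPONENT.findall(matchrule)
    if not components:
        return False  # an empty or unparseable match rule never matches
    for keyword, value in components:
        if keyword in ("SUBJECT", "ISSUER"):
            if not re.search(value, cert[keyword.lower()]):
                return False
        else:  # KU / EKU: each listed usage must be present in the cert
            wanted = {v.strip() for v in value.split(",") if v.strip()}
            if not wanted or not wanted <= cert[keyword.lower()]:
                return False
    return True

def select_rule(rules, cert, domain):
    """First enabled rule for `domain` accepting `cert`; a lower --priority
    number means higher priority (certmaprule-add); no domain list = any."""
    for rule in sorted(rules, key=lambda r: r.get("priority", 0)):
        if not rule.get("enabled", True):
            continue  # certmaprule-disable'd rules are skipped entirely
        if rule.get("domains") and domain not in rule["domains"]:
            continue
        if matchrule_matches(rule["matchrule"], cert):
            return rule
    return None

def expand_maprule(maprule, cert):
    """Render the LDAP filter the map rule yields for this certificate."""
    return (maprule.replace("{subject_dn}", cert["subject"])
                   .replace("{issuer_dn}", cert["issuer"]))

# Constructed sample data: one client certificate and two rules.
SAMPLE_CERT = {"subject": "CN=alice,OU=People,O=EXAMPLE.COM",
               "issuer": "CN=Certificate Authority,O=EXAMPLE.COM",
               "ku": {"digitalSignature", "keyEncipherment"}, "eku": {"clientAuth"}}
SAMPLE_RULES = [
    {"rulename": "rule1", "priority": 10, "domains": ["example.com"],
     "matchrule": r"<ISSUER>^CN=Certificate Authority,O=EXAMPLE\.COM$<EKU>clientAuth",
     "maprule": "(altSecurityIdentities=X509:<I>{issuer_dn}<S>{subject_dn})"},
    {"rulename": "fallback", "priority": 1, "enabled": False,
     "matchrule": "<SUBJECT>.*", "maprule": "(userCertificate;binary={cert!bin})"},
]
```

Note that the disabled "fallback" rule would win on priority alone if it were enabled, which is why a permissive catch-all rule should be reviewed before certmaprule-enable is run on it.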

Commands

Command              Description
certmap-match        Search for users matching the provided certificate.
certmapconfig-mod    Modify Certificate Identity Mapping configuration.
certmapconfig-show   Show the current Certificate Identity Mapping configuration.
certmaprule-add      Create a new Certificate Identity Mapping Rule.
certmaprule-del      Delete a Certificate Identity Mapping Rule.
certmaprule-disable  Disable a Certificate Identity Mapping Rule.
certmaprule-enable   Enable a Certificate Identity Mapping Rule.
certmaprule-find     Search for Certificate Identity Mapping Rules.
certmaprule-mod      Modify a Certificate Identity Mapping Rule.
certmaprule-show     Display information about a Certificate Identity Mapping Rule.


certmap-match

Usage: ipa [global-options] certmap-match CERTIFICATE [options]

Search for users matching the provided certificate.

This command relies on SSSD to retrieve the list of matching users and
may return cached data. For more information on purging SSSD cache,
please refer to sss_cache documentation.

Arguments

Argument     Required  Description
CERTIFICATE  yes       Base-64 encoded user certificate


Options

Option  Description
--all   Retrieve and print all attributes from the server. Affects command output.
--raw   Print entries as stored on the server. Only affects output format.


certmapconfig-mod

Usage: ipa [global-options] certmapconfig-mod [options]

Modify Certificate Identity Mapping configuration.

Options

Option                           Description
--promptusername PROMPTUSERNAME  Prompt for the username when multiple identities are mapped to a certificate
--setattr SETATTR                Set an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTR                Add an attribute/value pair. Format is attr=value. The attribute
--delattr DELATTR                Delete an attribute/value pair. The option will be evaluated
--rights                         Display the access rights of this entry (requires --all). See ipa man page for details.
--all                            Retrieve and print all attributes from the server. Affects command output.
--raw                            Print entries as stored on the server. Only affects output format.


certmapconfig-show

Usage: ipa [global-options] certmapconfig-show [options]

Show the current Certificate Identity Mapping configuration.

Options

Option    Description
--rights  Display the access rights of this entry (requires --all). See ipa man page for details.
--all     Retrieve and print all attributes from the server. Affects command output.
--raw     Print entries as stored on the server. Only affects output format.


certmaprule-add

Usage: ipa [global-options] certmaprule-add RULENAME [options]

Create a new Certificate Identity Mapping Rule.

Arguments

Argument  Required  Description
RULENAME  yes       Certificate Identity Mapping Rule name


Options

Option                 Description
--desc DESC            Certificate Identity Mapping Rule description
--maprule MAPRULE      Rule used to map the certificate with a user entry
--matchrule MATCHRULE  Rule used to check if a certificate can be used for authentication
--domain DOMAIN        Domain where the user entry will be searched
--priority PRIORITY    Priority of the rule (higher number means lower priority)
--setattr SETATTR      Set an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTR      Add an attribute/value pair. Format is attr=value. The attribute
--all                  Retrieve and print all attributes from the server. Affects command output.
--raw                  Print entries as stored on the server. Only affects output format.


certmaprule-del

Usage: ipa [global-options] certmaprule-del RULENAME [options]

Delete a Certificate Identity Mapping Rule.

Arguments

Argument  Required  Description
RULENAME  yes       Certificate Identity Mapping Rule name


Options

Option      Description
--continue  Continuous mode: Don’t stop on errors.



certmaprule-disable

Usage: ipa [global-options] certmaprule-disable RULENAME [options]

Disable a Certificate Identity Mapping Rule.

Arguments

Argument  Required  Description
RULENAME  yes       Certificate Identity Mapping Rule name



certmaprule-enable

Usage: ipa [global-options] certmaprule-enable RULENAME [options]

Enable a Certificate Identity Mapping Rule.

Arguments

Argument  Required  Description
RULENAME  yes       Certificate Identity Mapping Rule name



certmaprule-find

Usage: ipa [global-options] certmaprule-find [CRITERIA] [options]

Search for Certificate Identity Mapping Rules.

Arguments

Argument  Required  Description
CRITERIA  no        A string searched in all relevant object attributes


Options

Option                 Description
--rulename RULENAME    Certificate Identity Mapping Rule name
--desc DESC            Certificate Identity Mapping Rule description
--maprule MAPRULE      Rule used to map the certificate with a user entry
--matchrule MATCHRULE  Rule used to check if a certificate can be used for authentication
--domain DOMAIN        Domain where the user entry will be searched
--priority PRIORITY    Priority of the rule (higher number means lower priority)
--timelimit TIMELIMIT  Time limit of search in seconds (0 is unlimited)
--sizelimit SIZELIMIT  Maximum number of entries returned (0 is unlimited)
--all                  Retrieve and print all attributes from the server. Affects command output.
--raw                  Print entries as stored on the server. Only affects output format.
--pkey-only            Results should contain primary key attribute only (“rulename”)


certmaprule-mod

Usage: ipa [global-options] certmaprule-mod RULENAME [options]

Modify a Certificate Identity Mapping Rule.

Arguments

Argument  Required  Description
RULENAME  yes       Certificate Identity Mapping Rule name


Options

Option                 Description
--desc DESC            Certificate Identity Mapping Rule description
--maprule MAPRULE      Rule used to map the certificate with a user entry
--matchrule MATCHRULE  Rule used to check if a certificate can be used for authentication
--domain DOMAIN        Domain where the user entry will be searched
--priority PRIORITY    Priority of the rule (higher number means lower priority)
--setattr SETATTR      Set an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTR      Add an attribute/value pair. Format is attr=value. The attribute
--delattr DELATTR      Delete an attribute/value pair. The option will be evaluated
--rights               Display the access rights of this entry (requires --all). See ipa man page for details.
--all                  Retrieve and print all attributes from the server. Affects command output.
--raw                  Print entries as stored on the server. Only affects output format.


certmaprule-show

Usage: ipa [global-options] certmaprule-show RULENAME [options]

Display information about a Certificate Identity Mapping Rule.

Arguments

Argument  Required  Description
RULENAME  yes       Certificate Identity Mapping Rule name


Options

Option    Description
--rights  Display the access rights of this entry (requires --all). See ipa man page for details.
--all     Retrieve and print all attributes from the server. Affects command output.
--raw     Print entries as stored on the server. Only affects output format.