Menu Close
Settings Close

Language and Page Formatting Options

9.3.2. 在 IdM CLI 中添加证书映射规则

  1. 获取管理员凭证:

    # kinit admin
  2. 输入映射规则以及映射规则所基于的匹配规则。将提供的整个证书与 AD 中可用的证书进行比较,只允许 AD.EXAMPLE.COM 域的 AD-ROOT-CA 签发的证书进行身份验证:

    # ipa certmaprule-add simpleADrule --matchrule '<ISSUER>CN=AD-ROOT-CA,DC=ad,DC=example,DC=com' --maprule '(userCertificate;binary={cert!bin})' --domain ad.example.com
    -------------------------------------------------------
    Added Certificate Identity Mapping Rule "simpleADrule"
    -------------------------------------------------------
      Rule name: simpleADrule
      Mapping rule: (userCertificate;binary={cert!bin})
      Matching rule: <ISSUER>CN=AD-ROOT-CA,DC=ad,DC=example,DC=com
      Domain name: ad.example.com
      Enabled: TRUE
  3. 系统安全服务守护进程(SSSD)会定期重新读取证书映射规则。要强制立即载入新创建的规则,重启 SSSD:

    # systemctl restart sssd