On Mon, 2021-02-01 at 18:40 -0500, Stephen Frost wrote:
> * Jacob Champion (pchamp...@vmware.com) wrote:
> > My goal is to get this one single point of reference, for all of the
> > auth backends. The LDAP mapping conversation is separate.
>
> Presumably this would be the DN for SSL then..? Not just the CN?

Correct.

> How would the issuer DN be included? And the serial?

In the current proposal, they're not. Seems like only the Subject should be considered when determining the "identity of the user" -- knowing the issuer or the certificate fingerprint might be useful in general, and perhaps they should be logged somewhere, but they're not part of the user's identity.

If there were a feature that considered the issuer or serial number when making role mappings, I think it'd be easier to make a case for that. As of right now I don't think they should be incorporated into this *particular* identifier.

--Jacob