I was looking over the IPA documentation today for 1.15.0 and was curious
if anyone has looked into enabling client certificate based authentication
into the UI?
It almost looks like using pam_pkcs11 might work, when combined with
mod_identity and requiring the client certificate. We already use
pam_pkcs11 on linux desktops with the smart cards, there is a cn_map file
that connects the certificate CN to a local username.