[Freeipa-devel] Unifying the PKI and IPA Directory Server instances

Simo Sorce simo at redhat.com
Thu Nov 3 04:56:35 UTC 2011


On Wed, 2011-11-02 at 20:25 -0400, Adam Young wrote:
> On 11/02/2011 06:19 PM, Rob Crittenden wrote:
> > Simo Sorce wrote:
> >> On Wed, 2011-11-02 at 16:44 -0400, Ade Lee wrote:
> >>> On Wed, 2011-11-02 at 16:03 -0400, Adam Young wrote:
> >> [...]
> >>> So, a user becomes an agent on the ca by having a certificate in the
> >>> user record and being a member of the relevant admin, agent or auditor
> >>> group.
> >>>
> >>> I see this as follows:
> >>> 1. ipa cms-user-add (add a user and add the auxilliary cmsuser object
> >>> class)
> >>> 2. ipa user-cert (contact the ca and get a certificate for this user,
> >>> add this cert to the user record in the ipa database)
> >>> 3. ipa group-add-member (add the user to the relevant group)
> >>>
> >>> At no point does PKI need to modify anything in the IPA database.
> >>
> >> Sounds reasonable.
> >> Can you post a link to the schema that would be added to IPA objects ?
> >>
> >> Simo.
> >>
> I think this is it:
> 
> http://svn.fedorahosted.org/svn/pki/trunk/pki/base/ca/shared/conf/schema.ldif
> 
> Look for cmsuser.

Unfortunately it looks like the cmsuser objectclass is of type
structural, which means it cannot be added to existing records.

> The cert seems to come from
> 
> 05rfc4523.ldif
> 
> and is added in
> 
> 06inetorgperson.ldif
> 
> Which is already in our user record.
> 
> CMS only seems to "require" usertype, which is a string, and "allows" 
> userstate  which is an integer.

I wonder if we can convince PKI to use a different schema to represent
this information. We can use Roles or Groups to tell what type of user a
user is, not sure about the state as that schema file has exactly the
same comment for both usertype and userstate, seems a bug.

> > IIRC the user we create in CS now has the description attribute set up 
> > in a very specific way. Is that still required?

What is description used for ?

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York
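The objection Simo raises in this mail (a STRUCTURAL objectclass cannot simply be bolted onto an existing inetOrgPerson entry, whereas an AUXILIARY one can) is easy to check mechanically before proposing a schema change. The following Python script is an added illustration and is not code from this thread, from FreeIPA or from Dogtag PKI. It parses RFC 4512-style `objectClasses:` definitions, reports each class's kind, and models the Directory Server rule that an entry carries one structural class chain. The schema text inside it is constructed for the example: the OIDs are placeholders and the `cmsuser`/`cmsuserAux` definitions are hypothetical, not the ones in the PKI schema.ldif linked above.

```python
import re

# Constructed sample schema in RFC 4512 syntax. Placeholder OIDs; the
# 'cmsuser' and 'cmsuserAux' definitions are hypothetical illustrations
# of the structural-vs-auxiliary distinction, not the real PKI schema.
SAMPLE_SCHEMA = """
objectClasses: ( 1.3.6.1.4.1.99999.0.1 NAME 'inetOrgPerson' SUP organizationalPerson STRUCTURAL MAY ( userCertificate $ mail ) )
objectClasses: ( 1.3.6.1.4.1.99999.1.1 NAME 'cmsuser' SUP top STRUCTURAL MUST usertype MAY userstate )
objectClasses: ( 1.3.6.1.4.1.99999.1.2 NAME 'cmsuserAux' SUP top AUXILIARY MUST usertype MAY userstate )
"""

# Minimal matcher for the subset of the objectClass grammar used above:
# OID, NAME, optional SUP, KIND, optional MUST and MAY (single or list).
OC_RE = re.compile(
    r"\(\s*(?P<oid>[\d.]+)\s+NAME\s+'(?P<name>[^']+)'"
    r"(?:\s+SUP\s+(?P<sup>\S+))?"
    r"\s+(?P<kind>STRUCTURAL|AUXILIARY|ABSTRACT)"
    r"(?:\s+MUST\s+(?P<must>\([^)]*\)|\S+))?"
    r"(?:\s+MAY\s+(?P<may>\([^)]*\)|\S+))?"
    r"\s*\)"
)


def parse_attr_list(raw):
    """Turn 'attr' or '( a $ b )' into a list of attribute names."""
    if raw is None:
        return []
    return [a.strip() for a in raw.strip("() ").split("$") if a.strip()]


def parse_object_classes(schema_text):
    """Return a dict keyed by lowercased class name with oid/sup/kind/must/may."""
    classes = {}
    for line in schema_text.splitlines():
        line = line.strip()
        if not line.lower().startswith("objectclasses:"):
            continue
        m = OC_RE.search(line)
        if not m:
            raise ValueError("unparsable objectClass definition: " + line)
        classes[m.group("name").lower()] = {
            "oid": m.group("oid"),
            "name": m.group("name"),
            "sup": m.group("sup"),
            "kind": m.group("kind"),
            "must": parse_attr_list(m.group("must")),
            "may": parse_attr_list(m.group("may")),
        }
    return classes


def is_subclass(classes, child, ancestor):
    """Walk the SUP chain of `child` looking for `ancestor` (case-insensitive)."""
    cur, seen = child.lower(), set()
    while cur and cur not in seen:
        if cur == ancestor.lower():
            return True
        seen.add(cur)
        sup = classes.get(cur, {}).get("sup")
        cur = sup.lower() if sup else None
    return False


def can_add_to_entry(classes, entry_object_classes, new_class):
    """Model the DS rule: one structural chain per entry, auxiliaries are free.

    Returns (ok, reason). A STRUCTURAL class is accepted only when it refines
    (is a subclass of) a structural class the entry already has.
    """
    oc = classes[new_class.lower()]
    if oc["kind"] == "ABSTRACT":
        return False, "abstract classes cannot be instantiated directly"
    if oc["kind"] == "AUXILIARY":
        return True, "auxiliary class can be added to an existing entry"
    structural = [c for c in entry_object_classes
                  if classes.get(c.lower(), {}).get("kind") == "STRUCTURAL"]
    for cur in structural:
        if is_subclass(classes, new_class, cur):
            return True, "%s refines existing structural class %s" % (new_class, cur)
    return False, "a second, unrelated STRUCTURAL class is not allowed on an entry"


def missing_required(classes, new_class, entry_attrs):
    """List MUST attributes of `new_class` that the entry does not yet carry."""
    have = {a.lower() for a in entry_attrs}
    return [a for a in classes[new_class.lower()]["must"] if a.lower() not in have]


if __name__ == "__main__":
    classes = parse_object_classes(SAMPLE_SCHEMA)
    ipa_user = ["top", "person", "inetOrgPerson"]
    for name in ("cmsuser", "cmsuserAux"):
        print(name, classes[name.lower()]["kind"], can_add_to_entry(classes, ipa_user, name))
    print("still needed:", missing_required(classes, "cmsuserAux", {"uid", "cn", "mail"}))
```

Run as-is it shows the structural `cmsuser` being rejected for an existing inetOrgPerson entry while the auxiliary variant is accepted, and lists which MUST attributes (here the hypothetical `usertype`) the user record would still have to gain. The same parser can be pointed at a real schema LDIF to confirm a class's kind before deciding whether an "add the auxiliary objectclass" step like the one proposed in the thread is even possible.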
