[Freeipa-devel] Unifying the PKI and IPA Directory Server instances
Simo Sorce
simo at redhat.com
Thu Nov 3 04:56:35 UTC 2011
On Wed, 2011-11-02 at 20:25 -0400, Adam Young wrote:
> On 11/02/2011 06:19 PM, Rob Crittenden wrote:
> > Simo Sorce wrote:
> >> On Wed, 2011-11-02 at 16:44 -0400, Ade Lee wrote:
> >>> On Wed, 2011-11-02 at 16:03 -0400, Adam Young wrote:
> >> [...]
> >>> So, a user becomes an agent on the ca by having a certificate in the
> >>> user record and being a member of the relevant admin, agent or auditor
> >>> group.
> >>>
> >>> I see this as follows:
> >>> 1. ipa cms-user-add (add a user and add the auxiliary cmsuser object
> >>> class)
> >>> 2. ipa user-cert (contact the ca and get a certificate for this user,
> >>> add this cert to the user record in the ipa database)
> >>> 3. ipa group-add-member (add the user to the relevant group)
> >>>
> >>> At no point does PKI need to modify anything in the IPA database.
> >>
> >> Sounds reasonable.
> >> Can you post a link to the schema that would be added to IPA objects ?
> >>
> >> Simo.
> >>
> I think this is it:
>
> http://svn.fedorahosted.org/svn/pki/trunk/pki/base/ca/shared/conf/schema.ldif
>
> Look for cmsuser.
Unfortunately it looks like the cmsuser objectclass is of type
structural, which means it cannot be added to existing records.
> The cert seems to come from
>
> 05rfc4523.ldif
>
> and is added in
>
> 06inetorgperson.ldif
>
> Which is already in our user record.
>
> CMS only seems to "require" usertype, which is a string, and "allows"
> userstate which is an integer.
I wonder if we can convince PKI to use a different schema to represent
this information. We can use Roles or Groups to tell what type of user a
user is, not sure about the state as that schema file has exactly the
same comment for both usertype and userstate, seems a bug.
> > IIRC the user we create in CS now has the description attribute set up
> > in a very specific way. Is that still required?
What is description used for ?
Simo.
--
Simo Sorce * Red Hat, Inc * New York
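The schema point raised in this message (a STRUCTURAL class cannot be bolted onto an existing entry, only an AUXILIARY one can; and cmsuser would also require a usertype value) can be checked mechanically before anyone touches a live directory. The following is an added example written for this page; it is not code from the thread, from FreeIPA or from Dogtag. It parses RFC 4512 objectClass descriptions and applies the rule that an entry's structural class chain is fixed at creation. The sample definitions are constructed: the standard person/inetOrgPerson lines use their real OIDs, while the `cmsuser` and `ipaObject` lines are assumptions modelled on what the thread says (cmsuser STRUCTURAL, MUST usertype, MAY userstate; ipaObject an AUXILIARY class) and are not copied from schema.ldif.

```python
"""Check whether an LDAP objectClass can be added to an existing entry.

Added example, not part of the freeipa-devel thread, FreeIPA or Dogtag.
Applies RFC 4512 section 3.3: an entry has one structural class chain and
that chain does not change after the entry is created; AUXILIARY classes may
be added freely as long as their MUST attributes are supplied.
"""
import re
from dataclasses import dataclass, field

# Constructed sample schema. The first four lines are the standard classes
# (real OIDs). The cmsuser and ipaObject lines are ASSUMPTIONS modelled on
# the thread's description, with placeholder OIDs, not the project's schema.
SAMPLE_SCHEMA = [
    "( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )",
    "( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) "
    "MAY ( userPassword $ description ) )",
    "( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL MAY ( title $ ou ) )",
    "( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP organizationalPerson "
    "STRUCTURAL MAY ( mail $ uid $ userCertificate ) )",
    "( cmsuser-oid NAME 'cmsuser' SUP top STRUCTURAL MUST usertype MAY userstate )",
    "( ipaObject-oid NAME 'ipaObject' DESC 'constructed sample' SUP top "
    "AUXILIARY MUST ipaUniqueID )",
]


@dataclass
class ObjectClass:
    name: str
    kind: str                                  # ABSTRACT | STRUCTURAL | AUXILIARY
    sup: list = field(default_factory=list)    # superior class names
    must: list = field(default_factory=list)   # required attribute types
    may: list = field(default_factory=list)    # optional attribute types


# Subset of the RFC 4512 ObjectClassDescription grammar: one NAME, optional
# DESC/OBSOLETE/SUP/kind/MUST/MAY, in that order, with '(' a $ b ')' lists.
_OC_RE = re.compile(
    r"\(\s*(?P<oid>\S+)\s+NAME\s+'(?P<name>[^']+)'"
    r"(?:\s+DESC\s+'[^']*')?"
    r"(?:\s+OBSOLETE)?"
    r"(?:\s+SUP\s+(?P<sup>\([^)]*\)|\S+))?"
    r"(?:\s+(?P<kind>ABSTRACT|STRUCTURAL|AUXILIARY))?"
    r"(?:\s+MUST\s+(?P<must>\([^)]*\)|\S+))?"
    r"(?:\s+MAY\s+(?P<may>\([^)]*\)|\S+))?"
    r"\s*\)$"
)


def _names(group):
    """Split 'x' or '( x $ y )' into a list of names."""
    if not group:
        return []
    return [n.strip() for n in group.strip("() \t").split("$") if n.strip()]


def parse_object_class(defn):
    m = _OC_RE.match(defn.strip())
    if not m:
        raise ValueError("unparseable objectClass description: %r" % defn)
    # RFC 4512 4.1.1: the kind defaults to STRUCTURAL when it is omitted.
    return ObjectClass(name=m.group("name"), kind=m.group("kind") or "STRUCTURAL",
                       sup=_names(m.group("sup")), must=_names(m.group("must")),
                       may=_names(m.group("may")))


def load_schema(defns):
    return {oc.name.lower(): oc for oc in map(parse_object_class, defns)}


def superior_chain(schema, name):
    """The class and all of its superiors, most specific first (lower-cased)."""
    chain, todo = [], [name.lower()]
    while todo:
        cur = todo.pop(0)
        if cur in chain:
            continue
        chain.append(cur)
        todo.extend(s.lower() for s in schema[cur].sup)
    return chain


def allowed_attributes(schema, classes):
    """Every MUST or MAY attribute reachable from the entry's classes."""
    attrs = set()
    for c in classes:
        for k in superior_chain(schema, c):
            attrs.update(a.lower() for a in schema[k].must + schema[k].may)
    return attrs


def missing_must(schema, entry_attrs, class_name):
    """MUST attributes the entry would still need before class_name is valid."""
    have = {a.lower() for a in entry_attrs}
    need = set()
    for k in superior_chain(schema, class_name):
        need.update(a.lower() for a in schema[k].must)
    return sorted(need - have)


def can_add_class(schema, entry_classes, new_class):
    """Return (allowed, reason) for adding new_class to an existing entry."""
    oc = schema[new_class.lower()]
    if oc.name.lower() in {c.lower() for c in entry_classes}:
        return True, "already present"
    if oc.kind == "AUXILIARY":
        return True, "auxiliary class, may be added to any entry"
    if oc.kind == "ABSTRACT":
        return False, "abstract class, only usable through a subclass"
    # STRUCTURAL: harmless only if it already sits in the entry's chain.
    for c in entry_classes:
        if oc.name.lower() in superior_chain(schema, c):
            return True, "superior of existing structural class %s" % c
    return False, "structural class outside the entry's chain; it would change the entry's structural class"


def demo():
    """Run the three checks the thread raises against a typical IPA user entry."""
    schema = load_schema(SAMPLE_SCHEMA)
    ipa_user_classes = ["top", "person", "organizationalPerson", "inetOrgPerson", "ipaObject"]
    ipa_user_attrs = ["objectClass", "uid", "cn", "sn", "ipaUniqueID"]
    return {
        "cmsuser_addable": can_add_class(schema, ipa_user_classes, "cmsuser")[0],
        "cmsuser_missing_must": missing_must(schema, ipa_user_attrs, "cmsuser"),
        "userCertificate_allowed": "usercertificate" in allowed_attributes(schema, ipa_user_classes),
    }


if __name__ == "__main__":
    print(demo())
```

Against the constructed schema, `demo()` reports that cmsuser cannot be added to an inetOrgPerson entry, that usertype would be the one attribute still missing if it could, and that userCertificate is already permitted through inetOrgPerson. To run the same check against a real server, feed `load_schema` the `objectClasses` values returned by an ldapsearch of the `cn=schema` subentry instead of `SAMPLE_SCHEMA`; the parser handles only the subset of the grammar shown in the samples (one NAME, no multi-name lists), so extend it before pointing it at a full schema.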