[Freeipa-devel] Yet another user certificates/Smart Card thread

Martin Kosek mkosek at redhat.com
Mon May 25 14:26:59 UTC 2015


On 05/25/2015 04:19 PM, Martin Babinsky wrote:
> On 05/25/2015 03:56 PM, Martin Kosek wrote:
>> On 05/25/2015 03:13 PM, Jan Cholasta wrote:
>>> Hi,
>>>
>>> Dne 25.5.2015 v 14:55 Martin Babinsky napsal(a):
>>>> Hello all, long post ahead!
>>>>
>>>> I became a proud owner of https://fedorahosted.org/freeipa/ticket/4238,
>>>> and while Martin's design page
>>>> (http://www.freeipa.org/page/V4/User_Certificates) brings a
>>>> comprehensive overview of what should be done, there are still some gray
>>>> areas we should address both in the design page and the actual
>>>> implementation.
>>>>
>>>> These are the things that were agreed upon in previous thread(s):
>>>>
>>>> 1.) If the whole user certificates are available, they should be stored
>>>> directly in the user entry as an attribute of the following format:
>>>>
>>>>       "userCertificate;binary;$id",
>>>>
>>>> where "id" should be a unique identifier. IIRC we agreed that the
>>>> first/last 4 bytes of cert's SHA512 hash should fill the 'id' role
>>>> nicely. During user authentication the whole binary blob would be
>>>> matched (pspacek pointed out that the cost of this operation is
>>>> acceptable).
>>>>
>>>> 2.) In addition, or when the user certs are stored externally, we should
>>>> store the certificate metadata in the user entry. These metadata should
>>>> be represented by "userCertAttrs;$id;$attr" attributes, where $attr
>>>> subtype corresponds to the type of metadata (issuer, serial no., profile
>>>> id, certificate hash etc.). The authentication/lookup would require some
>>>> custom matching rule to fetch the correct cert.
>>>>
>>>> Point 1. seems clear to me, we need to implement an index for
>>>> userCertificate attribute in DS and modify 'user-add/mod' commands to
>>>> allow for direct enrollment through API ("--usercertificate" option).
>>>>
>>>> Point 2. requires more work: we need to add a new attribute
>>>> "userCertAttrs" to the schema and create DS index/custom matching rule
>>>> for searching. I'm also not quite sure how to approach the task of
>>>> getting these metadata from external storage and putting them to the
>>>> user entry.
>>>
>>> Both points are obsolete. See the design page you linked for the current plan.
>>
>> Huh, where did that come from, Martin? Did you have some cached old version of the
>> design page? I am just wondering what went wrong, as this is something I
>> deleted from that page a month ago.
>>
> I probably got confused during re-reading threads on 'ipa-samba-team-list'.
> 
> So the only thing we require (for now) is the ability to search and store full
> user certificates in the user entry? Did I get it right?

If you read freeipa-devel more closely, you would see I already sent a proposal
for this feature almost a month ago :-)

http://www.redhat.com/archives/freeipa-devel/2015-May/msg00001.html

HTH,
Martin
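
As an added illustration (not FreeIPA code, and not part of the original
thread) of the storage scheme from point 1 of the quoted proposal: the
certificate is stored under "userCertificate;binary;$id" with the id taken
from the first 4 bytes of the SHA-512 digest, and a lookup still compares
the whole binary blob. Note the thread itself says this scheme was dropped
from the design page. Hex encoding of the id, the shape of the LDAP search
filter, and the placeholder "certificate" bytes are all assumptions made
here, not something the proposal specifies.

```python
"""Added illustration of the "userCertificate;binary;$id" scheme from the
quoted proposal (point 1).  Not FreeIPA code; the thread itself notes the
scheme was later dropped from the design page.  The "certificates" below are
constructed placeholder bytes, not real DER."""
import hashlib
from typing import Dict, List, Optional

# Constructed placeholders standing in for DER-encoded certificates.
CERT_A = b"\x30\x82\x01\x2a" + b"placeholder certificate A"
CERT_B = b"\x30\x82\x01\x2a" + b"placeholder certificate B"

# An LDAP entry modelled as: attribute description -> list of binary values.
Entry = Dict[str, List[bytes]]


def cert_id(der: bytes) -> str:
    """Subtype id for the attribute description: the first 4 bytes of the
    certificate's SHA-512 digest.  Hex encoding is an assumption; the thread
    only says "first/last 4 bytes"."""
    return hashlib.sha512(der).digest()[:4].hex()


def attr_name(der: bytes) -> str:
    """Full attribute description, e.g. userCertificate;binary;cf83e135."""
    return f"userCertificate;binary;{cert_id(der)}"


def add_cert(entry: Entry, der: bytes) -> str:
    """Store the whole certificate under its id-tagged attribute.  A 32-bit id
    can collide, so values are kept as a list instead of being overwritten."""
    name = attr_name(der)
    values = entry.setdefault(name, [])
    if der not in values:
        values.append(der)
    return name


def find_cert(entry: Entry, der: bytes) -> Optional[str]:
    """Lookup as the proposal describes it: the id only narrows the search,
    the whole binary blob must match before the certificate is accepted."""
    name = attr_name(der)
    for value in entry.get(name, []):
        if value == der:
            return name
    return None


def escape_binary(value: bytes) -> str:
    """RFC 4515 filter encoding of an arbitrary octet string: every byte as
    a backslash followed by two hex digits."""
    return "".join(f"\\{b:02x}" for b in value)


def search_filter(der: bytes) -> str:
    """Server-side counterpart of find_cert: an equality filter on the
    id-tagged attribute whose assertion value is the full DER blob.  The
    filter form is an assumption, not taken from the proposal."""
    return f"({attr_name(der)}={escape_binary(der)})"


if __name__ == "__main__":
    entry: Entry = {"uid": [b"alice"]}
    add_cert(entry, CERT_A)
    print(find_cert(entry, CERT_A))   # attribute the cert was found under
    print(find_cert(entry, CERT_B))   # None: CERT_B is not enrolled
    print(search_filter(CERT_A))
```

Because the id is only 32 bits, two different certificates can legitimately
share an attribute description; keeping a list of values and comparing the
full blob on lookup is what makes that harmless.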
