[Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

Martin Basti mbasti at redhat.com
Thu Sep 15 08:32:19 UTC 2016



On 15.09.2016 10:10, Oleg Fayans wrote:
> Hi Martin,
>
> The file was renamed. Did I understand correctly that for now we are 
> leaving the test as is and are planning to extend it later?

I would like to have an SSSD check involved there; please use what Sumit 
recommends. No new test cases.

And this can be done by a separate patch. I want to have API/CLI 
certificate override tests for non-AD idview (extending the current tests I 
posted in this thread).

Martin^2
>
> On 09/15/2016 09:49 AM, Martin Basti wrote:
>>
>>
>> On 14.09.2016 18:53, Sumit Bose wrote:
>>> On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote:
>>>>
>>>> On 14.09.2016 17:53, Alexander Bokovoy wrote:
>>>>> On Wed, 14 Sep 2016, Martin Basti wrote:
>>>>>>
>>>>>> On 14.09.2016 17:41, Alexander Bokovoy wrote:
>>>>>>> On Wed, 14 Sep 2016, Martin Basti wrote:
>>>>>>>> 1)
>>>>>>>> I still don't see the reason why AD trust is needed. Default
>>>>>>>> trust ID view is added just by ipa-adtrust-install, adding
>>>>>>>> trust is not needed for current implementation. You don't
>>>>>>>> need AD for this, IDviews is generic feature not just for
>>>>>>>> AD. Is that user configured on AD side?
>>>>>>> You cannot add non-AD user to 'default trust view', so you will
>>>>>>> not be able to set up certificates to ID override which does not
>>>>>>> exist.
>>>>>>>
>>>>>>> For non-'default trust view' you can add both IPA and AD users,
>>>>>>> so using some other view and then assign certificate for a ID
>>>>>>> override in that one.
>>>>>>>
>>>>>> Ok then, but anyway I would like to see API/CLI tests for this
>>>>>> feature with proper output validation.
>>>>>>
>>>>>>
>>>>>> How can this be tested with SSSD?
>>>>> You need to log into the system with a certificate...
>>>> Is this possible from test? We are logged remotely as root, is
>>>> there any cmdline util which allows us to test certificate against
>>>> AD user?
>>>
>>> You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which should
>>> return the ssh key derived from the public key in the certificate. This
>>> should work for certificate stored in AD as well as for overrides.
>>>
>>> You can also use the DBus lookup by certificate as described in
>>> https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate 
>>> .
>>>
>>> HTH
>>>
>>> bye,
>>> Sumit
>>
>> Thank you Alexander and Sumit for hints.
>>
>> Oleg, I realized we don't have any other idviews integration tests.
>>
>> So I propose to rename test file you are adding to test_idviews.py. We
>> can add more testcases for idviews there later
>>
>> Martin^2
>>>> Martin^2
>>>>
>>
>
>
>
