[Freeipa-devel] Certificate Identity Mapping - new API to retrieve matching users

Petr Vobornik pvoborni at redhat.com
Wed Feb 22 09:02:24 UTC 2017


On 02/22/2017 12:43 AM, Fraser Tweedale wrote:
> On Tue, Feb 21, 2017 at 06:12:23PM +0100, Petr Vobornik wrote:
>> On 02/21/2017 05:15 PM, Florence Blanc-Renaud wrote:
>>> Hi,
>>>
>>> related to the Certificate Identity Mapping feature, a new CLI will be
>>> needed to find all the users matching a given certificate.
>>>
>>> I propose to provide this as:
>>>
>>> ipa certmaptest --certificate <cert>
>>> ---------------
>>> 2 users matched
>>> ---------------
>>>   Matched user login: test1
>>>   Matched user login: test2
>>> ----------------------------
>>> Number of entries returned 2
>>> ----------------------------
>>>
>>>
>>> Please provide any comments, suggestions on the CLI or the output.
>>> Thanks,
>>> Flo.
>>>
>>
>> Thanks Flo for sharing it.
>>
>> I don't like the command name. It is not self-explanatory. It says it is
>> testing something, but it is not clear what, and the actual result is users who
>> match the map configuration or have the cert in their user entry.
>>
>> Better would be:
>>   $ ipa certmap-match --certificate
>>
> How about `ipa certmap-find-user ...'?  Doesn't get more obvious
> than that, IMO.

Was thinking about that as well, but I think that the command might, in
future, also return something other than a user object, e.g. an ID override.

>
>>
>> Pasting user story to give context if somebody is not familiar with it:
>> """
>> As a Security Officer, I want to present IdM Server with an Employee Smart
>> Card certificate and list all Employees with a matching role account, so
>> that I can validate the configuration is correct
>>
>> Note: In FreeIPA 4.4, user-find --certificate can already find users linked
>> with a certificate blob
>>
>> Acceptance criteria:
>> * I can perform the administrative task both via IdM Web UI and CLI
>> * When asking IdM for the information, I should always receive the same list
>> that would be matched in client authentication workflows (by SSSD)
>> * The list of users should include both users linked via standard
>> certificate blob and other generically mapped users
>> """
>> --
>> Petr Vobornik
>>
>> Associate Manager, Engineering, Identity Management
>> Red Hat, Inc.
>>
>> --
>> Manage your subscription for the Freeipa-devel mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


-- 
Petr Vobornik

Associate Manager, Engineering, Identity Management
Red Hat, Inc.
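To make the two match sources from the user story concrete (users linked by a certificate blob, as `user-find --certificate` already does, plus users matched by a generic mapping rule), here is a small illustration of the lookup such a command would perform. This is added example code, not FreeIPA's or SSSD's implementation; the `Cert`, `User` and rule layout (issuer constraint plus one RDN-to-attribute mapping) are simplified assumptions, and the certificate bytes are constructed, not a real certificate.

```python
# Hypothetical matching logic for a "certmap-match" style command (added example,
# not FreeIPA code). Matches by stored certificate blob OR by a mapping rule.
import base64
import re
from dataclasses import dataclass, field


@dataclass
class Cert:
    blob: object                 # DER bytes or PEM text, as given on the CLI
    issuer: str                  # simplified issuer DN, e.g. "CN=Corp CA"
    subject: dict = field(default_factory=dict)   # simplified RDN map


@dataclass
class User:
    uid: str
    usercertificate: list = field(default_factory=list)  # stored DER blobs
    attrs: dict = field(default_factory=dict)            # other LDAP attributes


def to_der(blob):
    """Normalise DER bytes or PEM text to DER so blobs compare byte-for-byte."""
    if isinstance(blob, bytes):
        return blob
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", blob)
    return base64.b64decode("".join(body.split()))


def certmap_match(cert, users, rules):
    """Return sorted logins matched by blob or by any rule (deduplicated)."""
    der = to_der(cert.blob)
    matched = set()
    for u in users:
        if any(to_der(b) == der for b in u.usercertificate):
            matched.add(u.uid)                      # standard certificate blob link
        for rule in rules:
            if rule["issuer"] != cert.issuer:       # rule only applies to its issuer
                continue
            if u.attrs.get(rule["user_attr"]) == cert.subject.get(rule["cert_rdn"]):
                matched.add(u.uid)                  # generic mapping-rule match
    return sorted(matched)


# Constructed sample data (not a real certificate or real rule syntax).
SAMPLE_DER = b"\x30\x82\x01\x00constructed-not-a-real-cert"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode() + "\n-----END CERTIFICATE-----\n")
USERS = [User("test1", [SAMPLE_DER]),
         User("test2", attrs={"employeenumber": "E42"}),
         User("other", attrs={"employeenumber": "E99"})]
RULES = [{"issuer": "CN=Corp CA", "cert_rdn": "UID", "user_attr": "employeenumber"}]
SAMPLE_CERT = Cert(SAMPLE_PEM, "CN=Corp CA", {"CN": "Test One", "UID": "E42"})
```

Running `certmap_match(SAMPLE_CERT, USERS, RULES)` yields `["test1", "test2"]`: one user via the blob, one via the rule, which is the "same list SSSD would match" that the acceptance criteria ask for.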
