[Freeipa-devel] Certificate Identity Mapping - new API to retrieve matching users
Sumit Bose
sbose at redhat.com
Wed Feb 22 10:28:53 UTC 2017
On Wed, Feb 22, 2017 at 10:02:24AM +0100, Petr Vobornik wrote:
> On 02/22/2017 12:43 AM, Fraser Tweedale wrote:
> > On Tue, Feb 21, 2017 at 06:12:23PM +0100, Petr Vobornik wrote:
> > > On 02/21/2017 05:15 PM, Florence Blanc-Renaud wrote:
> > > > Hi,
> > > >
> > > > related to the Certificate Identity Mapping feature, a new CLI will be
> > > > needed to find all the users matching a given certificate.
> > > >
> > > > I propose to provide this as:
> > > >
> > > > ipa certmaptest --certificate <cert>
> > > > ---------------
> > > > 2 users matched
> > > > ---------------
> > > > Matched user login: test1
> > > > Matched user login: test2
> > > > ----------------------------
> > > > Number of entries returned 2
> > > > ----------------------------
> > > >
> > > >
> > > > Please provide any comments, suggestions on the CLI or the output.
> > > > Thanks,
> > > > Flo.
> > > >
> > >
> > > Thanks Flo for sharing it.
> > >
> > > I don't like the command name. It is not self explanatory. It says it is
> > > testing something, it is not clear what and the actual result is users who
> > > match the map configuration or have the cert in their user's entry.
> > >
> > > Better would be:
> > > $ ipa certmap-match --certificate
> > >
> > How about `ipa certmap-find-user ...'? Doesn't get more obvious
> > than that, IMO.
>
> Was thinking about that as well but I think that the command might, in
> future, return also something else than user object, e.g. ID override.

No, since the ID override is related to a user, the user should be
returned, not the override.

bye,
Sumit
>
> >
> > >
> > > Pasting user story to give context if somebody is not familiar with it:
> > > """
> > > As a Security Officer, I want to present IdM Server with an Employee Smart
> > > Card certificate and list all Employees with a matching role account, so
> > > that I can validate the configuration is correct
> > >
> > > Note: In FreeIPA 4.4, user-find --certificate can already find users linked
> > > with a certificate blob
> > >
> > > Acceptance criteria:
> > > * I can perform the administrative task both via IdM Web UI and CLI
> > > * When asking IdM for the information, I should always receive the same list
> > > that would be matched in client authentication workflows (by SSSD)
> > > * The list of users should include both users linked via standard
> > > certificate blob and other generically mapped users
> > > """
> > > --
> > > Petr Vobornik
> > >
> > > Associate Manager, Engineering, Identity Management
> > > Red Hat, Inc.
> > >
> > > --
> > > Manage your subscription for the Freeipa-devel mailing list:
> > > https://www.redhat.com/mailman/listinfo/freeipa-devel
> > > Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
>
>
> --
> Petr Vobornik
>
> Associate Manager, Engineering, Identity Management
> Red Hat, Inc.
>