[Freeipa-devel] Certificate Identity Mapping - new API to retrieve matching users

Jan Cholasta jcholast at redhat.com
Wed Feb 22 10:44:12 UTC 2017


On 22.2.2017 11:28, Sumit Bose wrote:
> On Wed, Feb 22, 2017 at 10:02:24AM +0100, Petr Vobornik wrote:
>> On 02/22/2017 12:43 AM, Fraser Tweedale wrote:
>>> On Tue, Feb 21, 2017 at 06:12:23PM +0100, Petr Vobornik wrote:
>>>> On 02/21/2017 05:15 PM, Florence Blanc-Renaud wrote:
>>>>> Hi,
>>>>>
>>>>> related to the Certificate Identity Mapping feature, a new CLI will be
>>>>> needed to find all the users matching a given certificate.
>>>>>
>>>>> I propose to provide this as:
>>>>>
>>>>> ipa certmaptest --certificate <cert>
>>>>> ---------------
>>>>> 2 users matched
>>>>> ---------------
>>>>>   Matched user login: test1
>>>>>   Matched user login: test2
>>>>> ----------------------------
>>>>> Number of entries returned 2
>>>>> ----------------------------
>>>>>
>>>>>
>>>>> Please provide any comments, suggestions on the CLI or the output.
>>>>> Thanks,
>>>>> Flo.
>>>>>
>>>>
>>>> Thanks Flo for sharing it.
>>>>
>>>> I don't like the command name. It is not self-explanatory. It says it is
>>>> testing something, but it is not clear what, and the actual result is users who
>>>> match the map configuration or have the cert in their user entry.
>>>>
>>>> Better would be:
>>>>   $ ipa certmap-match --certificate
>>>>
>>> How about `ipa certmap-find-user ...'?  Doesn't get more obvious
>>> than that, IMO.
>>
>> Was thinking about that as well but I think that the command might, in
>> future, also return something other than a user object, e.g. an ID override.
>
> No, since the ID override is related to a user the user should be
> returned not the override.

"user" in IPA means IPA user, so there will be a difference between IPA 
users and external users, which I think was Petr's point. I agree with 
him that certmap-find-user is not the right name for the command, 
because it suggests that it returns only IPA users.

>
> bye,
> Sumit
>
>>
>>>
>>>>
>>>> Pasting user story to give context if somebody is not familiar with it:
>>>> """
>>>> As a Security Officer, I want to present IdM Server with an Employee Smart
>>>> Card certificate and list all Employees with a matching role account, so
>>>> that I can validate the configuration is correct
>>>>
>>>> Note: In FreeIPA 4.4, user-find --certificate can already find users linked
>>>> with a certificate blob
>>>>
>>>> Acceptance criteria:
>>>> * I can perform the administrative task both via IdM Web UI and CLI
>>>> * When asking IdM for the information, I should always receive the same list
>>>> that would be matched in client authentication workflows (by SSSD)
>>>> * The list of users should include both users linked via standard
>>>> certificate blob and other generically mapped users
>>>> """
>>>> --
>>>> Petr Vobornik
>>>>
>>>> Associate Manager, Engineering, Identity Management
>>>> Red Hat, Inc.
>>>>
>>>> --
>>>> Manage your subscription for the Freeipa-devel mailing list:
>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
-- 
Jan Cholasta

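As an added illustration of the lookup the user story above asks for (example code written for this page, not FreeIPA's or SSSD's implementation): a certificate is matched both by exact blob, which is what `user-find --certificate` already does, and through a certmap-style rule (an issuer restriction plus a mapping template), and the two result sets are merged so that each login appears once, whether it is an IPA user or an ID override for an external user. The certificate, the directory entries, the rule objects and the `X509:<I>...<S>...` mapping-data string are constructed in-memory stand-ins and assumptions made for illustration; a real implementation would parse the certificate with an X.509 library and query LDAP.

```python
import base64
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for a parsed X.509 certificate (the DER bytes are fake)."""
    der: bytes
    subject_dn: str
    issuer_dn: str


@dataclass
class UserEntry:
    """Constructed stand-in for a directory entry: an IPA user or an ID override."""
    uid: str
    kind: str = "ipa-user"                                    # or "id-override"
    usercertificate: List[str] = field(default_factory=list)  # base64 DER blobs
    ipacertmapdata: List[str] = field(default_factory=list)   # mapping-data strings


@dataclass
class CertmapRule:
    """Assumed shape of a mapping rule: optional issuer restriction plus a template."""
    cn: str
    maprule: str                        # e.g. "X509:<I>{issuer_dn}<S>{subject_dn}"
    issuer_filter: Optional[str] = None  # assumed: exact issuer DN the rule applies to
    enabled: bool = True


def blob_matches(cert: Cert, entry: UserEntry) -> bool:
    # Exact-blob match: the behaviour user-find --certificate already provides.
    return base64.b64encode(cert.der).decode() in entry.usercertificate


def rule_matches(cert: Cert, rule: CertmapRule, entry: UserEntry) -> bool:
    # Rule match: first the matching rule (issuer), then the mapping rule.
    if not rule.enabled:
        return False
    if rule.issuer_filter is not None and rule.issuer_filter != cert.issuer_dn:
        return False
    expected = rule.maprule.format(issuer_dn=cert.issuer_dn, subject_dn=cert.subject_dn)
    return expected in entry.ipacertmapdata


def find_matching_users(cert: Cert, entries: List[UserEntry],
                        rules: List[CertmapRule]) -> Dict[str, List[str]]:
    """Map each matched login to the reasons it matched; one entry per login."""
    matched: Dict[str, set] = {}
    for entry in entries:
        if blob_matches(cert, entry):
            matched.setdefault(entry.uid, set()).add("certificate")
        for rule in rules:
            if rule_matches(cert, rule, entry):
                matched.setdefault(entry.uid, set()).add("rule:" + rule.cn)
    return {uid: sorted(reasons) for uid, reasons in sorted(matched.items())}


def render(matches: Dict[str, List[str]]) -> str:
    """Text in the shape of the CLI output proposed in the thread."""
    lines = [f"{len(matches)} users matched"]
    for uid, reasons in matches.items():
        lines.append(f"  Matched user login: {uid} ({', '.join(reasons)})")
    lines.append(f"Number of entries returned {len(matches)}")
    return "\n".join(lines)


# Constructed sample data (issuer DNs, certificate bytes and entries are made up).
IPA_CA = "O=EXAMPLE.COM,CN=Certificate Authority"
AD_CA = "DC=com,DC=ad,CN=AD-CA"
SAMPLE_CERT = Cert(der=b"\x30\x82\x01\x0a" + bytes(range(16)),
                   subject_dn="O=EXAMPLE.COM,CN=test1", issuer_dn=IPA_CA)
SAMPLE_BLOB = base64.b64encode(SAMPLE_CERT.der).decode()

RULES = [
    CertmapRule(cn="ipa-default", maprule="X509:<I>{issuer_dn}<S>{subject_dn}"),
    CertmapRule(cn="ad-smartcards", maprule="X509:<I>{issuer_dn}<S>{subject_dn}",
                issuer_filter=AD_CA),
]

ENTRIES = [
    # test1: linked by blob AND by mapping data; must be listed only once.
    UserEntry("test1", usercertificate=[SAMPLE_BLOB],
              ipacertmapdata=[f"X509:<I>{IPA_CA}<S>O=EXAMPLE.COM,CN=test1"]),
    # test2: ID override of an external user, matched only through the rule.
    UserEntry("test2", kind="id-override",
              ipacertmapdata=[f"X509:<I>{IPA_CA}<S>O=EXAMPLE.COM,CN=test1"]),
    # test3: mapping data for a different subject; no match.
    UserEntry("test3", ipacertmapdata=[f"X509:<I>{IPA_CA}<S>O=EXAMPLE.COM,CN=test3"]),
    # test4: data only the AD rule could produce; its issuer filter rejects this cert.
    UserEntry("test4", ipacertmapdata=[f"X509:<I>{AD_CA}<S>O=EXAMPLE.COM,CN=test1"]),
]

if __name__ == "__main__":
    print(render(find_matching_users(SAMPLE_CERT, ENTRIES, RULES)))
```

Running it lists test1 (blob and rule) and test2 (rule only) and nothing else, which is the point of the acceptance criteria: one query, one deduplicated list covering both blob-linked users and generically mapped ones, including entries that are not IPA users.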