[Freeipa-devel] Certificate Identity Mapping

Jan Cholasta jcholast at redhat.com
Mon Jan 2 08:16:00 UTC 2017


On 16.12.2016 09:34, Florence Blanc-Renaud wrote:
> On 12/06/2016 04:39 PM, Florence Blanc-Renaud wrote:
>> Hi,
>>
>> I have started a feature description for the Certificate Identity
>> Mapping at the following location:
>> http://www.freeipa.org/page/V4/Certificate_Identity_Mapping
>>
>> This is a first step, focusing on the interface we would like to
>> provide. It still contains open questions, some of which are linked to
>> the corresponding design on SSSD side:
>> https://fedorahosted.org/sssd/wiki/DesignDocs/MatchingAndMappingCertificates
>>
>> https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardsAndMultipleIdentities
>>
>> Comments, concerns and suggestions are welcome. Thanks!
>>
>> Flo.
>>
>
> Hi,
>
> the design page for Certificate Identity Mapping [1] has been updated
> with a schema proposal and an example of configuration data.
>
> Please share your comments, concerns, suggestions before January 7, so
> that we can finalize the API and start the implementation.
> Thanks,
> Flo.

1) I'm not a fan of host-mod --certmapping-prompt-username. IMO it would 
be better to base this on group membership, which would allow automember 
to be used.

A possible solution would be to introduce a CoS-based policy object, 
similar to pwpolicy, but for hosts:

     certmappolicy-mod [HOSTGROUP] --prompt-username=Boolean
     certmappolicy-add HOSTGROUP --prompt-username=Boolean
     certmappolicy-del HOSTGROUP

HOSTGROUP can be omitted in certmappolicy-mod, in which case the default 
policy is modified. This would allow removing --prompt-username and 
--enable-local-prompt-policy from certmappingconfig.


2) Nitpick: could we please rename certmapping* to certmap*? Not only 
would it be quicker to type on the command line, but it would also be 
named consistently with selinuxusermap.


-- 
Jan Cholasta
