[Freeipa-devel] Certificate Identity Mapping - new API to retrieve matching users

Petr Vobornik pvoborni at redhat.com
Tue Feb 21 17:12:23 UTC 2017


On 02/21/2017 05:15 PM, Florence Blanc-Renaud wrote:
> Hi,
>
> related to the Certificate Identity Mapping feature, a new CLI will be
> needed to find all the users matching a given certificate.
>
> I propose to provide this as:
>
> ipa certmaptest --certificate <cert>
> ---------------
> 2 users matched
> ---------------
>   Matched user login: test1
>   Matched user login: test2
> ----------------------------
> Number of entries returned 2
> ----------------------------
>
>
> Please provide any comments, suggestions on the CLI or the output.
> Thanks,
> Flo.
>

Thanks Flo for sharing it.

I don't like the command name. It is not self-explanatory. It says it is 
testing something, but it is not clear what, and the actual result is users 
who match the map configuration or have the cert in their user's entry.

Better would be:
   $ ipa certmap-match --certificate


Pasting user story to give context if somebody is not familiar with it:
"""
As a Security Officer, I want to present IdM Server with an Employee 
Smart Card certificate and list all Employees with a matching role 
account, so that I can validate the configuration is correct

Note: In FreeIPA 4.4, user-find --certificate can already find users 
linked with a certificate blob

Acceptance criteria:
* I can perform the administrative task both via IdM Web UI and CLI
* When asking IdM for the information, I should always receive the same 
list that would be matched in client authentication workflows (by SSSD)
* The list of users should include both users linked via standard 
certificate blob and other generically mapped users
"""
-- 
Petr Vobornik

Associate Manager, Engineering, Identity Management
Red Hat, Inc.



