[Freeipa-devel] Certificate Identity Mapping - new API to retrieve matching users
Fraser Tweedale
ftweedal at redhat.com
Tue Feb 21 23:43:35 UTC 2017
On Tue, Feb 21, 2017 at 06:12:23PM +0100, Petr Vobornik wrote:
> On 02/21/2017 05:15 PM, Florence Blanc-Renaud wrote:
> > Hi,
> >
> > related to the Certificate Identity Mapping feature, a new CLI will be
> > needed to find all the users matching a given certificate.
> >
> > I propose to provide this as:
> >
> > ipa certmaptest --certificate <cert>
> > ---------------
> > 2 users matched
> > ---------------
> > Matched user login: test1
> > Matched user login: test2
> > ----------------------------
> > Number of entries returned 2
> > ----------------------------
> >
> >
> > Please provide any comments, suggestions on the CLI or the output.
> > Thanks,
> > Flo.
> >
>
> Thanks Flo for sharing it.
>
> I don't like the command name. It is not self-explanatory. It says it is
> testing something, it is not clear what and the actual result is users who
> match the map configuration or have the cert in their user's entry.
>
> Better would be:
> $ ipa certmap-match --certificate
>
How about `ipa certmap-find-user ...'? Doesn't get more obvious
than that, IMO.
>
> Pasting user story to give context if somebody is not familiar with it:
> """
> As a Security Officer, I want to present IdM Server with an Employee Smart
> Card certificate and list all Employees with a matching role account, so
> that I can validate the configuration is correct
>
> Note: In FreeIPA 4.4, user-find --certificate can already find users linked
> with a certificate blob
>
> Acceptance criteria:
> * I can perform the administrative task both via IdM Web UI and CLI
> * When asking IdM for the information, I should always receive the same list
> that would be matched in client authentication workflows (by SSSD)
> * The list of users should include both users linked via standard
> certificate blob and other generically mapped users
> """
> --
> Petr Vobornik
>
> Associate Manager, Engineering, Identity Management
> Red Hat, Inc.