[Freeipa-devel] Certificate Identity Mapping - new API to retrieve matching users

Fraser Tweedale ftweedal at redhat.com
Tue Feb 21 23:43:35 UTC 2017


On Tue, Feb 21, 2017 at 06:12:23PM +0100, Petr Vobornik wrote:
> On 02/21/2017 05:15 PM, Florence Blanc-Renaud wrote:
> > Hi,
> > 
> > related to the Certificate Identity Mapping feature, a new CLI will be
> > needed to find all the users matching a given certificate.
> > 
> > I propose to provide this as:
> > 
> > ipa certmaptest --certificate <cert>
> > ---------------
> > 2 users matched
> > ---------------
> >   Matched user login: test1
> >   Matched user login: test2
> > ----------------------------
> > Number of entries returned 2
> > ----------------------------
> > 
> > 
> > Please provide any comments, suggestions on the CLI or the output.
> > Thanks,
> > Flo.
> > 
> 
> Thanks Flo for sharing it.
> 
> I don't like the command name. It is not self-explanatory. It says it is
> testing something, it is not clear what and the actual result is users who
> match the map configuration or have the cert in their user's entry.
> 
> Better would be:
>   $ ipa certmap-match --certificate
> 
How about `ipa certmap-find-user ...'?  Doesn't get more obvious
than that, IMO.

> 
> Pasting user story to give context if somebody is not familiar with it:
> """
> As a Security Officer, I want to present IdM Server with an Employee Smart
> Card certificate and list all Employees with a matching role account, so
> that I can validate the configuration is correct
> 
> Note: In FreeIPA 4.4, user-find --certificate can already find users linked
> with a certificate blob
> 
> Acceptance criteria:
> * I can perform the administrative task both via IdM Web UI and CLI
> * When asking IdM for the information, I should always receive the same list
> that would be matched in client authentication workflows (by SSSD)
> * The list of users should include both users linked via standard
> certificate blob and other generically mapped users
> """
> -- 
> Petr Vobornik
> 
> Associate Manager, Engineering, Identity Management
> Red Hat, Inc.
> 