On Wed, 2011-11-02 at 16:44 -0400, Ade Lee wrote:
> On Wed, 2011-11-02 at 16:03 -0400, Adam Young wrote:
[...]
> So, a user becomes an agent on the ca by having a certificate in the
> user record and being a member of the relevant admin, agent or auditor
> group.
> 
> I see this as follows:
> 1. ipa cms-user-add (add a user and add the auxilliary cmsuser object
> class) 
> 2. ipa user-cert (contact the ca and get a certificate for this user,
> add this cert to the user record in the ipa database)
> 3. ipa group-add-member (add the user to the relevant group)
> 
> At no point does PKI need to modify anything in the IPA database.

Sounds reasonable.
Can you post a link to the schema that would be added to IPA objects ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to