On Wed, 2011-11-02 at 16:44 -0400, Ade Lee wrote:
> On Wed, 2011-11-02 at 16:03 -0400, Adam Young wrote:
[...]
> So, a user becomes an agent on the ca by having a certificate in the
> user record and being a member of the relevant admin, agent or auditor
> group.
>
> I see this as follows:
> 1. ipa cms-user-add (add a user and add the auxiliary cmsuser object
>    class)
> 2. ipa user-cert (contact the ca and get a certificate for this user,
>    add this cert to the user record in the ipa database)
> 3. ipa group-add-member (add the user to the relevant group)
>
> At no point does PKI need to modify anything in the IPA database.

Sounds reasonable.
Can you post a link to the schema that would be added to IPA objects?

Simo.

--
Simo Sorce * Red Hat, Inc * New York