On Wed, 2011-11-02 at 16:44 -0400, Ade Lee wrote:
> On Wed, 2011-11-02 at 16:03 -0400, Adam Young wrote:
> So, a user becomes an agent on the ca by having a certificate in the
> user record and being a member of the relevant admin, agent or auditor
> group.
> I see this as follows:
> 1. ipa cms-user-add (add a user and add the auxilliary cmsuser object
> class) 
> 2. ipa user-cert (contact the ca and get a certificate for this user,
> add this cert to the user record in the ipa database)
> 3. ipa group-add-member (add the user to the relevant group)
> At no point does PKI need to modify anything in the IPA database.

Sounds reasonable.
Can you post a link to the schema that would be added to IPA objects ?


Simo Sorce * Red Hat, Inc * New York

Freeipa-devel mailing list

Reply via email to