On 05/25/2015 03:56 PM, Martin Kosek wrote:
On 05/25/2015 03:13 PM, Jan Cholasta wrote:

Dne 25.5.2015 v 14:55 Martin Babinsky napsal(a):
Hello all, long post ahead!

I became a proud owner of https://fedorahosted.org/freeipa/ticket/4238,
and while Martin's design page
(http://www.freeipa.org/page/V4/User_Certificates) brings a
comprehensive overview of what should be done, there are still some gray
areas we should address both in the design page and the actual

These are the things that were agreed upon in previous thread(s):

1.) If the whole user certificates are available, the should be stored
directly in the user entry as an attribute of the following format:


where "id" should be an unique identifier. IIRC we agreed that the
first/last 4 bytes of cert's SHA512 hash should fill the 'id' role
nicely. During user authentication the whole binary blob would be
matched (pspacek pointed out that the cost of this operation is

2.) In addition, or when the user certs are stored externally, we should
store the certificate metadata in the user entry. These metadata should
be represented by "userCertAttrs;$id;$attr" attributes, where $attr
subtype corresponds to the type of metadata (issuer, serial no., profile
id, certificate hash etc.). The authentication/lookup would require some
custom matching rule to fetch the correct cert.

Point 1. seems clear to me, we need to implement an index for
userCertificate attribute in DS and modify 'user-add/mod' commands to
allow for direct enrollment through API ("--usercertificate" option).

Point 2. requires more work: we need to add a new attribute
"userCertAttrs" to the schema and create DS index/custom matching rule
for searching. I'm also not quite sure how to approach the task of
getting these metadata from external storage and putting them to the
user entry.

Both points are obsolete. See the design page you linked for the current plan.

Huh, where that came from Martin? Did you have some cached old version of the
design page? I am just wondering what went wrong, as this is something I
deleted from that page month ago.

I probably got confused during re-reading threads on 'ipa-samba-team-list'.

So the only thing we require (for now) is the ability to search and store full user certificates in the user entry? Did I get it right?

Martin^3 Babinsky

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to