On 05/25/2015 04:19 PM, Martin Babinsky wrote:
> On 05/25/2015 03:56 PM, Martin Kosek wrote:
>> On 05/25/2015 03:13 PM, Jan Cholasta wrote:
>>> Hi,
>>> Dne 25.5.2015 v 14:55 Martin Babinsky napsal(a):
>>>> Hello all, long post ahead!
>>>> I became a proud owner of https://fedorahosted.org/freeipa/ticket/4238,
>>>> and while Martin's design page
>>>> (http://www.freeipa.org/page/V4/User_Certificates) brings a
>>>> comprehensive overview of what should be done, there are still some gray
>>>> areas we should address both in the design page and the actual
>>>> implementation.
>>>> These are the things that were agreed upon in previous thread(s):
>>>> 1.) If the whole user certificates are available, the should be stored
>>>> directly in the user entry as an attribute of the following format:
>>>>       "userCertificate;binary;$id",
>>>> where "id" should be an unique identifier. IIRC we agreed that the
>>>> first/last 4 bytes of cert's SHA512 hash should fill the 'id' role
>>>> nicely. During user authentication the whole binary blob would be
>>>> matched (pspacek pointed out that the cost of this operation is
>>>> acceptable).
>>>> 2.) In addition, or when the user certs are stored externally, we should
>>>> store the certificate metadata in the user entry. These metadata should
>>>> be represented by "userCertAttrs;$id;$attr" attributes, where $attr
>>>> subtype corresponds to the type of metadata (issuer, serial no., profile
>>>> id, certificate hash etc.). The authentication/lookup would require some
>>>> custom matching rule to fetch the correct cert.
>>>> Point 1. seems clear to me, we need to implement an index for
>>>> userCertificate attribute in DS and modify 'user-add/mod' commands to
>>>> allow for direct enrollment through API ("--usercertificate" option).
>>>> Point 2. requires more work: we need to add a new attribute
>>>> "userCertAttrs" to the schema and create DS index/custom matching rule
>>>> for searching. I'm also not quite sure how to approach the task of
>>>> getting these metadata from external storage and putting them to the
>>>> user entry.
>>> Both points are obsolete. See the design page you linked for the current 
>>> plan.
>> Huh, where that came from Martin? Did you have some cached old version of the
>> design page? I am just wondering what went wrong, as this is something I
>> deleted from that page month ago.
> I probably got confused during re-reading threads on 'ipa-samba-team-list'.
> So the only thing we require (for now) is the ability to search and store full
> user certificates in the user entry? Did I get it right?

If you read freeipa-devel more closely, you would see I already sent proposal
for this feature almost a month ago :-)



Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to