On 16.12.2016 09:34, Florence Blanc-Renaud wrote:
On 12/06/2016 04:39 PM, Florence Blanc-Renaud wrote:

I have started a feature description for the Certificate Identity
Mapping at the following location:

This is a first step, focusing on the interface we would like to
provide. It still contains open questions, some of which are linked to
the corresponding design on SSSD side:


Comments, concerns and suggestions are welcome. Thanks!



the design page for Certificate Identity Mapping [1] has been updated
with a schema proposal and an example of configuration data.

Please share your comments, concerns, suggestions before January 7, so
that we can finalize the API and start the implementation.

1) I'm not fan of host-mod --certmapping-prompt-username. IMO it would be better to base this on group membership, which would allow automember to be used.

A possible solution would be to introduce a CoS-based policy object, similar to pwpolicy, but for hosts:

    certmappolicy-mod [HOSTGROUP] --prompt-username=Boolean
    certmappolicy-add HOSTGROUP --prompt-username=Boolean
    certmappolicy-del HOSTGROUP

HOSTGROUP can be ommited in certmappolicy-mod, in which case the default policy is modified. This would allow removing --prompt-username and --enable-local-prompt-policy from certmappingconfig.

2) Nitpick: could we please rename certmapping* to certmap*? Not only would it be quicker to type in the command line, but also named consistently with selinuxusermap.

Jan Cholasta

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to