On ti, 17 tammi 2017, Florence Blanc-Renaud wrote:
On 01/16/2017 03:52 PM, David Kupka wrote:
Hello everyone!

I've noticed that our API for stageuser is missing some commands that
user has (stageuser-{add,remove}-{principal,cert}). I was wondering if
there is reason for it but after asking some fellows developers it seems
that there's none.

I understand the stageuser area as a place where user entry can be
created and amended during the hiring process in organization, example:

1. HR creates the entry with just basic informations (givenname,
surname, manager)
2. IT assigns basic account information (uid, gid)
3. based on to-be-employee manager's request IT adds additional group
membership (memberOf)
4. based on to-be-employee request IT adds login alias (krbPrincipalName)
5. Security Officer adds certificate from Smart Card assigned to the
6. HR adds extra information to the account (address, marital status, ...)
7. Facilities update work place related information (seat number, phone
number, ...)
8. At the first day IT activates the user account.

Considering this work flow I think it might be useful to have the same
API for stageuser as for the user.

Does the example work flow make sense?
Should we provide the same set of commands for user and stageuser?

Thanks for your ideas and opinions!
Hi David,

I would be in favor of providing the same API for stageuser and user.

It is already possible to add a certificate or a principal alias to a stageuser with ipa stageuser-mod --cert or ipa stageuser-mod --principal, meaning that those operations are not forbidden.

I also checked that a stageuser
- is not able to perform kinit with any of his principal aliases
- is not able to authenticate to the LDAP server with a DN/pwd
- is not able to authenticate to the LDAP server using his SSL cert
- is not able to login with user/pwd on a client console
so I do not see any security concern with your proposal.
Thank you, Flo. Let's then proceed with the David's proposal.

For the record, we discussed this proposal on a weekly development call
and I raised the questions about authentication above. Florence
volunteered to experiment with it to see if SSL certificate
authentication would be possible. It is not, so we can unify the API
behind both user and stageuser.

/ Alexander Bokovoy

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to