On 02/22/2017 12:43 AM, Fraser Tweedale wrote:
On Tue, Feb 21, 2017 at 06:12:23PM +0100, Petr Vobornik wrote:
On 02/21/2017 05:15 PM, Florence Blanc-Renaud wrote:
Hi,

related to the Certificate Identity Mapping feature, a new CLI will be
needed to find all the users matching a given certificate.

I propose to provide this as:

ipa certmaptest --certificate <cert>
---------------
2 users matched
---------------
  Matched user login: test1
  Matched user login: test2
----------------------------
Number of entries returned 2
----------------------------


Please provide any comments, suggestions on the CLI or the output.
Thanks,
Flo.


Thanks Flo for sharing it.

I don't like the command name. It is not self-explanatory. It says it is
testing something, it is not clear what, and the actual result is users who
match the map configuration or have the cert in their user's entry.

Better would be:
  $ ipa certmap-match --certificate

How about `ipa certmap-find-user ...'?  Doesn't get more obvious
than that, IMO.

Was thinking about that as well but I think that the command might, in future, return also something else than user object, e.g. ID override.



Pasting user story to give context if somebody is not familiar with it:
"""
As a Security Officer, I want to present IdM Server with an Employee Smart
Card certificate and list all Employees with a matching role account, so
that I can validate the configuration is correct

Note: In FreeIPA 4.4, user-find --certificate can already find users linked
with a certificate blob

Acceptance criteria:
* I can perform the administrative task both via IdM Web UI and CLI
* When asking IdM for the information, I should always receive the same list
that would be matched in client authentication workflows (by SSSD)
* The list of users should include both users linked via standard
certificate blob and other generically mapped users
"""
--
Petr Vobornik

Associate Manager, Engineering, Identity Management
Red Hat, Inc.

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

