On Wed, Feb 22, 2017 at 10:02:24AM +0100, Petr Vobornik wrote:
> On 02/22/2017 12:43 AM, Fraser Tweedale wrote:
> > On Tue, Feb 21, 2017 at 06:12:23PM +0100, Petr Vobornik wrote:
> > > On 02/21/2017 05:15 PM, Florence Blanc-Renaud wrote:
> > > > Hi,
> > > > 
> > > > related to the Certificate Identity Mapping feature, a new CLI will be
> > > > needed to find all the users matching a given certificate.
> > > > 
> > > > I propose to provide this as:
> > > > 
> > > > ipa certmaptest --certificate <cert>
> > > > ---------------
> > > > 2 users matched
> > > > ---------------
> > > >   Matched user login: test1
> > > >   Matched user login: test2
> > > > ----------------------------
> > > > Number of entries returned 2
> > > > ----------------------------
> > > > 
> > > > 
> > > > Please provide any comments, suggestions on the CLI or the output.
> > > > Thanks,
> > > > Flo.
> > > > 
> > > 
> > > Thanks Flo for sharing it.
> > > 
> > > I don't like the command name. It is not self explanatory. It says it is
> > > testing something, it is not clear what and the actual result is users who
> > > match the map configuration or have the cert in their user's entry.
> > > 
> > > Better would be:
> > >   $ ipa certmap-match --certificate
> > > 
> > How about `ipa certmap-find-user ...'?  Doesn't get more obvious
> > than that, IMO.
> 
> Was thinking about that as well but I think that the command might, in
> future, return also something else then user object, e.g. ID override.

No, since the ID override is related to a user the user should be
returned not the override.

bye,
Sumit

> 
> > 
> > > 
> > > Pasting user story to give context if somebody is not familiar with it:
> > > """
> > > As a Security Officer, I want to present IdM Server with an Employee Smart
> > > Card certificate and list all Employees with a matching role account, so
> > > that I can validate the configuration is correct
> > > 
> > > Note: In FreeIPA 4.4, user-find --certificate can already find users 
> > > linked
> > > with a certificate blob
> > > 
> > > Acceptance criteria:
> > > * I can perform the administrative task both via IdM Web UI and CLI
> > > * When asking IdM for the information, I should always receive the same 
> > > list
> > > that would be matched in client authentication workflows (by SSSD)
> > > * The list of users should include both users linked via standard
> > > certificate blob and other generically mapped users
> > > """
> > > --
> > > Petr Vobornik
> > > 
> > > Associate Manager, Engineering, Identity Management
> > > Red Hat, Inc.
> > > 
> > > --
> > > Manage your subscription for the Freeipa-devel mailing list:
> > > https://www.redhat.com/mailman/listinfo/freeipa-devel
> > > Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
> 
> 
> -- 
> Petr Vobornik
> 
> Associate Manager, Engineering, Identity Management
> Red Hat, Inc.
> 
> -- 
> Manage your subscription for the Freeipa-devel mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-devel
> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to