On 11/02/2011 06:19 PM, Rob Crittenden wrote:
Simo Sorce wrote:
On Wed, 2011-11-02 at 16:44 -0400, Ade Lee wrote:
On Wed, 2011-11-02 at 16:03 -0400, Adam Young wrote:
[...]
So, a user becomes an agent on the ca by having a certificate in the
user record and being a member of the relevant admin, agent or auditor
group.

I see this as follows:
1. ipa cms-user-add (add a user and add the auxiliary cmsuser object
class)
2. ipa user-cert (contact the ca and get a certificate for this user,
add this cert to the user record in the ipa database)
3. ipa group-add-member (add the user to the relevant group)

At no point does PKI need to modify anything in the IPA database.

Sounds reasonable.
Can you post a link to the schema that would be added to IPA objects ?

Simo.

I think this is it:

http://svn.fedorahosted.org/svn/pki/trunk/pki/base/ca/shared/conf/schema.ldif

Look for cmsuser.


The cert seems to come from

05rfc4523.ldif

and is added in

06inetorgperson.ldif

Which is already in our user record.

CMS only seems to "require" usertype, which is a string, and "allows" userstate, which is an integer.

IIRC the user we create in CS now has the description attribute set up in a very specific way. Is that still required?

rob

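The three steps proposed above, written out as the LDAP changes they imply against the IPA directory. This is an added example and is not from the thread or from the FreeIPA or PKI code; the base DN, the user, the group name, the certificate file path and the usertype value are assumptions, and only usertype (MUST) and userstate (MAY) come from the cmsuser object class described in the thread.

```ldif
# Step 1: ipa cms-user-add
# Add the auxiliary cmsuser object class to an existing IPA user.
# cmsuser requires usertype (a string); userstate (an integer) is optional.
# The usertype value "agentType" is an assumption, not taken from the thread.
dn: uid=caagent,cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: cmsuser
-
add: usertype
usertype: agentType
-
add: userstate
userstate: 1

# Step 2: ipa user-cert
# Store the certificate the CA issued for this user in the user record.
# userCertificate is already allowed by inetOrgPerson, so no new object
# class is needed. The DER file path is an assumption for this example.
dn: uid=caagent,cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: userCertificate;binary
userCertificate;binary:< file:///tmp/caagent.der

# Step 3: ipa group-add-member
# Make the user a member of the agent group. The group name is an
# assumption; memberOf on the user is maintained by the memberOf plugin.
dn: cn=ca-agents,cn=groups,cn=accounts,dc=example,dc=com
changetype: modify
add: member
member: uid=caagent,cn=users,cn=accounts,dc=example,dc=com
```

Apply with `ldapmodify -f` as an IPA admin. All three modifications are written by IPA tooling against IPA's own tree, so PKI only reads the result: a user that has the cmsuser object class, a userCertificate value and membership in the relevant group. A quick check that a user is in the expected state is an ldapsearch for `(&(objectClass=cmsuser)(userCertificate;binary=*)(memberOf=cn=ca-agents,cn=groups,cn=accounts,dc=example,dc=com))`. A user missing any one of the three should not be treated as an agent.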
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel