On Wed, 2011-11-02 at 20:25 -0400, Adam Young wrote:
> On 11/02/2011 06:19 PM, Rob Crittenden wrote:
> > Simo Sorce wrote:
> >> On Wed, 2011-11-02 at 16:44 -0400, Ade Lee wrote:
> >>> On Wed, 2011-11-02 at 16:03 -0400, Adam Young wrote:
> >> [...]
> >>> So, a user becomes an agent on the ca by having a certificate in the
> >>> user record and being a member of the relevant admin, agent or auditor
> >>> group.
> >>>
> >>> I see this as follows:
> >>> 1. ipa cms-user-add (add a user and add the auxiliary cmsuser object
> >>> class)
> >>> 2. ipa user-cert (contact the ca and get a certificate for this user,
> >>> add this cert to the user record in the ipa database)
> >>> 3. ipa group-add-member (add the user to the relevant group)
> >>>
> >>> At no point does PKI need to modify anything in the IPA database.
> >>
> >> Sounds reasonable.
> >> Can you post a link to the schema that would be added to IPA objects?
> >>
> >> Simo.
> >>
> I think this is it:
>
> http://svn.fedorahosted.org/svn/pki/trunk/pki/base/ca/shared/conf/schema.ldif
>
> Look for cmsuser.
Unfortunately it looks like the cmsuser objectclass is of type structural,
which means it cannot be added to existing records.

> The cert seems to come from
>
> 05rfc4523.ldif
>
> and is added in
>
> 06inetorgperson.ldif
>
> Which is already in our user record.
>
> CMS only seems to "require" usertype, which is a string, and "allows"
> userstate which is an integer.

I wonder if we can convince PKI to use a different schema to represent this
information. We can use Roles or Groups to tell what type of user a user is;
not sure about the state, as that schema file has exactly the same comment
for both usertype and userstate, which seems a bug.

> > IIRC the user we create in CS now has the description attribute set up
> > in a very specific way. Is that still required?

What is description used for?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
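A small schema check for the structural-versus-auxiliary point raised in the thread, added here as an example (it is not code from the thread, from FreeIPA or from the PKI project): it unfolds an LDIF schema file, parses each `objectClasses:` definition in RFC 4512 syntax, and reports whether the class can be layered onto an existing entry such as an inetOrgPerson user record. The sample LDIF is constructed to mirror the cmsuser description above (STRUCTURAL, requires usertype, allows userstate) with placeholder OIDs; it is not the real schema.ldif.

```python
import re

# Constructed sample, NOT the PKI schema.ldif. OIDs 9.9.9.x are placeholders.
# The second class is a hypothetical AUXILIARY variant for comparison.
SAMPLE_SCHEMA_LDIF = """\
dn: cn=schema
objectClasses: ( 9.9.9.1 NAME 'cmsuser' DESC 'constructed sample'
  SUP top STRUCTURAL MUST usertype MAY userstate X-ORIGIN 'constructed' )
objectClasses: ( 9.9.9.2 NAME 'cmsuserAux' DESC 'hypothetical aux variant'
  SUP top AUXILIARY MUST usertype MAY ( userstate $ description ) )
"""


def unfold_ldif(text):
    """Join LDIF continuation lines (those starting with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def _attr_list(body, keyword):
    """Return the attribute names after MUST or MAY: 'a' or '( a $ b )'."""
    m = re.search(rf"\b{keyword}\s+(\([^)]*\)|[\w\-;]+)", body)
    if not m:
        return []
    return [a.strip() for a in m.group(1).strip("() ").split("$") if a.strip()]


def parse_object_classes(ldif_text):
    """Map objectclass name -> {'kind', 'must', 'may'} from an LDIF schema."""
    classes = {}
    for line in unfold_ldif(ldif_text):
        if not line.lower().startswith("objectclasses:"):
            continue
        body = line.split(":", 1)[1]
        name = re.search(r"NAME\s+'([^']+)'", body)
        kind = re.search(r"\b(STRUCTURAL|AUXILIARY|ABSTRACT)\b", body)
        if name:
            classes[name.group(1)] = {
                # RFC 4512: a definition without a kind is STRUCTURAL.
                "kind": kind.group(1) if kind else "STRUCTURAL",
                "must": _attr_list(body, "MUST"),
                "may": _attr_list(body, "MAY"),
            }
    return classes


def can_add_to_existing_entry(classes, name):
    """Only AUXILIARY classes can be added to an entry that already has
    a structural class (e.g. an inetOrgPerson user record)."""
    return classes[name]["kind"] == "AUXILIARY"
```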