On 16.12.2016 09:34, Florence Blanc-Renaud wrote:
> On 12/06/2016 04:39 PM, Florence Blanc-Renaud wrote:
>> Hi,
>> I have started a feature description for the Certificate Identity
>> Mapping at the following location:
>> http://www.freeipa.org/page/V4/Certificate_Identity_Mapping
>> This is a first step, focusing on the interface we would like to
>> provide. It still contains open questions, some of which are linked to
>> the corresponding design on SSSD side:
>> https://fedorahosted.org/sssd/wiki/DesignDocs/MatchingAndMappingCertificates
>> https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardsAndMultipleIdentities
>> Comments, concerns and suggestions are welcome. Thanks!
>> Flo.
> Hi,
> the design page for Certificate Identity Mapping [1] has been updated
> with a schema proposal and an example of configuration data.
> Please share your comments, concerns, suggestions before January 7, so
> that we can finalize the API and start the implementation.
> Thanks,
> Flo.
1) I'm not a fan of host-mod --certmapping-prompt-username. IMO it would
be better to base this on group membership, which would allow automember
to be used.
A possible solution would be to introduce a CoS-based policy object,
similar to pwpolicy, but for hosts:
certmappolicy-mod [HOSTGROUP] --prompt-username=Boolean
certmappolicy-add HOSTGROUP --prompt-username=Boolean
certmappolicy-del HOSTGROUP
HOSTGROUP can be omitted in certmappolicy-mod, in which case the default
policy is modified. This would allow removing --prompt-username and
--enable-local-prompt-policy from certmappingconfig.
2) Nitpick: could we please rename certmapping* to certmap*? Not only
would it be quicker to type in the command line, but it would also be
named consistently with selinuxusermap.
--
Jan Cholasta