On Wed, Feb 22, 2017 at 10:02:24AM +0100, Petr Vobornik wrote: > On 02/22/2017 12:43 AM, Fraser Tweedale wrote: > > On Tue, Feb 21, 2017 at 06:12:23PM +0100, Petr Vobornik wrote: > > > On 02/21/2017 05:15 PM, Florence Blanc-Renaud wrote: > > > > Hi, > > > > > > > > related to the Certificate Identity Mapping feature, a new CLI will be > > > > needed to find all the users matching a given certificate. > > > > > > > > I propose to provide this as: > > > > > > > > ipa certmaptest --certificate <cert> > > > > --------------- > > > > 2 users matched > > > > --------------- > > > > Matched user login: test1 > > > > Matched user login: test2 > > > > ---------------------------- > > > > Number of entries returned 2 > > > > ---------------------------- > > > > > > > > > > > > Please provide any comments, suggestions on the CLI or the output. > > > > Thanks, > > > > Flo. > > > > > > > > > > Thanks Flo for sharing it. > > > > > > I don't like the command name. It is not self explanatory. It says it is > > > testing something, it is not clear what and the actual result is users who > > > match the map configuration or have the cert in their user's entry. > > > > > > Better would be: > > > $ ipa certmap-match --certificate > > > > > How about `ipa certmap-find-user ...'? Doesn't get more obvious > > than that, IMO. > > Was thinking about that as well but I think that the command might, in > future, return also something else then user object, e.g. ID override.
No, since the ID override is related to a user the user should be returned not the override. bye, Sumit > > > > > > > > > Pasting user story to give context if somebody is not familiar with it: > > > """ > > > As a Security Officer, I want to present IdM Server with an Employee Smart > > > Card certificate and list all Employees with a matching role account, so > > > that I can validate the configuration is correct > > > > > > Note: In FreeIPA 4.4, user-find --certificate can already find users > > > linked > > > with a certificate blob > > > > > > Acceptance criteria: > > > * I can perform the administrative task both via IdM Web UI and CLI > > > * When asking IdM for the information, I should always receive the same > > > list > > > that would be matched in client authentication workflows (by SSSD) > > > * The list of users should include both users linked via standard > > > certificate blob and other generically mapped users > > > """ > > > -- > > > Petr Vobornik > > > > > > Associate Manager, Engineering, Identity Management > > > Red Hat, Inc. > > > > > > -- > > > Manage your subscription for the Freeipa-devel mailing list: > > > https://www.redhat.com/mailman/listinfo/freeipa-devel > > > Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code > > > -- > Petr Vobornik > > Associate Manager, Engineering, Identity Management > Red Hat, Inc. > > -- > Manage your subscription for the Freeipa-devel mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-devel > Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
