[Freeipa-devel] Unifying the PKI and IPA Directory Server instances

Rob Crittenden rcritten at redhat.com
Wed Nov 2 22:19:03 UTC 2011


Simo Sorce wrote:
> On Wed, 2011-11-02 at 16:44 -0400, Ade Lee wrote:
>> On Wed, 2011-11-02 at 16:03 -0400, Adam Young wrote:
> [...]
>> So, a user becomes an agent on the ca by having a certificate in the
>> user record and being a member of the relevant admin, agent or auditor
>> group.
>>
>> I see this as follows:
>> 1. ipa cms-user-add (add a user and add the auxiliary cmsuser object
>> class)
>> 2. ipa user-cert (contact the ca and get a certificate for this user,
>> add this cert to the user record in the ipa database)
>> 3. ipa group-add-member (add the user to the relevant group)
>>
>> At no point does PKI need to modify anything in the IPA database.
>
> Sounds reasonable.
> Can you post a link to the schema that would be added to IPA objects ?
>
> Simo.
>

IIRC the user we create in CS now has the description attribute set up 
in a very specific way. Is that still required?

rob