IdM Server: list all Employees with matching Smart Card #516
Conversation
Note: this PR is work in progress. It requires PR#398 Support for Certificate Identity Mapping and sssd patches not pushed yet.

One thing I don't like is that SELinux policy requirements aren't mentioned. To allow ipaapi user to talk to SSSD dbus interface, you have to have a policy that allows this.

Why do we need to talk to SSSD to do this?

Hi @simo5
ipaserver/plugins/certmap.py
Outdated
    result['count'] = len(users)
    result['uids'] = users
    result['summary'] = u'{count} user{plural} matched'.format(
        count=len(users), plural='' if len(users) == 1 else 's')
This is not translatable. Instead of filling in summary yourself, you should specify the msg_summary class attribute and have it filled automatically.
ipaserver/plugins/certmap.py
Outdated
    output.summary,
    output.Output('uids', (list, tuple, type(None)), _('Matched uid')),
    output.Output('count', int, _('Number of entries returned')),
)
Please avoid using custom has_output, as it requires a client-side plugin. Define certmap_match as a search method of a virtual certmap object instead:
    from ipalib import Bytes, Str
    from ipalib.crud import Search
    from ipalib.frontend import Object
    from ipalib.plugable import Registry

    register = Registry()


    @register()
    class certmap(Object):
        # Object parameter definitions use takes_params
        takes_params = (
            Str(
                'uid',
                ...
                flags={'no_search'},
            ),
            Bytes(
                'certificate',
                ...
            ),
        )


    @register()
    class certmap_match(Search):
        def get_args(self):
            # drop the generic 'criteria' argument inherited from Search
            for arg in super(certmap_match, self).get_args():
                if arg.name == 'criteria':
                    continue
                yield arg

        def execute(self, *args, **options):
            ...
            result['result'] = [{'uid': user} for user in users]
            result['count'] = len(users)
            result['truncated'] = False
            return result

Also, I don't think the result should be called uid, as that's usually the username without the domain qualifier. You can either rename it or split it into uid and domain (you can do that with the object plugin).
Actually, I think it would make sense to group the results by domain, in which case certmap should look like this:
    @register()
    class certmap(Object):
        # Object parameter definitions use takes_params
        takes_params = (
            DNSNameParam(
                'domain',
                ...
                flags={'no_search'},
            ),
            Bytes(
                'certificate',
                ...
            ),
            Str(
                'uid*',
                ...
                flags={'no_search'},
            ),
        )
ipaserver/plugins/certmap.py
Outdated
    takes_options = (
        Bytes(
            'certificate', validate_certificate,
I guess this should be a positional argument, since it is the only argument and is required.
@HonzaCholasta it would be good to catch these issues in threads like http://www.redhat.com/archives/freeipa-devel/2017-February/msg00878.html which are meant especially for it to avoid rewriting patches.
I am not sure we want to wait for replies from trusted domains, it may be very slow, and in some cases it will just not work right (one way trusts with strict access control on entries).

Yes, a hint aka user name will be used during authentication. But this PR here is about getting an idea which user is allowed to authenticate based on the current certificate mapping configuration. Since the certificate mapping configuration requires remote domains to be added explicitly, the admin can control which domains are included in the search.

@abbra, @HonzaCholasta
ipaserver/plugins/certmap.py
Outdated
    cert = args[0]
    users = sssd.list_users_by_cert(cert)
    count = sum([len(l) for (_k, l) in users.items()])
count should be the number of entries in the result, i.e. len(result).
If you want to keep the "N users matched" summary intact, you can do it using a get_summary_default method:
    def get_summary_default(self, output):
        count = sum(len(entry['uid']) for entry in output['result'])
        return self.msg_summary % dict(count=count)
I see you added get_summary_default, but it seems you forgot to update the count line to count = len(results).
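The distinction argued over in the two comments above (count = number of result entries, summary = number of matched users) as an added, stand-alone example; this is not code from the PR or from FreeIPA. The SSSD D-Bus lookup is replaced by a constructed dict of the shape sssd.list_users_by_cert is assumed to return (domain name to list of uids), and the msg_summary text is assumed.

```python
# Added example, not FreeIPA code: models the certmap-match output shape
# (entries grouped by domain, 'count' = number of entries, summary = number
# of matched users) so the two counts can be compared offline.

MSG_SUMMARY = '%(count)d user(s) matched'   # assumed msg_summary text


def build_result(users_by_domain):
    """Convert {domain: [uid, ...]} into a Search-style result dict.

    One entry per domain that has at least one match; domains and uids are
    sorted so the output does not depend on lookup order.
    """
    entries = [
        {'domain': domain, 'uid': sorted(uids)}
        for domain, uids in sorted(users_by_domain.items())
        if uids
    ]
    return {
        'result': entries,
        'count': len(entries),   # entries (domains), as the review asks for
        'truncated': False,
    }


def summary_default(output):
    """Same idea as the get_summary_default proposed in the review: the
    summary counts users across every entry, not entries."""
    count = sum(len(entry['uid']) for entry in output['result'])
    return MSG_SUMMARY % dict(count=count)


# Constructed sample: what the lookup might return for one certificate that
# maps to one IPA user and two users in a trusted domain; the third trusted
# domain has no match and must not produce an entry.
SAMPLE_LOOKUP = {
    'ipa.example.test': ['alice'],
    'ad.example.test': ['bobby', 'bob'],
    'other.example.test': [],
}

if __name__ == '__main__':
    out = build_result(SAMPLE_LOOKUP)
    print(out)               # count is 2 (two domains with matches)
    print(summary_default(out))   # 3 user(s) matched
```

Note that a domain with an empty list is dropped rather than reported with count zero, which is why the entry count and the user count can differ in both directions only when a domain yields more than one uid.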
ipaserver/plugins/certmap.py
Outdated
    ),
    Str(
        'uid*',
        label=_('Usernames'),
In the user plugin, uid is called "Login" - perhaps we should use the same (singular or plural) here as well?
@flo-renaud, please rebase.

Hi @HonzaCholasta

Hi @HonzaCholasta

@flo-renaud, thanks, LGTM. BTW Travis fails because there is no

@flo-renaud While playing with this command I've noticed one disturbing fact. Because we rely on SSSD and SSSD relies on its cache, we will likely return inaccurate results.

Hi @dkupka

@flo-renaud That's right but we should probably stress this somehow because it's not intuitive. Also we're returning what SSSD would return on master but we have no idea what it will return on some other host.

I agree, it would be good if the help text can mention that cached data is used and maybe even mention the sss_cache utility to invalidate the entry. If the doc team can add this to the official documentation it would be even better.

@sumit-bose I agree. If this is in help text we can also display it in WebUI.
Implement a new IPA command allowing to retrieve the list of users matching the provided certificate. The command is using SSSD Dbus interface, thus including users from IPA domain and from trusted domains. This requires sssd-dbus package to be installed on IPA server. https://fedorahosted.org/freeipa/ticket/6646
@dkupka

@flo-renaud Thank you.

master:

I forgot to say that in the CLI, the certificate should be specified using a file. PR #557 implements this.