I prepared a first draft of User Life-Cycle Management feature, which should
appear in later FreeIPA release.
There are still open questions, the main one from my perspective is if the
staged users should be stored in our main LDAP database/suffix or the alternate
one. Both have pros and cons, I tried to list them in the design page.
Keeping it in a separated suffix may allow less difficult maintenance of old
and new FreeIPA servers as old FreeIPA servers and plugins (like ipa-kdb) will
not see the staged users. But there are higher replication agreement and other
costs connected with this approach.
Comments, feedback is very welcome.
Freeipa-devel mailing list