----- Original Message -----
> From: "Simo Sorce" <[email protected]>
> To: "Ana Krivokapic" <[email protected]>
> Cc: "Martin Kosek" <[email protected]>, "freeipa-devel" <[email protected]>
> Sent: Wednesday, October 30, 2013 7:11:20 PM
> Subject: Re: [Freeipa-devel] [PATCHES] 0080-0081 Add userClass attributes for users and hosts
>
> On Wed, 2013-10-30 at 19:01 +0100, Ana Krivokapic wrote:
> > On 10/29/2013 02:04 PM, Simo Sorce wrote:
> > > On Tue, 2013-10-29 at 12:42 +0100, Martin Kosek wrote:
> > >> On 10/29/2013 10:49 AM, Ana Krivokapic wrote:
> > >>> Hello,
> > >>>
> > >>> Patch 0080 adds userClass attribute for users to IPA CLI.
> > >>> Patch 0081 adds userClass attribute for users and hosts to the web UI.
> > >>>
> > >>> Design page:
> > >>> http://www.freeipa.org/page/V3/Integration_with_a_provisioning_systems
> > >>>
> > >>> Tickets:
> > >>> https://fedorahosted.org/freeipa/ticket/3588
> > >>> https://fedorahosted.org/freeipa/ticket/3590
> > >> NACK to just extending posixAccount objectclass. This is a standard
> > >> objectclass defined by RFC 2307 and we cannot just simply extend and
> > >> overwrite it as we wish.
> > > Uhh indeed this is a big No-no.
> > >
> > >> We will need to come up with some custom objectclass, like ipaUser. This
> > >> is the reason why I wrote to ticket "A second goal of this ticket is to
> > >> review current objectClass hierarchy of users and do changes if needed."
> > >> so that we can pick the best option where to place it.
> > > userClass is used in ipaHost, so I guess it could be instead added to an
> > > ipa objectclass. ipaObject might be used perhaps, otherwise we'll need a
> > > new ipaUser objectclass.
> > >
> > > Simo.
> > >
> >
> > If there are no objections to using the ipaObject objectclass, the attached
> > patches implement this approach.
>
> After some thinking ipaObject is more generic than just users, not sure
> that attaching userClass there is appropriate. I think we really need
> ipaUser at this point.

+1. I also do not think that ipaObject is the right OC to place the attribute,
it is just too general. Let's go with the ipaUser objectClass, looking
something like that:

    ( <OID> NAME 'ipaUser' AUXILIARY MUST ( uid ) MAY ( userClass ) X-ORIGIN 'IPA v3' )

We will need to add the OC when needed, we cannot just add it to default list.
Ideally, we could also implement https://fedorahosted.org/freeipa/ticket/3922
in scope of this effort as this need to add additional OCs is piling up.

Martin
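
The "add the OC when needed" behaviour from the last message, sketched as an added example (not part of the original thread and not FreeIPA code). The function name, the operation strings and the sample entries are assumptions made for illustration; the schema constraints are the ones in the proposed ipaUser definition.

```python
# Added illustration; not FreeIPA code. Operations are plain strings and
# are not tied to any particular LDAP library.

class SchemaViolation(Exception):
    """Raised when adding ipaUser would break its MUST ( uid ) constraint."""

def _get(entry, attr):
    """Case-insensitive attribute lookup (LDAP attribute names ignore case)."""
    for name, values in entry.items():
        if name.lower() == attr.lower():
            return list(values)
    return []

def userclass_mods(entry, new_classes):
    """Return the (op, attr, values) modifications needed to set userClass.

    The auxiliary ipaUser objectclass is added only when the entry lacks it,
    so entries that never use userClass are left untouched.
    """
    mods = []
    current = _get(entry, "userClass")
    object_classes = {oc.lower() for oc in _get(entry, "objectClass")}
    if not new_classes:
        # userClass is a MAY attribute, so the objectclass can stay in place.
        if current:
            mods.append(("delete", "userClass", current))
        return mods
    if "ipauser" not in object_classes:
        if not _get(entry, "uid"):
            raise SchemaViolation("ipaUser has MUST ( uid ); entry has no uid")
        mods.append(("add", "objectClass", ["ipaUser"]))
    if sorted(current) != sorted(new_classes):
        mods.append(("replace", "userClass", list(new_classes)))
    return mods

# Constructed sample entries (not taken from a real directory).
LEGACY_USER = {"uid": ["alice"],
               "objectClass": ["top", "person", "posixAccount", "ipaObject"]}
TAGGED_USER = {"uid": ["bob"],
               "objectclass": ["top", "posixaccount", "IPAUSER"],
               "userClass": ["contractor"]}
NO_UID = {"cn": ["svc"], "objectClass": ["top", "person"]}
```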
