I am sharing the question below with the list as I think the information is
useful and relevant for everyone interested in this feature. See answers in the
text.
On 05/20/2014 06:26 PM, thierry bordaz wrote:
Hello Martin, Petr,
I implemented 'user-add --to-stage' in a very simple way. Basically rather
than filling the 'accounts' container it fills the 'staged users' container.
It helped me to start digging into the code.
Now I am looking at details of this entry. Especially the attributes
present when the entry is in staging container. So far, the entry is
looking like:
ldapsearch -LLL -h localhost -p 389 -D "cn=directory manager" -w
Secret123 -b "dc=idm,dc=lab,dc=bos,dc=redhat,dc=com" uid=tb1
dn: uid=tb1,cn=staged
users,cn=accounts,cn=provisioning,dc=idm,dc=lab,dc=bos,d
c=redhat,dc=com
displayName: tb1 tb1
cn: tb1 tb1
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
loginShell: /bin/sh
initials: tt
gecos: tb1 tb1
sn: tb1
homeDirectory: /home/tb1
uid: tb1
mail: t...@idm.lab.bos.redhat.com
krbPrincipalName: t...@idm.lab.bos.redhat.com
givenName: tb1
ipaUniqueID: 5556123c-e036-11e3-9915-001a4a104ecd
uidNumber: 646400005
gidNumber: 646400005
memberOf:
cn=ipausers,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=
com
As you can see it contains extra objectclasses and some attributes are set
(like uidNumber or gidNumber).
According to the design that the entry should rather look like:
dn: uid=tb1,cn=staged
users,cn=accounts,cn=provisioning,dc=idm,dc=lab,dc=bos,d
c=redhat,dc=com
displayName: tb1 tb1
cn: tb1 tb1
objectClass: top
objectClass: organizationalperson
objectClass:krbprincipalaux
objectClass: posixaccount
loginShell: autogenerated
sn: tb1
homeDirectory: /home/tb1
uid: tb1
krbPrincipalName: t...@idm.lab.bos.redhat.com
uidNumber: -1
gidNumber: -1
Is that correct ?
user-add sets the uidNumber and gidNumber to -1, meaning that these numbers
should be autogenerated by a plugin. If the plugin scope is updated according
to design to disregard staging users container, the number should stay -1 until
the entry is really moved to active users container.
The same applies for ipaUniqueId, just the generation triggering text is
"autogenerate".
Then when the entry get activated ('ipa user-activate tb1 --from-stage), we
should have the attribute being generated
uidNumber/gidNumber/ipaUniqueId... My understanding is that those
attributes should be generate by DS plugins when the entry is moved to
'accounts' container. So playing with plugin scope would help to have
staged users without all these attributes and 'accounts' users with them.
Right.
What is not clear to me is the chapter related to the 'placeholders'. My
understanding is that it should be a kind of template defining how to fill
attribute values. I am looking for some code/doc dealing with placeholders
but I do not know where to start from. Do you know any pointers on this.
I tried to write down the reasons for using placeholders in this section:
http://www.freeipa.org/page/V4/User_Life-Cycle_Management#Placeholders
Placeholder allows provisioning systems to specify only some attributes of for
example posixAccount objectclass while not having to fill all the MUST attributes.
I think the example with filled "homeDirectory: /home/tuser" tells it all -
homeDirectory is filled, other attributes are left for FreeIPA to generate
based on it's settings.
As for UID and GID, you do not need to do anything - "-1" already means
autogenerate the values. Attributes not controlled by a plugin needs to be
controlled by the command that moves user from staging users to active users -
following list shows how should be the values generated:
http://www.freeipa.org/page/V4/User_Life-Cycle_Management#Placeholder_Definition
HTH,
Martin
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
