Hello,

   In order to provision staged users (account inactivated) with their
   initial values:

       /usr/bin/ipa user-add tb20 --to-stage --first=tb20 --last=tb20
       -----------------
       Added user "tb20"
       -----------------
          User login: tb20
          First name: tb20
          Last name: tb20
          Full name: tb20 tb20
          Display name: tb20 tb20
          Initials: tt
          Home directory: /home/tb20
          GECOS: tb20 tb20
          Login shell: /bin/sh
          Kerberos principal: t...@idm.lab.bos.redhat.com
          Email address: t...@idm.lab.bos.redhat.com
          UID: -1
          GID: -1
          Account disabled: true
          Password: False
          Kerberos keys available: False

       ldapsearch -LLL -h localhost -p 389 -D "cn=directory manager" -w Secret123 \
           -b "dc=idm,dc=lab,dc=bos,dc=redhat,dc=com" uid=tb20
       dn: uid=tb20,cn=staged users,cn=accounts,cn=provisioning,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
       displayName: tb20 tb20
       cn: tb20 tb20
       objectClass: top
       objectClass: person
       objectClass: organizationalperson
       objectClass: inetorgperson
       objectClass: inetuser
       objectClass: posixaccount
       objectClass: krbprincipalaux
       objectClass: krbticketpolicyaux
       objectClass: ipaobject
       objectClass: ipasshuser
       objectClass: ipaSshGroupOfPubKeys
       loginShell: /bin/sh
       uidNumber: -1
       ipaUniqueID: autogenerate
       gidNumber: -1
       gecos: tb20 tb20
       sn: tb20
       homeDirectory: /home/tb20
       uid: tb20
       mail: t...@idm.lab.bos.redhat.com
       krbPrincipalName: t...@idm.lab.bos.redhat.com
       givenName: tb20
       initials: tt

   I needed to restrict the scope of the following plugins:

       dn: cn=ipaUniqueID uniqueness,cn=plugins,cn=config
       nsslapd-pluginarg1: cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com

       dn: cn=IPA Unique IDs,cn=IPA UUID,cn=plugins,cn=config
       ipauuidscope: cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com

       dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
       dnaScope: cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com

       dn: cn=MemberOf Plugin,cn=plugins,cn=config
       memberofentryscope: cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com

   In fact I need them not to modify the added entry when it is added
   under "cn=staged users,cn=accounts,cn=provisioning,$SUFFIX".
   Now, is it possible to limit those plugins' scope to the 'cn=accounts'
   part of the tree? I guess not.
   If it is not possible, a solution is to make the scope attributes
   multi-valued, or to introduce a new config attribute '*notInScope',
   also multi-valued.
   A problem is 'cn=ipaUniqueID uniqueness', which relies on the
   'attribute uniqueness' plugin with an argv[ ]; it is not really
   convenient to pass two multi-valued attributes that way.

   If anyone has other solutions, it would help me a lot :-)

   thanks
   thierry
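The following is an added example, not code from the post or from the FreeIPA/389-ds projects. It generates the ldapmodify LDIF that narrows the four plugins quoted above to cn=accounts,$SUFFIX, and checks with a proper DN-ancestor test (escaped commas honoured, case-insensitive matching assumed for cn/dc/uid) whether an active user entry and a staged user entry fall inside that scope. The suffix and the plugin DNs are the ones from the post; the function names are invented here.

```python
"""Added example: restrict 389-ds plugin scope and check DN membership.

The plugin DNs and scope attribute names are those quoted in the post;
everything else (function names, sample entry DNs) is constructed here.
"""
import re

SUFFIX = "dc=idm,dc=lab,dc=bos,dc=redhat,dc=com"

# Plugin config entry -> the attribute that carries its scope (from the post).
PLUGIN_SCOPE_ATTRS = {
    "cn=ipaUniqueID uniqueness,cn=plugins,cn=config": "nsslapd-pluginarg1",
    "cn=IPA Unique IDs,cn=IPA UUID,cn=plugins,cn=config": "ipauuidscope",
    "cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config": "dnaScope",
    "cn=MemberOf Plugin,cn=plugins,cn=config": "memberofentryscope",
}


def dn_to_rdns(dn):
    """Split a DN on unescaped commas and normalise each RDN to
    'type=value' with lowercase type and value (assumes case-insensitive
    matching rules, which hold for cn, dc and uid)."""
    rdns = re.split(r"(?<!\\),", dn)
    out = []
    for rdn in rdns:
        attr, _, value = rdn.strip().partition("=")
        out.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return out


def is_under(entry_dn, scope_dn):
    """True if entry_dn equals scope_dn or lies below it in the tree.
    Comparing RDN lists from the right avoids the substring trap where
    'cn=accounts,...' matches a DN that merely contains 'cn=accounts'."""
    entry, scope = dn_to_rdns(entry_dn), dn_to_rdns(scope_dn)
    if len(entry) < len(scope):
        return False
    return entry[len(entry) - len(scope):] == scope


def scope_ldif(suffix):
    """Return ldapmodify LDIF that replaces each plugin's scope value with
    cn=accounts,<suffix>. For the uniqueness plugin the value sits in the
    positional nsslapd-pluginarg1, exactly as quoted in the post."""
    scope = f"cn=accounts,{suffix}"
    records = []
    for plugin_dn, attr in PLUGIN_SCOPE_ATTRS.items():
        records.append(
            f"dn: {plugin_dn}\n"
            f"changetype: modify\n"
            f"replace: {attr}\n"
            f"{attr}: {scope}\n"
        )
    return "\n".join(records)


def plugins_acting_on(entry_dn, suffix):
    """List the plugins whose (narrowed) scope covers entry_dn."""
    scope = f"cn=accounts,{suffix}"
    return [p for p in PLUGIN_SCOPE_ATTRS if is_under(entry_dn, scope)]


def demo(suffix=SUFFIX):
    """Compare an active user and a staged user against the narrowed scope.
    Both entry DNs are constructed for this example."""
    active = f"uid=tb20,cn=users,cn=accounts,{suffix}"
    staged = f"uid=tb20,cn=staged users,cn=accounts,cn=provisioning,{suffix}"
    return {
        "active": len(plugins_acting_on(active, suffix)),
        "staged": len(plugins_acting_on(staged, suffix)),
    }


if __name__ == "__main__":
    print(scope_ldif(SUFFIX))
    print(demo())
```

Pipe the generated LDIF into `ldapmodify -D "cn=directory manager" -W` rather than passing the password with `-w` on the command line, where it is visible to every local user via the process list. Note that with the scope set to cn=accounts,$SUFFIX the staged entry is outside it because cn=provisioning sits between cn=accounts and the suffix; the check above confirms that with the entry's RDN chain, not with a string search.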
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel