On 05/26/2014 09:33 AM, Jan Cholasta wrote:
> On 26.5.2014 07:49, Martin Kosek wrote:
...
>> > 5) modifying
>> > (in active) ipa user-mod tuser ...
>>
>> Ok.
>>
>> > (in stage) ipa user-mod tuser --staged ...
>>
>> Simo did not like this command, I would personally add it. As long as we
>> have "ipa user-add --staged", we should also have an option to delete
>> and modify user in staged area.
>
> +1
>
>>
>> > (in del) ipa user-mod tuser --deleted ...
>>
>> Not needed.
>>
>> Is this acceptable for everyone? If yes, the next step would be for
>> Thierry to update the design page with new proposals.
>>
>> Martin
>
> Are users in different containers using the same uid allowed?

Say you had a John Doe (uid jdoe) working in a company a couple of years ago. jdoe left and is now in the deleted accounts tree. Jane Doe joins the company now and the question is - do we want to allow Jane to take the same uid as John had?

I am thinking we should not allow that. Maybe we should allow an override with --force or have a global option.

Another related topic is - do we want to enforce that a staged user always has a UID RDN? Isn't that limiting? When writing

http://www.freeipa.org/page/V4/User_Life-Cycle_Management#Create_a_User_-_by_provisioning_system

I proposed that we should also be able to unstage a minimal record like this:

dn: cn=Test User,cn=staged users,cn=accounts,cn=provisioning,dc=example,dc=com
objectClass: top
objectClass: organizationalperson
cn: Test User
sn: User
nsAccountLock: True

> If not, do we need the --staged/--deleted flags on anything but
> user-add/user-find?

I see your point, but I think we should make admins be very explicit when manipulating users in any area other than the active users area. As Simo noted, these are not real users, just incomplete user records.

Martin