Hello,

   Me again !!!

   Thanks to all your input, the discussion about User_life_cycle
   clarified a lot about the workflow/command verbs.

   Now I have a doubt about what an entry in staging would be
   (objectclass/attribute). Also I wonder if the ipa CLI (ipa user-add
   --stage) would be the only supported way to create a stage entry.

   An active entry looks like this (with krb* attributes if the
   userpassword is defined):

       dn: uid=tb17,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
       displayName: tb15 tb15
       cn: tb15 tb15
       objectClass: top
       objectClass: person
       objectClass: organizationalperson
       objectClass: inetorgperson
       objectClass: inetuser
       objectClass: posixaccount
       objectClass: krbprincipalaux
       objectClass: krbticketpolicyaux
       objectClass: ipaobject
       objectClass: ipasshuser
       objectClass: ipaSshGroupOfPubKeys
       objectClass: mepOriginEntry
       loginShell: /bin/sh
       gecos: tb15 tb15
       sn: tb15
       homeDirectory: /home/tb17
       uid: tb17
       mail: t...@idm.lab.bos.redhat.com
       krbPrincipalName: t...@idm.lab.bos.redhat.com
       givenName: tb15
       initials: tt
       ipaUniqueID: 3f1b5cce-e1b8-11e3-86fe-001a4a104ecd
       uidNumber: 646400009
       gidNumber: 646400009
       mepManagedEntry: cn=tb17,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
       memberOf: cn=ipausers,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
       nsAccountLock: False


   A staged entry created by 'ipa user-add --stage' may look like the
   following. This kind of entry is easy to activate with 'ipa user-unstage'.

       dn: uid=tb20,cn=staged users,cn=accounts,cn=provisioning,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
       displayName: tb20 tb20
       cn: tb20 tb20
       objectClass: top
       objectClass: person
       objectClass: organizationalperson
       objectClass: inetorgperson
       objectClass: inetuser
       objectClass: posixaccount
       objectClass: krbprincipalaux
       objectClass: krbticketpolicyaux
       objectClass: ipaobject
       objectClass: ipasshuser
       objectClass: ipaSshGroupOfPubKeys
       loginShell: /bin/sh
       uidNumber: -1
       ipaUniqueID: autogenerate
       gidNumber: -1
       gecos: tb20 tb20
       sn: tb20
       homeDirectory: /home/tb20
       uid: tb20
       mail: t...@idm.lab.bos.redhat.com
       krbPrincipalName: t...@idm.lab.bos.redhat.com
       givenName: tb20
       initials: tt
       nsAccountLock: True

   Now, are we going to support the following entries for 'ipa user-unstage'?

       dn: cn=tb20,cn=staged users,cn=accounts,cn=provisioning,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
       objectClass: top
       objectClass: person
       sn: tb20
       cn: tb20
       nsAccountLock: True

   or

       dn: uid=tb20,cn=staged users,cn=accounts,cn=provisioning,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
       objectClass: top
       objectClass: person
       objectClass: posixAccount
       sn: tb20
       cn: tb20 tb20
       uid: tb20
       uidNumber: -1
       gidNumber: -1
       homeDirectory: /home/tb20
       nsAccountLock: True


   thanks
   thierry
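
To see how far each of the two minimal entries in the message is from the entry that 'ipa user-add --stage' produces, this added example (not part of the original message and not FreeIPA code) diffs their objectClasses and attributes against that entry. Treating the --stage entry as the baseline, and the names `parse_ldif` and `activation_gap`, are assumptions of the example.

```python
# Added example. Baseline sets are copied from the 'ipa user-add --stage' entry
# in the message; using them as the activation baseline is an assumption.
STAGE_CLASSES = set(("top person organizationalperson inetorgperson inetuser "
                     "posixaccount krbprincipalaux krbticketpolicyaux ipaobject "
                     "ipasshuser ipasshgroupofpubkeys").split())
STAGE_ATTRS = set(("displayname cn loginshell uidnumber ipauniqueid gidnumber "
                   "gecos sn homedirectory uid mail krbprincipalname givenname "
                   "initials nsaccountlock").split())
MINIMAL_PERSON = """\
dn: cn=tb20,cn=staged users,cn=accounts,cn=provisioning,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
objectClass: top
objectClass: person
sn: tb20
cn: tb20
nsAccountLock: True
"""
MINIMAL_POSIX = """\
dn: uid=tb20,cn=staged users,cn=accounts,cn=provisioning,dc=idm,dc=lab,dc=bos,
 dc=redhat,dc=com
objectClass: top
objectClass: person
objectClass: posixAccount
sn: tb20
cn: tb20 tb20
uid: tb20
uidNumber: -1
gidNumber: -1
homeDirectory: /home/tb20
nsAccountLock: True
"""

def parse_ldif(text):
    """Parse one LDIF entry into {attr_lowercase: [values]}, unfolding lines."""
    entry, lines = {}, []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation line
        elif raw.strip():
            lines.append(raw)
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def activation_gap(ldif_text):
    """Return (missing objectClasses, missing attributes) versus the baseline."""
    entry = parse_ldif(ldif_text)
    classes = {v.lower() for v in entry.get("objectclass", [])}  # posixAccount == posixaccount
    attrs = set(entry) - {"dn", "objectclass"}
    return sorted(STAGE_CLASSES - classes), sorted(STAGE_ATTRS - attrs)
```

Calling `activation_gap(MINIMAL_PERSON)` and `activation_gap(MINIMAL_POSIX)` lists what each candidate lacks relative to the full staged entry.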


_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
