On 26.5.2014 10:18, Martin Kosek wrote:
On 05/26/2014 09:33 AM, Jan Cholasta wrote:
On 26.5.2014 07:49, Martin Kosek wrote:
...
  > 5) modifying
  > (in active)   ipa user-mod tuser ...

Ok.

  > (in stage)    ipa user-mod tuser --staged ...

Simo did not like this command, I would personally add it. As long as we
have "ipa user-add --staged", we should also have an option to delete
and modify a user in the staged area.

+1


  > (in del)      ipa user-mod tuser --deleted ...

Not needed.

Is this acceptable for everyone? If yes, the next step would be for
Thierry to update the design page with new proposals.

Martin

Are users in different containers using the same uid allowed?

Say you had a John Doe (uid jdoe) working in a company a couple of years ago. jdoe
left and is now in the deleted accounts tree. Jane Doe joins the company now and
the question is - do we want to allow Jane to take the same uid as John had? I am
thinking we should not allow that. Maybe we should allow an override with --force
or have a global option.

Another related topic is - do we want to enforce that a staged user always has a UID
RDN? Isn't that limiting? When writing

http://www.freeipa.org/page/V4/User_Life-Cycle_Management#Create_a_User_-_by_provisioning_system

I proposed that we should also be able to unstage a minimal record like this:

dn: cn=Test User,cn=staged users,cn=accounts,cn=provisioning,dc=example,dc=com
objectClass: top
objectClass: organizationalperson
cn: Test User
sn: User
nsAccountLock: True

If not, do we need the --staged/--deleted flags on anything but
user-add/user-find?

I see your point, but I think we should make admins be very explicit when
manipulating users in any area other than the active users area. As Simo noted,
these are not real users, just incomplete user records.

If they are not users, they should not be managed by the user plugin in the first place. (But I guess people are so used to abusing IPA's object model that they don't care. Oh well.)


Martin



--
Jan Cholasta

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
