Hello,
Me again!!!
Thanks to all your inputs, the discussion about User_life_cycle
clarified a lot of the workflow/command verbs.
Now I have a doubt about what an entry in staging would be
(objectclass/attribute). Also, I wonder if the ipa CLI (ipa user-add
--stage) would be the only supported way to create a stage entry.
An active entry looks like this (with krb* attributes if the
userpassword is defined):
dn: uid=tb17,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
displayName: tb15 tb15
cn: tb15 tb15
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
gecos: tb15 tb15
sn: tb15
homeDirectory: /home/tb17
uid: tb17
mail: t...@idm.lab.bos.redhat.com
krbPrincipalName: t...@idm.lab.bos.redhat.com
givenName: tb15
initials: tt
ipaUniqueID: 3f1b5cce-e1b8-11e3-86fe-001a4a104ecd
uidNumber: 646400009
gidNumber: 646400009
mepManagedEntry: cn=tb17,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
nsAccountLock: False
A staged entry created by 'ipa user-add --stage' may look like the
following. This kind of entry is easy to activate with 'ipa user-unstage':
dn: uid=tb20,cn=staged users,cn=accounts,cn=provisioning,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
displayName: tb20 tb20
cn: tb20 tb20
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
loginShell: /bin/sh
uidNumber: -1
ipaUniqueID: autogenerate
gidNumber: -1
gecos: tb20 tb20
sn: tb20
homeDirectory: /home/tb20
uid: tb20
mail: t...@idm.lab.bos.redhat.com
krbPrincipalName: t...@idm.lab.bos.redhat.com
givenName: tb20
initials: tt
nsAccountLock: True
Now, are we going to support the following entries for 'ipa user-unstage'?
dn: cn=tb20,cn=staged users,cn=accounts,cn=provisioning,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
objectClass: top
objectClass: person
sn: tb20
cn: tb20
nsAccountLock: True
or
dn: uid=tb20,cn=staged users,cn=accounts,cn=provisioning,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
objectClass: top
objectClass: person
objectClass: posixAccount
sn: tb20
cn: tb20 tb20
uid: tb20
uidNumber: -1
gidNumber: -1
homeDirectory: /home/tb20
nsAccountLock: True
thanks
thierry