On Tue, 2014-05-27 at 18:39 +0200, thierry bordaz wrote:
> On 05/27/2014 06:06 PM, Simo Sorce wrote:
> > We just need to care about the 'uid' attribute in the staged entry, and
> > pick that to generate the RDN of the user in the active tree. If there
> > are conflicts the 'unstage' will fail cleanly, as the 'add' operation
> > will just fail (due to non unique RDN) and the admin will have to take
> > care of the situation.
> In that case the provisioning system created a staging entry
> ou=TestUser,$STAGING, it will get an active entry uid=xxx,$ACTIVE
> It could be an issue for the provisioning system to retrieve the entry
> it created.

Too bad for the provisioning system, we are not going to allow users to
have a form that does not use uid in the RDN in IPA.

> > Sounds like a lot of complexity for a problem we do not really have, all
> > we need is to not enforce uniqueness in staging.
>
> This proposal was also to limit the operator privilege to do MODRDN from
> 'pre-active' to 'active', instead ADD on 'active'.

It is not useful, the operator still needs to be able to create in
pre-active ... so it can still create what it wants.

Simo.