On Tue, 2014-05-27 at 18:39 +0200, thierry bordaz wrote:
> On 05/27/2014 06:06 PM, Simo Sorce wrote:

> > We just need to care about the 'uid' attribute in the staged entry, and
> > pick that to generate the RDN of the user in the active tree. If there
> > are conflicts the 'unstage' will fail cleanly, as the 'add' operation
> > will just fail (due to non unique RDN) and the admin will have to take
> > care of the situation.
> In that case the provisioning system created a staging entry 
> ou=TestUser,$STAGING, it will get an active entry uid=xxx,$ACTIVE
> It could be an issue for the provisioning system to retrieve the entry 
> it created.

Too bad for the provisioning system, we are not going to allow users to
have a form that does not use uid in the RDN in IPA.

> > Sounds like a lot of complexity for a problem we do not really have, all
> > we need is to not enforce uniqueness in staging.
> This proposal was also to limit the operator privilege to do MODRDN from 
> 'pre-active' to 'active', instead  ADD on 'active'.

It is not useful, the operator still needs to be able to create in
pre-active ... so it can still create what it wants.


Freeipa-devel mailing list

Reply via email to