On 05/29/2014 02:24 PM, Simo Sorce wrote:
On Thu, 2014-05-29 at 14:08 -0400, Dmitri Pal wrote:
On 05/29/2014 02:17 AM, Martin Kosek wrote:
On 05/29/2014 04:09 AM, Dmitri Pal wrote:
On 05/22/2014 10:33 AM, thierry bordaz wrote:

      In order to provision staged users (account inactivated) with
      there initial values:

          /usr/bin/ipa user-add tb20 --to-stage --first=tb20 --last=tb20
          Added user "tb20"
            User login: tb20
            First name: tb20
            Last name: tb20
            Full name: tb20 tb20
            Display name: tb20 tb20
            Initials: tt
            Home directory: /home/tb20
            GECOS: tb20 tb20
            Login shell: /bin/sh
            Kerberos principal: t...@idm.lab.bos.redhat.com
            Email address: t...@idm.lab.bos.redhat.com
            UID: -1
            GID: -1
            Account disabled: true
            Password: False
            Kerberos keys available: False

          ldapsearch -LLL -h localhost -p 389 -D "cn=directory manager"
          -w Secret123 -b "dc=idm,dc=lab,dc=bos,dc=redhat,dc=com" uid=tb20
          dn: uid=tb20,cn=staged
          displayName: tb20 tb20
          cn: tb20 tb20
          objectClass: top
          objectClass: person
          objectClass: organizationalperson
          objectClass: inetorgperson
          objectClass: inetuser
          objectClass: posixaccount
          objectClass: krbprincipalaux
          objectClass: krbticketpolicyaux
          objectClass: ipaobject
          objectClass: ipasshuser
          objectClass: ipaSshGroupOfPubKeys
          loginShell: /bin/sh
          uidNumber: -1
          ipaUniqueID: autogenerate
          gidNumber: -1
          gecos: tb20 tb20
          sn: tb20
          homeDirectory: /home/tb20
          uid: tb20
          mail: t...@idm.lab.bos.redhat.com
          krbPrincipalName: t...@idm.lab.bos.redhat.com
          givenName: tb20
          initials: tt

      I needed to resctrict the scope of the following plugins:

          dn: cn=ipaUniqueID uniqueness,cn=plugins,cn=config

          dn: cn=IPA Unique IDs,cn=IPA UUID,cn=plugins,cn=confi
          ipauuidscope: cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com

          dn: cn=Posix IDs,cn=Distributed Numeric Assignment
          dnaScope: cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com

          dn: cn=MemberOf Plugin,cn=plugins,cn=config

      In fact I need them to not modify the added entry when it is added
      under "cn=staged users,cn=accounts,cn=provisioning,$SUFFIX".
      Now is it possible to limit those plugins scope to the
      'cn=accounts' part of the tree ? I guess not.
      If it is not possible, a solution is to make the scope
      multi-valued attributes or to introduce a new config attribute
      '*notInScope' also multi-valued.
      A problem is the 'cn=ipaUniqueID uniqueness' that rely on the
      'attribute uniqueness' plugin with a argv[ ], not really
      convenient to pass 2 multivalued attributes.

      If anyone is having others solutions it would help me a lot :-)


The easiest solution IMO is to not treat staging area as an account area, i.e
instead of cn=staging, cn=accounts, dc=... I suggest saving users in cn=users,
cn=staging, dc=...
Actually, this almost exactly the DN I wrote in the RFE:


Proposed containers are:

cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX

This way if in future we will have some staging for other objects (for whatever
reason) we will create containers under common "staging" area.
I would also argue that "deleted" should not be under accounts.
Agreed. This will also make the plugin configuration (tree exclusion) easier.


I do not think so. My proposal is not to have staging under cn=accounts
because most of the plugins enforce uniqueness and other consistency
like DNA in the cn=account sub tree. Moving it out would move the
staging out of the scope of the plugins and plugin configuration would
not need to change.
Dmitri, I think you need to pay attention to the whole suffix :-)


Mia Culpa. Missed the cn=provisioning part.

Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

Freeipa-devel mailing list

Reply via email to