On 05/29/2014 08:17 AM, Martin Kosek wrote:
On 05/29/2014 04:09 AM, Dmitri Pal wrote:
On 05/22/2014 10:33 AM, thierry bordaz wrote:
Hello,

     In order to provision staged users (account inactivated) with
     there initial values:

         /usr/bin/ipa user-add tb20 --to-stage --first=tb20 --last=tb20
         -----------------
         Added user "tb20"
         -----------------
           User login: tb20
           First name: tb20
           Last name: tb20
           Full name: tb20 tb20
           Display name: tb20 tb20
           Initials: tt
           Home directory: /home/tb20
           GECOS: tb20 tb20
           Login shell: /bin/sh
           Kerberos principal: t...@idm.lab.bos.redhat.com
           Email address: t...@idm.lab.bos.redhat.com
           UID: -1
           GID: -1
           Account disabled: true
           Password: False
           Kerberos keys available: False

         ldapsearch -LLL -h localhost -p 389 -D "cn=directory manager"
         -w Secret123 -b "dc=idm,dc=lab,dc=bos,dc=redhat,dc=com" uid=tb20
         dn: uid=tb20,cn=staged
         users,cn=accounts,cn=provisioning,dc=idm,dc=lab,dc=bos,
          dc=redhat,dc=com
         displayName: tb20 tb20
         cn: tb20 tb20
         objectClass: top
         objectClass: person
         objectClass: organizationalperson
         objectClass: inetorgperson
         objectClass: inetuser
         objectClass: posixaccount
         objectClass: krbprincipalaux
         objectClass: krbticketpolicyaux
         objectClass: ipaobject
         objectClass: ipasshuser
         objectClass: ipaSshGroupOfPubKeys
         loginShell: /bin/sh
         uidNumber: -1
         ipaUniqueID: autogenerate
         gidNumber: -1
         gecos: tb20 tb20
         sn: tb20
         homeDirectory: /home/tb20
         uid: tb20
         mail: t...@idm.lab.bos.redhat.com
         krbPrincipalName: t...@idm.lab.bos.redhat.com
         givenName: tb20
         initials: tt

     I needed to resctrict the scope of the following plugins:

         dn: cn=ipaUniqueID uniqueness,cn=plugins,cn=config
         nsslapd-pluginarg1:
         cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com

         dn: cn=IPA Unique IDs,cn=IPA UUID,cn=plugins,cn=confi
         ipauuidscope: cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com

         dn: cn=Posix IDs,cn=Distributed Numeric Assignment
         Plugin,cn=plugins,cn=config
         dnaScope: cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com

         dn: cn=MemberOf Plugin,cn=plugins,cn=config
         memberofentryscope:
         cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com

     In fact I need them to not modify the added entry when it is added
     under "cn=staged users,cn=accounts,cn=provisioning,$SUFFIX".
     Now is it possible to limit those plugins scope to the
     'cn=accounts' part of the tree ? I guess not.
     If it is not possible, a solution is to make the scope
     multi-valued attributes or to introduce a new config attribute
     '*notInScope' also multi-valued.
     A problem is the 'cn=ipaUniqueID uniqueness' that rely on the
     'attribute uniqueness' plugin with a argv[ ], not really
     convenient to pass 2 multivalued attributes.

     If anyone is having others solutions it would help me a lot :-)

     thanks
     thierry


The easiest solution IMO is to not treat staging area as an account area, i.e
instead of cn=staging, cn=accounts, dc=... I suggest saving users in cn=users,
cn=staging, dc=...
Actually, this almost exactly the DN I wrote in the RFE:

http://www.freeipa.org/page/V4/User_Life-Cycle_Management#User_status

Proposed containers are:

cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
I believe we want to enforce that attribute like 'uid' and 'ipaUniqueID' are unique in both

cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX

and

cn=accounts,$SUFFIX


A solution is to make attribute uniqueness covering both parts. But is that enough ? For example is it required that attribute uniqueness run also on 'cn=alt,$SUFFIX' ?

An other solution is to exclude some parts. Like exlude 'cn=staged users,cn=account,cn=provisioning, $SUFFIX'.


This way if in future we will have some staging for other objects (for whatever
reason) we will create containers under common "staging" area.
I would also argue that "deleted" should not be under accounts.
Agreed. This will also make the plugin configuration (tree exclusion) easier.

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to