On 06/24/2014 06:31 PM, thierry bordaz wrote:
> Hello,
>
> User life cycle "assigns" a status to user entries depending on where
> they are in the DIT.
> 'Active' users will be under 'cn=accounts,SUFFIX' while 'Stage' and
> 'Delete' users are somewhere under 'cn=provisioning,SUFFIX'.
>
> Only 'Active' users have valid membership attributes: a Stage/Delete
> user does not belong to any 'Active' group.
> Membership is managed by DS plugins, and particularly RI and memberof.
> To automatically update membership attributes, RI and memberof
> implement a scoping that updates/adds/removes membership attributes if
> the group/user are Active.
>
> The scoping is a single-valued attribute.
>
> It creates failures in IPA tests if I restrict RI/memberof to
> 'cn=accounts,SUFFIX'. For example, adding a host (under
> 'cn=accounts,SUFFIX') adds it to a network group that is under
> 'cn=alt,SUFFIX'.
> A solution would be that the attribute that scopes the plugin is
> multivalued. But then it would require a long list of values:
>
> cn=pbac,SUFFIX
> cn=hbac,SUFFIX
> cn=alt,SUFFIX
> cn=accounts,SUFFIX
> ...
>
> Another solution would be to exclude some parts of the DIT, here
> limited to 'cn=provisioning,SUFFIX' (preferred solution).
>
> This is a similar issue with the IPA UUID plugin that generates
> ipaUniqueID for entries under 'cn=accounts' but also 'cn=alt' or
> 'cn=hbac'.
>
> regards
> thierry
Right. As discussed yesterday, I think the best approach would be to specify a SUFFIX + excluded tree. Specifying all containers where there may be an entry with member or RI'ed attribute would be very long and possibly error-prone when we add a new one (all active IPA server plugin configuration would need to be updated?).

Martin

_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
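As an added example that is not code from 389-ds or FreeIPA: the three scoping options discussed in this thread (single scope restricted to cn=accounts, a multi-valued list of containers, and SUFFIX plus an excluded subtree) implemented as a DN subtree check in Python, exercised against constructed FreeIPA-style DNs. The suffix dc=example,dc=com and all entry names are hypothetical. The DN normalisation is deliberately simplified (case-insensitive on types and values, only backslash-escaped commas recognised, no multi-valued RDNs); a real directory server matches DN components according to each attribute's matching rule.

```python
"""Subtree scoping for membership plugins: suffix plus excluded subtrees.

Added illustration of the scoping rule discussed in the thread; this is
not 389-ds or FreeIPA code.  The DN handling is a simplification: attribute
types and values are compared case-insensitively, whitespace around
commas and '=' is ignored, only backslash-escaped commas are recognised,
and multi-valued RDNs (a+b) are not supported.
"""
from __future__ import annotations

import re

# Split on commas that are not preceded by a backslash.
_RDN_SPLIT = re.compile(r"(?<!\\),")


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Return the DN as a leaf-first list of (type, value) pairs, normalised."""
    rdns = []
    for rdn in _RDN_SPLIT.split(dn):
        rdn = rdn.strip()
        if not rdn:
            continue
        if "=" not in rdn:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        attr_type, value = rdn.split("=", 1)
        rdns.append((attr_type.strip().lower(), value.strip().lower()))
    return rdns


def is_under(dn: str, base: str) -> bool:
    """True if dn is base itself or anywhere in the subtree below base.

    Compares RDN by RDN, so cn=accounts2,SUFFIX is not under cn=accounts,SUFFIX
    even though one string is a suffix of the other.
    """
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


class PluginScope:
    """Entries are in scope if under any included base and under no excluded base."""

    def __init__(self, include: list[str], exclude: list[str] = ()):
        self.include = list(include)
        self.exclude = list(exclude)

    def contains(self, dn: str) -> bool:
        if not any(is_under(dn, base) for base in self.include):
            return False
        return not any(is_under(dn, base) for base in self.exclude)


def should_update_membership(scope: PluginScope, group_dn: str, member_dn: str) -> bool:
    """Rule from the thread: touch memberOf/RI only when both group and member are Active."""
    return scope.contains(group_dn) and scope.contains(member_dn)


# Constructed FreeIPA-style DNs (hypothetical suffix and entry names).
SUFFIX = "dc=example,dc=com"
ACTIVE_USER = f"uid=alice,cn=users,cn=accounts,{SUFFIX}"
ACTIVE_GROUP = f"cn=admins,cn=groups,cn=accounts,{SUFFIX}"
STAGED_USER = f"uid=bob,cn=staged users,cn=provisioning,{SUFFIX}"
HOST = f"fqdn=web1.example.com,cn=computers,cn=accounts,{SUFFIX}"
NETGROUP = f"cn=web servers, cn=ng, cn=alt, {SUFFIX}"  # under cn=alt, not cn=accounts
PBAC_PRIVILEGE = f"cn=user administrators,cn=privileges,cn=pbac,{SUFFIX}"

# 1. Single-valued scope restricted to cn=accounts: the host -> netgroup case fails.
ACCOUNTS_ONLY = PluginScope(include=[f"cn=accounts,{SUFFIX}"])

# 2. Multi-valued include list: works until a container is forgotten (cn=pbac here).
CONTAINER_LIST = PluginScope(
    include=[f"cn=accounts,{SUFFIX}", f"cn=alt,{SUFFIX}", f"cn=hbac,{SUFFIX}"]
)

# 3. Whole suffix minus the provisioning tree: the approach preferred in the thread.
SUFFIX_MINUS_PROVISIONING = PluginScope(
    include=[SUFFIX], exclude=[f"cn=provisioning,{SUFFIX}"]
)


if __name__ == "__main__":
    for name, scope in [("accounts only", ACCOUNTS_ONLY),
                        ("container list", CONTAINER_LIST),
                        ("suffix minus provisioning", SUFFIX_MINUS_PROVISIONING)]:
        print(f"{name}:")
        print("  host added to netgroup updates memberOf:",
              should_update_membership(scope, NETGROUP, HOST))
        print("  pbac privilege in scope:", scope.contains(PBAC_PRIVILEGE))
        print("  staged user added to active group updates memberOf:",
              should_update_membership(scope, ACTIVE_GROUP, STAGED_USER))
```

Only the third scope passes all three checks: the netgroup under cn=alt is updated when the host is added, the pbac entry is in scope without anyone having edited the plugin configuration, and the staged user still gets no membership attributes. The RDN-by-RDN comparison in is_under is the part worth keeping in any real implementation; a plain string suffix test would let cn=accounts2,SUFFIX masquerade as part of cn=accounts,SUFFIX.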
