Hello,

   Following Petr remarks from the previous review, I modified the
   original fix to move it only in '.update' files.

   Thanks
   thierry

From d45e78dfeb7761348c464b3bb3956656bb115ce0 Mon Sep 17 00:00:00 2001
From: "Thierry bordaz (tbordaz)" <tbor...@redhat.com>
Date: Thu, 7 Aug 2014 16:29:02 +0200
Subject: [PATCH] User Life Cycle: create containers and scoping  DS plugins

User Life Cycle is designed http://www.freeipa.org/page/V4/User_Life-Cycle_Management
It manages 3 containers (Staging, Active, Delete). At install/upgrade Delete and Staging
containers needs to be created.
		Active: cn=users,cn=accounts,$SUFFIX
		Delete: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
		Stage:  cn=staged users ,cn=accounts,cn=provisioning,$SUFFIX

Plugins scopes:
		krbPrincipalName, krbCanonicalName, ipaUniqueID, uid:
			cn=accounts,SUFFIX
			cn=deleted users,cn=accounts,cn=provisioning,SUFFIX
		DNA:
			cn=accounts,SUFFIX

		Plugins exclude subtree:
		IPA UUID, Referential Integrity, memberOf:
			cn=provisioning,SUFFIX

Reviewed-By: Petr Viktorin <pvikt...@redhat.com>

https://fedorahosted.org/freeipa/ticket/3813
---
 install/updates/10-uniqueness.update   | 27 +++++++++++++++++++++++++++
 install/updates/20-dna.update          |  4 +++-
 install/updates/20-syncrepl.update     |  6 ++++++
 install/updates/30-provisioning.update | 22 ++++++++++++++++++++++
 install/updates/Makefile.am            |  1 +
 5 files changed, 59 insertions(+), 1 deletion(-)
 create mode 100644 install/updates/30-provisioning.update

diff --git a/install/updates/10-uniqueness.update b/install/updates/10-uniqueness.update
index a336d3480866f74b82b35280e6ed788f1abb992f..fd715f8a15130efae89287d50d779d3867560f7e 100644
--- a/install/updates/10-uniqueness.update
+++ b/install/updates/10-uniqueness.update
@@ -48,3 +48,30 @@ default:nsslapd-plugin-depends-on-type: database
 default:nsslapd-pluginId: NSUniqueAttr
 default:nsslapd-pluginVersion: 1.1.0
 default:nsslapd-pluginVendor: Fedora Project
+
+# uid uniqueness scopes Active/Delete containers
+dn: cn=attribute uniqueness,cn=plugins,cn=config
+remove:nsslapd-pluginarg1:'$SUFFIX'
+add:nsslapd-pluginarg1:'cn=accounts,$SUFFIX'
+add:nsslapd-pluginarg2:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
+remove:nsslapd-pluginenabled:off
+add:nsslapd-pluginenabled:on
+
+# krbPrincipalName uniqueness scopes Active/Delete containers
+dn: cn=krbPrincipalName uniqueness,cn=plugins,cn=config
+remove:nsslapd-pluginarg1:'$SUFFIX'
+add:nsslapd-pluginarg1:'cn=accounts,$SUFFIX'
+add:nsslapd-pluginarg2:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
+
+# krbCanonicalName uniqueness scopes Active/Delete containers
+dn: cn=krbCanonicalName uniqueness,cn=plugins,cn=config
+remove:nsslapd-pluginarg1:'$SUFFIX'
+add:nsslapd-pluginarg1:'cn=accounts,$SUFFIX'
+add:nsslapd-pluginarg2:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
+
+# ipaUniqueID uniqueness scopes Active/Delete containers
+dn: cn=ipaUniqueID uniqueness,cn=plugins,cn=config
+remove:nsslapd-pluginarg1:'$SUFFIX'
+add:nsslapd-pluginarg1:'cn=accounts,$SUFFIX'
+add:nsslapd-pluginarg2:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
+
diff --git a/install/updates/20-dna.update b/install/updates/20-dna.update
index 04047dd12787e589953e4f938a03d868de3ae93e..719195e9214ac293a3729f389504f39b46cd1aa2 100644
--- a/install/updates/20-dna.update
+++ b/install/updates/20-dna.update
@@ -2,9 +2,11 @@
 dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
 only:nsslapd-pluginEnabled: on
 
-# Change the magic value to -1
+# Change the magic value to -1 and restrict DNA to active accounts
 dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
 only:dnaMagicRegen: -1
+remove:dnaScope: '$SUFFIX'
+add:dnaScope: 'cn=accounts,$SUFFIX'
 
 dn: cn=ipa-winsync,cn=plugins,cn=config
 remove:ipaWinSyncUserAttr: uidNumber 999
diff --git a/install/updates/20-syncrepl.update b/install/updates/20-syncrepl.update
index e1184bf48285fb216dfb0c82e5e97bb8cc35539c..7a26f7b6883142116aa8947a5e8eb05cfc718439 100644
--- a/install/updates/20-syncrepl.update
+++ b/install/updates/20-syncrepl.update
@@ -10,11 +10,17 @@ add:nsslapd-changelogmaxage: 2d
 # indices for cn=changelog.
 dn: cn=MemberOf Plugin,cn=plugins,cn=config
 add:memberofentryscope: '$SUFFIX'
+add:memberofentryscopeexcludesubtree: 'cn=provisioning,$SUFFIX'
 
 dn: cn=referential integrity postoperation,cn=plugins,cn=config
 add:nsslapd-plugincontainerscope: '$SUFFIX'
 add:nsslapd-pluginentryscope: '$SUFFIX'
+add:nsslapd-pluginExcludeEntryScope: 'cn=provisioning,$SUFFIX'
 
 # Enable SyncRepl
 dn: cn=Content Synchronization,cn=plugins,cn=config
 only:nsslapd-pluginEnabled: on
+
+# Make sure IPA UUID does not generate ipaUniqueID for Stage/Delete entries
+dn: cn=IPA Unique IDs,cn=IPA UUID,cn=plugins,cn=config
+add:ipaUuidExcludeSubtree: 'cn=provisioning,$SUFFIX'
diff --git a/install/updates/30-provisioning.update b/install/updates/30-provisioning.update
new file mode 100644
index 0000000000000000000000000000000000000000..0992ed234841055ff418144ed9c2d31e638ea71a
--- /dev/null
+++ b/install/updates/30-provisioning.update
@@ -0,0 +1,22 @@
+# bootstrap the user life cycle DIT structure.
+
+dn: cn=provisioning,$SUFFIX
+add: objectclass: top
+add: objectclass: nsContainer
+add: cn: provisioning
+
+dn: cn=accounts,cn=provisioning,$SUFFIX
+add: objectclass: top
+add: objectclass: nsContainer
+add: cn: accounts
+
+dn: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
+add: objectclass: top
+add: objectclass: nsContainer
+add: cn: staged users
+
+dn: cn=Deleted users,cn=accounts,cn=provisioning,$SUFFIX
+add: objectclass: top
+add: objectclass: nsContainer
+add: cn: staged users
+
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index f26eaeee0d02ec05202fa159525ba8adcdeb3928..1d912a7d29552000d082aca58d345924ab84e11c 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -21,6 +21,7 @@ app_DATA =				\
 	21-ca_renewal_container.update	\
 	21-certstore_container.update	\
 	25-referint.update		\
+	30-provisioning.update		\
 	30-s4u2proxy.update		\
 	40-delegation.update		\
 	40-realm_domains.update		\
-- 
1.7.11.7

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to