On 08/18/2014 05:10 PM, Petr Viktorin wrote:
> On 08/18/2014 05:03 PM, thierry bordaz wrote:
>> On 08/18/2014 04:06 PM, Petr Viktorin wrote:
>>> On 08/14/2014 07:18 PM, thierry bordaz wrote:
>>>> Hello,
>>>> Following Petr's remarks from the previous review, I modified the
>>>> original fix to move it only into '.update' files.
>>>> Thanks
>>>> thierry
>>> Looks better, thanks!
>>> I've tested install and upgrades, everything works as expected.
>> :-) Thanks for your tests.
>>> Some whitespace issues:
>>> Applying: User Life Cycle: create containers and scoping DS plugins
>>> .git/rebase-apply/patch:44: new blank line at EOF.
>>> +
>>> .git/rebase-apply/patch:111: new blank line at EOF.
>>> +
>>> warning: 2 lines add whitespace errors.
>>> A tiny nitpick:
>>> +dn: cn=Deleted users,cn=accounts,cn=provisioning,$SUFFIX
>>> CN is case-insensitive, but the capital D does stand out.
>> Good! These extra lines sound like a familiar issue to me ;). I fixed this:
>> I removed the extra lines and lowercased it.
>> Basically it creates a new patch
>> freeipa-tbordaz-0001-3-User-Life-Cycle-new-containers-and-DS-plugin-scope.patch.
>> How should I proceed here, send a new review on freeipa-devel and/or
>> attach this patch (1.3) to the bug?
> Simply reply to this mail with the revised patch attached.
> As for attaching patches to the tickets, I've never done it and no one
> ever complained, so it's not necessary. But attach it if you like :)
Good to know :). Thanks
>>> Otherwise ACK. We want to push this together with your patch 0002,
>>> right?
>> Well, patch 0002 does not require 0001 (and the opposite as well).
>> Although they are both related to ULC, I separated them to make reviews
>> and dev simpler.
>> So if you are ok, I can push 0001 without the immediate need to push
>> 0002.
> OK
From 464bdcee06a647fe60144e00206f740822c9fee8 Mon Sep 17 00:00:00 2001
From: "Thierry bordaz (tbordaz)" <tbor...@redhat.com>
Date: Thu, 7 Aug 2014 16:29:02 +0200
Subject: [PATCH] User Life Cycle: create containers and scoping DS plugins
User Life Cycle is designed at http://www.freeipa.org/page/V4/User_Life-Cycle_Management
It manages 3 containers (Staging, Active, Delete). At install/upgrade, the Delete and Staging
containers need to be created.
Active: cn=users,cn=accounts,$SUFFIX
Delete: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
Stage: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
Plugins scopes:
krbPrincipalName, krbCanonicalName, ipaUniqueID, uid:
cn=accounts,SUFFIX
cn=deleted users,cn=accounts,cn=provisioning,SUFFIX
DNA:
cn=accounts,SUFFIX
Plugins exclude subtree:
IPA UUID, Referential Integrity, memberOf:
cn=provisioning,SUFFIX
Reviewed-By: Petr Viktorin <pvikt...@redhat.com>
https://fedorahosted.org/freeipa/ticket/3813
---
install/updates/10-uniqueness.update | 26 ++++++++++++++++++++++++++
install/updates/20-dna.update | 4 +++-
install/updates/20-syncrepl.update | 6 ++++++
install/updates/30-provisioning.update | 21 +++++++++++++++++++++
install/updates/Makefile.am | 1 +
5 files changed, 57 insertions(+), 1 deletion(-)
create mode 100644 install/updates/30-provisioning.update
diff --git a/install/updates/10-uniqueness.update b/install/updates/10-uniqueness.update
index a336d3480866f74b82b35280e6ed788f1abb992f..c9641c47fabdffdc278216b38abd606745781d41 100644
--- a/install/updates/10-uniqueness.update
+++ b/install/updates/10-uniqueness.update
@@ -48,3 +48,29 @@ default:nsslapd-plugin-depends-on-type: database
default:nsslapd-pluginId: NSUniqueAttr
default:nsslapd-pluginVersion: 1.1.0
default:nsslapd-pluginVendor: Fedora Project
+
+# uid uniqueness scopes Active/Delete containers
+dn: cn=attribute uniqueness,cn=plugins,cn=config
+remove:nsslapd-pluginarg1:'$SUFFIX'
+add:nsslapd-pluginarg1:'cn=accounts,$SUFFIX'
+add:nsslapd-pluginarg2:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
+remove:nsslapd-pluginenabled:off
+add:nsslapd-pluginenabled:on
+
+# krbPrincipalName uniqueness scopes Active/Delete containers
+dn: cn=krbPrincipalName uniqueness,cn=plugins,cn=config
+remove:nsslapd-pluginarg1:'$SUFFIX'
+add:nsslapd-pluginarg1:'cn=accounts,$SUFFIX'
+add:nsslapd-pluginarg2:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
+
+# krbCanonicalName uniqueness scopes Active/Delete containers
+dn: cn=krbCanonicalName uniqueness,cn=plugins,cn=config
+remove:nsslapd-pluginarg1:'$SUFFIX'
+add:nsslapd-pluginarg1:'cn=accounts,$SUFFIX'
+add:nsslapd-pluginarg2:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
+
+# ipaUniqueID uniqueness scopes Active/Delete containers
+dn: cn=ipaUniqueID uniqueness,cn=plugins,cn=config
+remove:nsslapd-pluginarg1:'$SUFFIX'
+add:nsslapd-pluginarg1:'cn=accounts,$SUFFIX'
+add:nsslapd-pluginarg2:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
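Review bot: the first block of this hunk (cn=attribute uniqueness, i.e. uid) flips nsslapd-pluginenabled from off to on, while the krbPrincipalName, krbCanonicalName and ipaUniqueID blocks only rescope; if turning on uid uniqueness is intended, say so in the comment, otherwise drop `remove:nsslapd-pluginenabled:off` / `add:nsslapd-pluginenabled:on` so the hunk is purely a scope change. The comment should also spell out the consequence of the new scope: with pluginarg1/pluginarg2 limited to cn=accounts and cn=deleted users, a staged entry under cn=provisioning may carry the same uid or krbPrincipalName as an active one and DS will not reject it, so whatever later activates a staged user has to perform that uniqueness check itself. Finally, `remove:nsslapd-pluginarg1:'$SUFFIX'` only removes that exact value; on a server whose scope was customised the old value stays alongside the new cn=accounts arg, so consider a form that replaces the value unconditionally.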
diff --git a/install/updates/20-dna.update b/install/updates/20-dna.update
index 04047dd12787e589953e4f938a03d868de3ae93e..719195e9214ac293a3729f389504f39b46cd1aa2 100644
--- a/install/updates/20-dna.update
+++ b/install/updates/20-dna.update
@@ -2,9 +2,11 @@
dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
only:nsslapd-pluginEnabled: on
-# Change the magic value to -1
+# Change the magic value to -1 and restrict DNA to active accounts
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
only:dnaMagicRegen: -1
+remove:dnaScope: '$SUFFIX'
+add:dnaScope: 'cn=accounts,$SUFFIX'
dn: cn=ipa-winsync,cn=plugins,cn=config
remove:ipaWinSyncUserAttr: uidNumber 999
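Review bot: `remove:dnaScope: '$SUFFIX'` followed by `add:dnaScope: 'cn=accounts,$SUFFIX'` only rescopes DNA when the current value is exactly $SUFFIX; the line just above uses `only:dnaMagicRegen: -1` to force a value regardless of what is there, and `only:dnaScope: 'cn=accounts,$SUFFIX'` would make the upgrade deterministic in the same way. The new comment should also state when staged entries get their POSIX IDs, since with this scope nothing under cn=provisioning is touched by DNA and assignment can only happen once the entry is in cn=accounts.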
diff --git a/install/updates/20-syncrepl.update b/install/updates/20-syncrepl.update
index e1184bf48285fb216dfb0c82e5e97bb8cc35539c..7a26f7b6883142116aa8947a5e8eb05cfc718439 100644
--- a/install/updates/20-syncrepl.update
+++ b/install/updates/20-syncrepl.update
@@ -10,11 +10,17 @@ add:nsslapd-changelogmaxage: 2d
# indices for cn=changelog.
dn: cn=MemberOf Plugin,cn=plugins,cn=config
add:memberofentryscope: '$SUFFIX'
+add:memberofentryscopeexcludesubtree: 'cn=provisioning,$SUFFIX'
dn: cn=referential integrity postoperation,cn=plugins,cn=config
add:nsslapd-plugincontainerscope: '$SUFFIX'
add:nsslapd-pluginentryscope: '$SUFFIX'
+add:nsslapd-pluginExcludeEntryScope: 'cn=provisioning,$SUFFIX'
# Enable SyncRepl
dn: cn=Content Synchronization,cn=plugins,cn=config
only:nsslapd-pluginEnabled: on
+
+# Make sure IPA UUID does not generate ipaUniqueID for Stage/Delete entries
+dn: cn=IPA Unique IDs,cn=IPA UUID,cn=plugins,cn=config
+add:ipaUuidExcludeSubtree: 'cn=provisioning,$SUFFIX'
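Review bot: excluding cn=provisioning from referential integrity (`nsslapd-pluginExcludeEntryScope`) and from memberOf needs a check that moving a user from cn=accounts into cn=deleted users still cleans up `member` references to it in active groups; if referint skips the renamed entry because its new DN falls in the excluded subtree, active groups keep dangling members pointing at deleted users, which is exactly the stale authorization data the life cycle is supposed to get rid of. Two smaller points: the IPA UUID exclusion at the end of this hunk has nothing to do with syncrepl and would be easier to find in 30-provisioning.update, and the new attribute names mix styles (memberofentryscopeexcludesubtree next to nsslapd-pluginExcludeEntryScope) while the surrounding context lines are all lowercase; LDAP does not care, but matching the file's convention helps when grepping.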
diff --git a/install/updates/30-provisioning.update b/install/updates/30-provisioning.update
new file mode 100644
index 0000000000000000000000000000000000000000..ef6d01a4441764fa7cb8cbb5a46ed14c32458c75
--- /dev/null
+++ b/install/updates/30-provisioning.update
@@ -0,0 +1,21 @@
+# bootstrap the user life cycle DIT structure.
+
+dn: cn=provisioning,$SUFFIX
+add: objectclass: top
+add: objectclass: nsContainer
+add: cn: provisioning
+
+dn: cn=accounts,cn=provisioning,$SUFFIX
+add: objectclass: top
+add: objectclass: nsContainer
+add: cn: accounts
+
+dn: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
+add: objectclass: top
+add: objectclass: nsContainer
+add: cn: staged users
+
+dn: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
+add: objectclass: top
+add: objectclass: nsContainer
+add: cn: staged users
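Review bot: the last entry is wrong: `dn: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX` is given `add: cn: staged users`, copied from the previous block; it has to be `add: cn: deleted users` so the cn attribute matches the RDN. While here, nothing in this file sets an aci on cn=provisioning or its children, so confirm which inherited ACIs apply there: staged entries are untrusted provisioning input, and ordinary users should not be able to write to (or, for anonymous bind, read) the staging and deleted containers.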
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index f26eaeee0d02ec05202fa159525ba8adcdeb3928..1d912a7d29552000d082aca58d345924ab84e11c 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -21,6 +21,7 @@ app_DATA = \
21-ca_renewal_container.update \
21-certstore_container.update \
25-referint.update \
+ 30-provisioning.update \
30-s4u2proxy.update \
40-delegation.update \
40-realm_domains.update \
--
1.7.11.7
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
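As an added illustration of the plugin scoping the commit message lists (this is not code from the patch, from FreeIPA or from 389-ds), the following Python models the scope and exclude-subtree rules with plain DN suffix matching and shows which of the three user containers each plugin acts on. The suffix dc=example,dc=com and the sample DNs are constructed for the example; the across_subtrees flag stands in for a plugin setting that decides whether the uniqueness check spans all configured subtrees or only the one containing the new entry, which the page does not state, so both behaviours are modelled.

```python
"""Model of the DS plugin scopes configured by the User Life Cycle patch.

Added example, not FreeIPA or 389-ds code. It reproduces the scope and
exclude-subtree lists from the commit message with simple DN suffix
matching, so you can see which entries a plugin would act on and which
duplicate uids the rescoped uniqueness plugin would still accept.
"""

SUFFIX = "dc=example,dc=com"  # assumed suffix, stands in for $SUFFIX

# Scopes from the commit message, keyed by plugin.
PLUGIN_SCOPES = {
    "uid uniqueness": {
        "scopes": [f"cn=accounts,{SUFFIX}",
                   f"cn=deleted users,cn=accounts,cn=provisioning,{SUFFIX}"],
        "excludes": [],
    },
    "DNA": {"scopes": [f"cn=accounts,{SUFFIX}"], "excludes": []},
    "memberOf": {"scopes": [SUFFIX], "excludes": [f"cn=provisioning,{SUFFIX}"]},
    "IPA UUID": {"scopes": [SUFFIX], "excludes": [f"cn=provisioning,{SUFFIX}"]},
}


def normalize_dn(dn):
    """Case-fold types and values and strip spaces around '=' and ',' so that
    'cn=Deleted users' and 'cn=deleted users' compare equal (escaped commas
    are not handled; the sample DNs contain none)."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


def is_under(dn, base):
    """True if dn is base itself or lies somewhere below it."""
    dn, base = normalize_dn(dn), normalize_dn(base)
    return dn == base or dn.endswith("," + base)


def in_scope(plugin, dn):
    """Does the plugin act on entry dn under its scopes minus its excludes?"""
    cfg = PLUGIN_SCOPES[plugin]
    if any(is_under(dn, ex) for ex in cfg["excludes"]):
        return False
    return any(is_under(dn, sc) for sc in cfg["scopes"])


def uniqueness_conflict(existing, new_dn, new_uid, across_subtrees=False):
    """Would adding uid=new_uid at new_dn be rejected by 'uid uniqueness'?

    existing is a list of (dn, uid). With across_subtrees=False the uid only
    has to be unique within the configured subtree that contains new_dn; with
    True it has to be unique over all configured subtrees (assumed plugin
    setting, see lead-in). Entries outside every scope are never checked."""
    cfg = PLUGIN_SCOPES["uid uniqueness"]
    if not in_scope("uid uniqueness", new_dn):
        return False  # e.g. staged users: the plugin ignores them entirely
    if across_subtrees:
        checked = cfg["scopes"]
    else:
        checked = [sc for sc in cfg["scopes"] if is_under(new_dn, sc)]
    return any(uid == new_uid and any(is_under(dn, sc) for sc in checked)
               for dn, uid in existing)


# Constructed sample entries: the same uid in each of the three containers.
ACTIVE = f"uid=jdoe,cn=users,cn=accounts,{SUFFIX}"
STAGED = f"uid=jdoe,cn=staged users,cn=accounts,cn=provisioning,{SUFFIX}"
DELETED = f"uid=jdoe,cn=deleted users,cn=accounts,cn=provisioning,{SUFFIX}"


def report():
    """Summarise what each plugin does with the staged/deleted copies of jdoe."""
    existing = [(ACTIVE, "jdoe")]
    return {
        "staged entry gets memberOf": in_scope("memberOf", STAGED),
        "staged entry gets DNA ids": in_scope("DNA", STAGED),
        "staged entry gets ipaUniqueID": in_scope("IPA UUID", STAGED),
        "staged duplicate uid rejected": uniqueness_conflict(existing, STAGED, "jdoe"),
        "deleted duplicate uid rejected (per subtree)":
            uniqueness_conflict(existing, DELETED, "jdoe"),
        "deleted duplicate uid rejected (across subtrees)":
            uniqueness_conflict(existing, DELETED, "jdoe", across_subtrees=True),
    }


if __name__ == "__main__":
    for check, result in report().items():
        print(f"{check}: {result}")
```

The point the model makes is the one a reviewer of the 10-uniqueness hunk would raise: a staged entry is outside every uniqueness scope, so a duplicate uid there is accepted regardless of how the plugin is configured, and the activation step has to check it; whether a deleted user may share a uid with an active one depends on the across-subtrees behaviour of the DS build, which is worth verifying on a test server before relying on it.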