On 08/18/2014 05:10 PM, Petr Viktorin wrote:
On 08/18/2014 05:03 PM, thierry bordaz wrote:
On 08/18/2014 04:06 PM, Petr Viktorin wrote:
On 08/14/2014 07:18 PM, thierry bordaz wrote:
Hello,

    Following Petr's remarks from the previous review, I modified the
    original fix to move it only in '.update' files.

    Thanks
    thierry


Looks better, thanks!
I've tested install and upgrades, everything works as expected.
:-) . Thanks for your tests.


Some whitespace issues:

Applying: User Life Cycle: create containers and scoping DS plugins
.git/rebase-apply/patch:44: new blank line at EOF.
+
.git/rebase-apply/patch:111: new blank line at EOF.
+
warning: 2 lines add whitespace errors.


A tiny nitpick:
+dn: cn=Deleted users,cn=accounts,cn=provisioning,$SUFFIX

CN is case-insensitive, but the capital D does stand out.

Good! These extra lines sound like a familiar issue to me ;). I fixed this
and I removed the extra lines and lowercase.
Basically it creates a new patch
freeipa-tbordaz-0001-3-User-Life-Cycle-new-containers-and-DS-plugin-scope.patch.

How should I proceed here, send a new review on freeipa-devel and/or
attach this patch (1.3) to the bug?

Simply reply to this mail with the revised patch attached.

As for attaching patches to the tickets, I've never done it and no one ever complained, so it's not necessary. But attach it if you like :)

Good to know :). Thanks

Otherwise ACK. We want to push this together with your patch 0002, right?
Well, patch 0002 does not require 0001 (and the opposite as well).
Although they are both related to ULC, I separated them to make reviews
and dev simpler.
So if you are ok, I can push 0001 without the immediate need to push 0002.

OK



From 464bdcee06a647fe60144e00206f740822c9fee8 Mon Sep 17 00:00:00 2001
From: "Thierry bordaz (tbordaz)" <tbor...@redhat.com>
Date: Thu, 7 Aug 2014 16:29:02 +0200
Subject: [PATCH] User Life Cycle: create containers and scoping  DS plugins

User Life Cycle is designed http://www.freeipa.org/page/V4/User_Life-Cycle_Management
It manages 3 containers (Staging, Active, Delete). At install/upgrade Delete and Staging
containers need to be created.
		Active: cn=users,cn=accounts,$SUFFIX
		Delete: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
		Stage:  cn=staged users ,cn=accounts,cn=provisioning,$SUFFIX

Plugins scopes:
		krbPrincipalName, krbCanonicalName, ipaUniqueID, uid:
			cn=accounts,SUFFIX
			cn=deleted users,cn=accounts,cn=provisioning,SUFFIX
		DNA:
			cn=accounts,SUFFIX

		Plugins exclude subtree:
		IPA UUID, Referential Integrity, memberOf:
			cn=provisioning,SUFFIX

Reviewed-By: Petr Viktorin <pvikt...@redhat.com>

https://fedorahosted.org/freeipa/ticket/3813
---
 install/updates/10-uniqueness.update   | 26 ++++++++++++++++++++++++++
 install/updates/20-dna.update          |  4 +++-
 install/updates/20-syncrepl.update     |  6 ++++++
 install/updates/30-provisioning.update | 21 +++++++++++++++++++++
 install/updates/Makefile.am            |  1 +
 5 files changed, 57 insertions(+), 1 deletion(-)
 create mode 100644 install/updates/30-provisioning.update

diff --git a/install/updates/10-uniqueness.update b/install/updates/10-uniqueness.update
index a336d3480866f74b82b35280e6ed788f1abb992f..c9641c47fabdffdc278216b38abd606745781d41 100644
--- a/install/updates/10-uniqueness.update
+++ b/install/updates/10-uniqueness.update
@@ -48,3 +48,29 @@ default:nsslapd-plugin-depends-on-type: database
 default:nsslapd-pluginId: NSUniqueAttr
 default:nsslapd-pluginVersion: 1.1.0
 default:nsslapd-pluginVendor: Fedora Project
+
+# uid uniqueness scopes Active/Delete containers
+dn: cn=attribute uniqueness,cn=plugins,cn=config
+remove:nsslapd-pluginarg1:'$SUFFIX'
+add:nsslapd-pluginarg1:'cn=accounts,$SUFFIX'
+add:nsslapd-pluginarg2:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
+remove:nsslapd-pluginenabled:off
+add:nsslapd-pluginenabled:on
+
+# krbPrincipalName uniqueness scopes Active/Delete containers
+dn: cn=krbPrincipalName uniqueness,cn=plugins,cn=config
+remove:nsslapd-pluginarg1:'$SUFFIX'
+add:nsslapd-pluginarg1:'cn=accounts,$SUFFIX'
+add:nsslapd-pluginarg2:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
+
+# krbCanonicalName uniqueness scopes Active/Delete containers
+dn: cn=krbCanonicalName uniqueness,cn=plugins,cn=config
+remove:nsslapd-pluginarg1:'$SUFFIX'
+add:nsslapd-pluginarg1:'cn=accounts,$SUFFIX'
+add:nsslapd-pluginarg2:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
+
+# ipaUniqueID uniqueness scopes Active/Delete containers
+dn: cn=ipaUniqueID uniqueness,cn=plugins,cn=config
+remove:nsslapd-pluginarg1:'$SUFFIX'
+add:nsslapd-pluginarg1:'cn=accounts,$SUFFIX'
+add:nsslapd-pluginarg2:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
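Review bot: only the first block (cn=attribute uniqueness) switches nsslapd-pluginenabled from off to on; the krbPrincipalName, krbCanonicalName and ipaUniqueID blocks change the scope arguments but leave the enabled state alone. If those three plugins are expected to be enabled already, a short comment saying so would make the asymmetry intentional; otherwise they need the same toggle. The remove/add pair for nsslapd-pluginenabled could also be written with only:, as 20-dna.update does for nsslapd-pluginEnabled. Separately, each "remove:nsslapd-pluginarg1:'$SUFFIX'" matches only when the stored value is exactly that string, so it is worth stating what the upgrade is expected to do on a server where arg1 has been changed from the default.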
diff --git a/install/updates/20-dna.update b/install/updates/20-dna.update
index 04047dd12787e589953e4f938a03d868de3ae93e..719195e9214ac293a3729f389504f39b46cd1aa2 100644
--- a/install/updates/20-dna.update
+++ b/install/updates/20-dna.update
@@ -2,9 +2,11 @@
 dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
 only:nsslapd-pluginEnabled: on
 
-# Change the magic value to -1
+# Change the magic value to -1 and restrict DNA to active accounts
 dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
 only:dnaMagicRegen: -1
+remove:dnaScope: '$SUFFIX'
+add:dnaScope: 'cn=accounts,$SUFFIX'
 
 dn: cn=ipa-winsync,cn=plugins,cn=config
 remove:ipaWinSyncUserAttr: uidNumber 999
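Review bot: the dnaScope change under cn=Posix IDs is a remove/add pair, while the line directly above it uses only: for dnaMagicRegen. The remove matches only when the current value is exactly '$SUFFIX', so on a server where the scope was customised the old value stays and the add either fails or leaves two scopes, depending on whether the attribute accepts a second value. If the intent is to force the scope, "only:dnaScope: cn=accounts,$SUFFIX" says that directly and is consistent with the neighbouring line. The new comment says "active accounts", but the scope is the whole cn=accounts subtree; wording it that way would be more exact.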
diff --git a/install/updates/20-syncrepl.update b/install/updates/20-syncrepl.update
index e1184bf48285fb216dfb0c82e5e97bb8cc35539c..7a26f7b6883142116aa8947a5e8eb05cfc718439 100644
--- a/install/updates/20-syncrepl.update
+++ b/install/updates/20-syncrepl.update
@@ -10,11 +10,17 @@ add:nsslapd-changelogmaxage: 2d
 # indices for cn=changelog.
 dn: cn=MemberOf Plugin,cn=plugins,cn=config
 add:memberofentryscope: '$SUFFIX'
+add:memberofentryscopeexcludesubtree: 'cn=provisioning,$SUFFIX'
 
 dn: cn=referential integrity postoperation,cn=plugins,cn=config
 add:nsslapd-plugincontainerscope: '$SUFFIX'
 add:nsslapd-pluginentryscope: '$SUFFIX'
+add:nsslapd-pluginExcludeEntryScope: 'cn=provisioning,$SUFFIX'
 
 # Enable SyncRepl
 dn: cn=Content Synchronization,cn=plugins,cn=config
 only:nsslapd-pluginEnabled: on
+
+# Make sure IPA UUID does not generate ipaUniqueID for Stage/Delete entries
+dn: cn=IPA Unique IDs,cn=IPA UUID,cn=plugins,cn=config
+add:ipaUuidExcludeSubtree: 'cn=provisioning,$SUFFIX'
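Review bot: the cn=IPA Unique IDs block at the end is not related to SyncRepl and lands after the "# Enable SyncRepl" entry, so it is easy to miss in this file; 30-provisioning.update, or a file named for the UUID plugin, would be a more discoverable home. All three exclusions added here point at cn=provisioning,$SUFFIX, which is only created by 30-provisioning.update, so please confirm the plugins accept an exclude subtree that does not exist yet when this file is applied. Attribute-name casing is also mixed across the three additions (memberofentryscopeexcludesubtree, nsslapd-pluginExcludeEntryScope, ipaUuidExcludeSubtree); matching the schema's spelling throughout would help anyone grepping for them.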
diff --git a/install/updates/30-provisioning.update b/install/updates/30-provisioning.update
new file mode 100644
index 0000000000000000000000000000000000000000..ef6d01a4441764fa7cb8cbb5a46ed14c32458c75
--- /dev/null
+++ b/install/updates/30-provisioning.update
@@ -0,0 +1,21 @@
+# bootstrap the user life cycle DIT structure.
+
+dn: cn=provisioning,$SUFFIX
+add: objectclass: top
+add: objectclass: nsContainer
+add: cn: provisioning
+
+dn: cn=accounts,cn=provisioning,$SUFFIX
+add: objectclass: top
+add: objectclass: nsContainer
+add: cn: accounts
+
+dn: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
+add: objectclass: top
+add: objectclass: nsContainer
+add: cn: staged users
+
+dn: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
+add: objectclass: top
+add: objectclass: nsContainer
+add: cn: staged users
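Review bot: the last entry, "dn: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX", sets "add: cn: staged users", which looks like a copy-paste from the entry above it. The cn value should match the RDN, so this line should read "add: cn: deleted users"; as written the entry either fails to be added or ends up carrying a cn that names the wrong container. Since the uniqueness plugins in 10-uniqueness.update are scoped to this DN, it is worth re-testing a fresh install and an upgrade after the fix to confirm the container exists with the expected attributes.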
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index f26eaeee0d02ec05202fa159525ba8adcdeb3928..1d912a7d29552000d082aca58d345924ab84e11c 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -21,6 +21,7 @@ app_DATA =				\
 	21-ca_renewal_container.update	\
 	21-certstore_container.update	\
 	25-referint.update		\
+	30-provisioning.update		\
 	30-s4u2proxy.update		\
 	40-delegation.update		\
 	40-realm_domains.update		\
-- 
1.7.11.7
