Admins need the ability to specify the token ID in the case of imports. However, generally, this ability is not needed.
Is it possible to offload the ID generation to the ipa-uuid plugin? I'm not quite sure how to enable this (I think it involves passing a magic value?). But I'm not quite sure how this fits in with the IPA framework as the generated value is the DN. However, assuming this can be used, I propose the following. The token ID is removed from the UI for regular users (but retained for admins). We change the ACIs for token addition/modification to prevent regular users from specifying the ID in an add or mod operation. The CLI would retain the option to set it, but this option would only be usable by admins. Make sense? _______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel