On Thu, Aug 28, 2014 at 08:41:57PM +0200, thierry bordaz wrote:
> On 08/28/2014 08:30 PM, Sumit Bose wrote:
> >On Thu, Aug 28, 2014 at 07:26:51PM +0200, thierry bordaz wrote:
> >>On 08/28/2014 06:51 PM, Sumit Bose wrote:
> >>>On Thu, Aug 14, 2014 at 07:18:40PM +0200, thierry bordaz wrote:
> >>>>Hello,
> >>>>
> >>>>    Following Petr's remarks from the previous review, I modified the
> >>>>    original fix to move it only into '.update' files.
> >>>>
> >>>>    Thanks
> >>>>    thierry
> >>>>
> >>>>From d45e78dfeb7761348c464b3bb3956656bb115ce0 Mon Sep 17 00:00:00 2001
> >>>>From: "Thierry bordaz (tbordaz)" <tbor...@redhat.com>
> >>>>Date: Thu, 7 Aug 2014 16:29:02 +0200
> >>>>Subject: [PATCH] User Life Cycle: create containers and scoping DS
> >>>>plugins
> >>>>
> >>>>User Life Cycle is designed at
> >>>>http://www.freeipa.org/page/V4/User_Life-Cycle_Management
> >>>>It manages 3 containers (Staging, Active, Delete). At install/upgrade
> >>>>the Delete and Staging containers need to be created.
> >>>>    Active: cn=users,cn=accounts,$SUFFIX
> >>>>    Delete: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
> >>>>    Stage:  cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
> >>>>
> >>>>Plugin scopes:
> >>>>    krbPrincipalName, krbCanonicalName, ipaUniqueID, uid:
> >>>>        cn=accounts,SUFFIX
> >>>>        cn=deleted users,cn=accounts,cn=provisioning,SUFFIX
> >>>>    DNA:
> >>>>        cn=accounts,SUFFIX
> >>>Hi Thierry,
> >>>
> >>>sorry for being late, but cn=accounts,SUFFIX is too strict for the DNA
> >>>plugin. We need to generate a UID for the trusted domain objects as
> >>>well, which are stored in cn=trusts,SUFFIX. The reason is that AD
> >>>expects to be able to connect with a special trusted domain account. We
> >>>generate this account on the fly based on the data in the trusted domain
> >>>object, hence we need a UID here.
> >>>
> >>>Since it looks like dnaScope is a SINGLE-VALUE attribute I think
> >>>dnaScope has to be reverted to SUFFIX. Do you see any drawbacks or a
> >>>different solution?
> >>>
> >>>bye,
> >>>Sumit
> >>Hello Sumit,
> >>
> >>    Thank you so much for having reviewed this fix and for your important
> >>    feedback!
> >>
> >>    Yes, I had the same fear about restricting DNA to 'accounts'. I opened
> >>    https://fedorahosted.org/389/ticket/47828
> >>    to allow excluding a part of the DIT (here
> >>    'cn=provisioning,SUFFIX') from the scope of the DNA plugin.
> >>    Do you think it can address this concern?
> >Yes, in general this would fix the issue. I'm just wondering if it
> >wouldn't be easier with respect to coding and management to make
> >dnaScope a multi-value attribute?
> >
> >Additionally a fix for IPA master is needed to make trusts work again.
> >Would it be possible to tweak the filter to skip objects in
> >cn=provisioning? E.g. do those objects have the ipaObject objectclass?
> Yes, stage entries have 'objectclass=ipaObject'.
> Do you suggest removing this oc from staged entries, so that the filter
> will not match them? I have to check the impact of staged users not being
> ipaObject.

no, it was just a suggestion. Maybe we can use entryDN like:

(&(|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDobject))(!(entrydn=*cn=provisioning*)))

bye,
Sumit

>
>     thanks
>     thierry
> >
> >bye,
> >Sumit
> >
> >>    thanks
> >>    thierry
> >>
> >>>>    Plugins exclude subtree:
> >>>>    IPA UUID, Referential Integrity, memberOf:
> >>>>        cn=provisioning,SUFFIX
> >>>>
> >>>>Reviewed-By: Petr Viktorin <pvikt...@redhat.com>
> >>>>
> >>>>https://fedorahosted.org/freeipa/ticket/3813
> >>>>---

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
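The question behind the thread is which entries a DNA filter selects once the provisioning subtree is carved out of it: active users and groups under cn=accounts and the trusted domain objects under cn=trusts must still get a UID, while staged and deleted users under cn=provisioning must not. The script below is an added example, not code from the thread, FreeIPA or 389-ds: it implements just enough of the RFC 4515 filter grammar (and, or, not, equality, substring with '*') to evaluate the entryDN filter Sumit quoted against a few constructed entries. The suffix dc=example,dc=com, the user, group and trust DNs, and the helper names parse_filter, matches, make_entry and in_dna_scope are all invented for the demonstration.

```python
"""Evaluate the proposed DNA filter against constructed LDAP entries.

Added example, not from the freeipa-devel thread or the FreeIPA/389-ds
code base.  Only the subset of RFC 4515 the filter needs is implemented
(&, |, !, equality, substring with '*'); escapes and extensible matching
are not supported.  The suffix and all DNs below are made up.
"""
import re

# The filter quoted from Sumit's reply.
DNA_FILTER = ("(&(|(objectClass=posixAccount)(objectClass=posixGroup)"
              "(objectClass=ipaIDobject))(!(entrydn=*cn=provisioning*)))")


def parse_filter(text):
    """Parse a minimal RFC 4515 filter into nested tuples:
    ('&', [..]) / ('|', [..]) / ('!', node) / ('=', attr, value)."""
    def parse(i):
        if text[i] != '(':
            raise ValueError("expected '(' at %d" % i)
        i += 1
        if text[i] in '&|':
            op, i, children = text[i], i + 1, []
            while text[i] == '(':
                node, i = parse(i)
                children.append(node)
            if text[i] != ')':
                raise ValueError("expected ')' at %d" % i)
            return (op, children), i + 1
        if text[i] == '!':
            node, i = parse(i + 1)
            if text[i] != ')':
                raise ValueError("expected ')' at %d" % i)
            return ('!', node), i + 1
        end = text.index(')', i)          # simple item: attr=value
        attr, sep, value = text[i:end].partition('=')
        if not sep:
            raise ValueError("only equality/substring items are supported")
        return ('=', attr.lower(), value), end + 1

    node, i = parse(0)
    if i != len(text):
        raise ValueError("trailing garbage after filter")
    return node


def matches(node, entry):
    """Evaluate a parsed filter against an entry (attr -> list of values).
    Names and values are compared case-insensitively, as the caseIgnore
    matching rules of objectClass and entryDN do."""
    kind = node[0]
    if kind == '&':
        return all(matches(c, entry) for c in node[1])
    if kind == '|':
        return any(matches(c, entry) for c in node[1])
    if kind == '!':
        return not matches(node[1], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if '*' in value:                      # substring (or presence) item
        pattern = '.*'.join(re.escape(part) for part in value.split('*'))
        return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in values)
    return any(v.lower() == value.lower() for v in values)


def make_entry(dn, **attrs):
    """Build an entry dict.  entryDN is an operational attribute the
    server derives from the DN, so it is filled in here the same way."""
    entry = {'entrydn': [dn]}
    for name, vals in attrs.items():
        entry[name.lower()] = list(vals)
    return entry


# Constructed sample entries, one per container named in the thread.
SUFFIX = 'dc=example,dc=com'
ENTRIES = [
    make_entry('uid=alice,cn=users,cn=accounts,' + SUFFIX,
               objectClass=['posixAccount', 'ipaObject']),
    make_entry('uid=bob,cn=staged users,cn=accounts,cn=provisioning,' + SUFFIX,
               objectClass=['posixAccount', 'ipaObject']),
    make_entry('uid=carol,cn=deleted users,cn=accounts,cn=provisioning,' + SUFFIX,
               objectClass=['posixAccount', 'ipaObject']),
    make_entry('cn=admins,cn=groups,cn=accounts,' + SUFFIX,
               objectClass=['posixGroup']),
    make_entry('cn=ad.example.com,cn=ad,cn=trusts,' + SUFFIX,
               objectClass=['ipaIDobject']),
    make_entry('idnsname=example.com,cn=dns,' + SUFFIX,
               objectClass=['idnsZone']),
]


def in_dna_scope(filter_text, entries):
    """Return the DNs of the entries the filter selects, in input order."""
    node = parse_filter(filter_text)
    return [e['entrydn'][0] for e in entries if matches(node, e)]


if __name__ == '__main__':
    for dn in in_dna_scope(DNA_FILTER, ENTRIES):
        print(dn)
```

Run stand-alone it lists alice, the admins group and the trusted domain object, and leaves out the staged and deleted users as well as the DNS zone. Two points worth keeping in mind when such a filter goes into a real dnaFilter: the exclusion is a substring match over the whole DN, so it also drops any entry whose DN merely happens to contain "cn=provisioning" somewhere, and it silently stops excluding the subtree if the provisioning container is ever renamed. A subtree exclusion on the plugin scope, the approach of the 389 ticket mentioned in the thread, does not have either property.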