On 08/28/2014 08:58 PM, Sumit Bose wrote:
> On Thu, Aug 28, 2014 at 08:41:57PM +0200, thierry bordaz wrote:
>> On 08/28/2014 08:30 PM, Sumit Bose wrote:
>>> On Thu, Aug 28, 2014 at 07:26:51PM +0200, thierry bordaz wrote:
>>>> On 08/28/2014 06:51 PM, Sumit Bose wrote:
>>>>> On Thu, Aug 14, 2014 at 07:18:40PM +0200, thierry bordaz wrote:
>>>>>> Following Petr's remarks from the previous review, I modified the
>>>>>> original fix to move it only into '.update' files.
>>>>>>
>>>>>> From d45e78dfeb7761348c464b3bb3956656bb115ce0 Mon Sep 17 00:00:00 2001
>>>>>> From: "Thierry bordaz (tbordaz)" <tbor...@redhat.com>
>>>>>> Date: Thu, 7 Aug 2014 16:29:02 +0200
>>>>>> Subject: [PATCH] User Life Cycle: create containers and scoping DS plugins
>>>>>>
>>>>>> User Life Cycle is designed
>>>>>> It manages 3 containers (Staging, Active, Delete). At install/upgrade Delete
>>>>>> containers need to be created.
>>>>>> Delete: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
>>>>>> Stage: cn=staged users ,cn=accounts,cn=provisioning,$SUFFIX
>>>>>> krbPrincipalName, krbCanonicalName, ipaUniqueID, uid:
>>>>> sorry for being late, but cn=accounts,SUFFIX is too strict for the DNA
>>>>> plugin. We need to generate a UID for the trusted domain objects as
>>>>> well which are stored in cn=trusts,SUFFIX. The reason is that AD
>>>>> expects to be able to connect with a special trusted domain account. We
>>>>> generate this account on the fly based on the data in the trusted domain
>>>>> object hence we need a UID here.
>>>>> Since it looks like dnaScope is a SINGLE-VALUE attribute I think
>>>>> dnaScope has to be reverted to SUFFIX. Do you see any drawbacks or a
>>>> Thank you so much for having reviewed this fix and your important
>>>> Yes I had the same fear to restrict DNA to 'accounts'. I opened
>>>> to allow to exclude a part of the DIT (here
>>>> 'cn=provisioning,SUFFIX') from the scope of DNA plugin.
>>>> Do you think it can address this concern?
>>> Yes, in general this would fix the issue. I'm just wondering if it
>>> wouldn't be easier with respect to coding and management to make
>>> dnaScope a multi-value attribute?
>>> Additionally a fix for IPA master is needed to make trusts work again.
>>> Would it be possible to tweak the filter to skip objects in
>>> cn=provisioning? E.g. do those objects have the ipaObject objectclass?
>> Yes, stage entries have 'objectclass=ipaObject'.
>> Do you suggest removing this oc from staged entries, so that the filter
>> will not match it? I have to check the impact of stage user not being
> no, it was just a suggestion. Maybe we can use entryDN like:
Oh great, I like this idea!
Unfortunately it does not work as expected.
In fact 'entrydn' is not present in the added entry when the DNA
preop-plugin is called (it is added later).

As stage entries may get added with an external provisioning system,
I cannot rely on any fixed attribute value to skip them from DNA.

Also setting this filter and adding a stage user had a curious
impact as it sets uidNumber/gidNumber to -2.
I believe this is because the filter is true in the preadd (entrydn
does not exist) so the dna preop sets the uid/gidNumber to -2, and
when the bepreop is called (entrydn has been added) the filter is false
and the transient value -2 is not set to -1 :-)

So I rely on checking the entry DN vs the scope to prevent DNA from
allocating a number, and I will work on ticket 47828.
Plugins exclude subtree:
IPA UUID, Referential Integrity, memberOf:
Reviewed-By: Petr Viktorin <pvikt...@redhat.com>
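As an added illustration of the approach the reply above settles on (comparing the ADD target DN against the DNA scope instead of filtering on 'entrydn', which is not yet present when the pre-op runs), the following Python is not code from the patch or from the 389-ds DNA plugin. The suffix and entry DNs are constructed, and the attribute name dnaExcludeScope for the subtree exclusion of ticket 47828 is an assumption.

```python
# Added example (not code from the patch or the 389-ds DNA plugin): a
# scope check of the kind the thread ends on -- compare the ADD target DN
# against the DNA scope, rather than filtering on the 'entrydn' attribute,
# which is not present yet when the DNA pre-op runs.
from typing import Iterable, List, Tuple

SUFFIX = "dc=example,dc=com"  # constructed suffix standing in for $SUFFIX


def normalize_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attr, value) RDNs, lowercased and whitespace-trimmed.

    Simplified normalization (no escaped commas or multi-valued RDNs); it is
    enough to make 'cn=staged users ,cn=accounts' match 'cn=staged users,cn=accounts'.
    """
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append((attr.strip().lower(), " ".join(value.split()).lower()))
    return rdns


def is_under(dn: str, base: str) -> bool:
    """True if dn equals base or is located somewhere beneath it."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def dna_should_allocate(entry_dn: str, scope: str, exclude_scopes: Iterable[str]) -> bool:
    """Decide whether DNA may assign uidNumber/gidNumber to the entry being added.

    scope models the single-valued dnaScope; exclude_scopes models the subtree
    exclusion requested in ticket 47828 (the attribute name dnaExcludeScope is
    an assumption here, not something the thread states).
    """
    if not is_under(entry_dn, scope):
        return False
    return not any(is_under(entry_dn, ex) for ex in exclude_scopes)


# Constructed DNs mirroring the thread: dnaScope widened back to SUFFIX so
# that trusted-domain objects under cn=trusts get a UID, while the staging
# and deleted-users containers under cn=provisioning are skipped.
PROVISIONING = f"cn=provisioning,{SUFFIX}"

if __name__ == "__main__":
    for dn in (f"uid=alice,cn=users,cn=accounts,{SUFFIX}",
               f"cn=ad.example.test,cn=ad,cn=trusts,{SUFFIX}",
               f"uid=bob,cn=staged users ,cn=accounts,{PROVISIONING}",
               f"uid=carol,cn=deleted users,cn=accounts,{PROVISIONING}"):
        print(dn, "->", dna_should_allocate(dn, SUFFIX, [PROVISIONING]))
```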
Freeipa-devel mailing list