[Freeipa-devel] [PATCHES] 0080-0081 Add userClass attributes for users and hosts

Ana Krivokapic akrivoka at redhat.com
Wed Nov 13 12:33:47 UTC 2013


On 11/12/2013 01:27 PM, Ana Krivokapic wrote:
> On 10/30/2013 09:56 PM, Martin Kosek wrote:
>> ----- Original Message -----
>>> From: "Simo Sorce" <simo at redhat.com>
>>> To: "Ana Krivokapic" <akrivoka at redhat.com>
>>> Cc: "Martin Kosek" <mkosek at redhat.com>, "freeipa-devel" <freeipa-devel at redhat.com>
>>> Sent: Wednesday, October 30, 2013 7:11:20 PM
>>> Subject: Re: [Freeipa-devel] [PATCHES] 0080-0081 Add userClass attributes for users and hosts
>>>
>>> On Wed, 2013-10-30 at 19:01 +0100, Ana Krivokapic wrote:
>>>> On 10/29/2013 02:04 PM, Simo Sorce wrote:
>>>>> On Tue, 2013-10-29 at 12:42 +0100, Martin Kosek wrote:
>>>>>> On 10/29/2013 10:49 AM, Ana Krivokapic wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> Patch 0080 adds userClass attribute for users to IPA CLI.
>>>>>>> Patch 0081 adds userClass attribute for users and hosts to the web UI.
>>>>>>>
>>>>>>> Design page:
>>>>>>> http://www.freeipa.org/page/V3/Integration_with_a_provisioning_systems
>>>>>>>
>>>>>>> Tickets:
>>>>>>> https://fedorahosted.org/freeipa/ticket/3588
>>>>>>> https://fedorahosted.org/freeipa/ticket/3590
>>>>>> NACK to just extending posixAccount objectclass. This is a standard objectclass
>>>>>> defined by RFC 2307 and we cannot just simply extend and overwrite it as we wish.
>>>>> Uhh indeed this is a big No-no.
>>>>>
>>>>>> We will need to come up with some custom objectclass, like ipaUser. This is the
>>>>>> reason why I wrote to ticket "A second goal of this ticket is to review current
>>>>>> objectClass hierarchy of users and do changes if needed." so that we can pick
>>>>>> the best option where to place it.
>>>>> userClass is used in ipaHost, so I guess it could instead be added to an
>>>>> ipa objectclass. ipaObject might be used perhaps, otherwise we'll need a
>>>>> new ipaUser objectclass.
>>>>>
>>>>> Simo.
>>>>>
>>>> If there are no objections to using the ipaObject objectclass, the attached
>>>> patches implement this approach.
>>> After some thinking ipaObject is more generic than just users, not sure
>>> that attaching userClass there is appropriate. I think we really need
>>> ipaUser at this point.
>> +1. I also do not think that ipaObject is the right OC to place the attribute, it is just too general.
>>
>> Let's go with the ipaUser objectClass, looking something like that:
>>
>> ( <OID> NAME 'ipaUser' AUXILIARY MUST ( uid ) MAY ( userClass ) X-ORIGIN 'IPA v3' )
>>
>> We will need to add the OC when needed, we cannot just add it to default list. Ideally, we could also implement
>> https://fedorahosted.org/freeipa/ticket/3922
>> in scope of this effort as this need to add additional OCs is piling up.
>>
>> Martin
> This implementation introduces a new objectclass 'ipaUser'.

The web UI patch needed an update as well, as we need to allow writing the
userClass attribute even when the ipaUser objectclass is not (yet) set on the
user object. Thanks Petr for pointing it out.

Attaching both patches again (the CLI patch has not changed since the last
iteration).

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-akrivoka-0081-03-WebUI-Add-userClass-attribute-to-user-and-host-pages.patch
Type: text/x-patch
Size: 2344 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20131113/8f272747/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-akrivoka-0080-03-Add-userClass-attribute-for-users.patch
Type: text/x-patch
Size: 13437 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20131113/8f272747/attachment-0001.bin>
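
The thread settles on an auxiliary ipaUser objectclass (MUST uid, MAY userClass) that is added to an entry only when needed, and on allowing userClass to be written before that class is set. The sketch below is an added example, not code from patches 0080/0081 (which are not shown in this archive). It builds the modify list for that case; the function names and the dict-shaped entry are assumptions made for illustration.

```python
# Added illustration; not FreeIPA code. Operation codes follow RFC 4511.
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2

AUX_CLASS = "ipaUser"      # auxiliary objectclass proposed in the thread
AUX_MUST = ("uid",)        # MUST attributes from the proposed definition


def _get(entry, attr):
    """Case-insensitive attribute lookup; LDAP attribute names ignore case."""
    for name, values in entry.items():
        if name.lower() == attr.lower():
            return list(values)
    return []


def userclass_mods(entry, new_values):
    """Return the (op, attr, values) list that sets userClass on entry.

    entry is a dict of attribute name -> list of string values (constructed
    input, standing in for a search result).
    """
    new_values = list(new_values)
    current = _get(entry, "userClass")
    if sorted(new_values) == sorted(current):
        return []                       # nothing to change
    if not new_values:
        # Clearing the attribute needs no objectclass; leave ipaUser alone.
        return [(MOD_DELETE, "userClass", None)]

    mods = []
    classes = {oc.lower() for oc in _get(entry, "objectClass")}
    if AUX_CLASS.lower() not in classes:
        missing = [a for a in AUX_MUST if not _get(entry, a)]
        if missing:
            raise ValueError("entry lacks MUST attribute(s): " + ", ".join(missing))
        # Same modify request as the attribute: the server validates the
        # entry against the schema after all changes are applied.
        mods.append((MOD_ADD, "objectClass", [AUX_CLASS]))
    mods.append((MOD_REPLACE, "userClass", new_values))
    return mods
```

The objectclass comparison is case-insensitive so that an entry already carrying "ipauser" does not get a duplicate value added.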

