[Freeipa-devel] User life Cycle: referential integrity
Simo Sorce
simo at redhat.com
Wed Jun 4 16:02:44 UTC 2014
On Wed, 2014-06-04 at 17:46 +0200, thierry bordaz wrote:
> Hello,
>
> I am looking at the appropriate way to configure DS
> referential integrity and I am hitting some issues about its
> scoping and which attributes need to be preserved.
>
>
> User A and B are both Active. User A refers user B for
> example 'owner: <DN user B in Active container>'.
> If entry A is deleted (user-del), it keeps 'owner: <DN user B
> in Active container>'. Do we really want to preserve such
> attributes (owner, member, seeAlso...) in case the user is
> coming back (user-undel) ?
No, when a user is deleted all references to it in the rest of the tree
should be removed. The entries "it" references can stay I guess, the
user is deleted so no harm should come from it having dangling DNs in
its attributes.
> If it makes sense we may achieve this if we extend RI to both
> 'Active' and 'Delete' container.
Nope, makes no sense.
> If we prefer to remove such attributes, then 'user-del' is a
> MODRDN followed by some MODs or an ADD-DEL where the Delete
> entry is rebuilt from the 'Active' entry.
Delete must be a modrdn, we cannot delete the entry and re-add it.
> This is a similar problem when using 'stageuser-add <id>
> --from-delete', the references may become invalid (unless RI
> also covers Staging).
There should be no references in either staged or delete users, or they
should be adjusted when the user is unstaged/undeleted.
> An option would be to accept to have invalid references in
> 'staging' and 'delete', but when the entry is
> stageuser-activate/user-undel the references are checked and
> removed if invalid. Here invalid means, the referred entry
> does not exist or is not 'Active'.
Yup, this sounds right, when you "activate" the user references need to
be checked and adjusted accordingly.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
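As an added illustration (not code from this thread or from FreeIPA/389-DS) of the two rules the reply settles on: user-del is a MODRDN into the Delete container, referential integrity removes references to that user only in the live tree, and user-undel/stageuser-activate checks the references the entry holds and drops any that point at a non-existent or non-Active entry. The container DNs, the attribute list and the in-memory dict standing in for the directory are assumptions.

```python
# Constructed model of the reference-cleanup rules from the thread.
# Container DNs and the in-memory "directory" dict are assumptions.
ACTIVE = "cn=users,cn=accounts,dc=example,dc=com"
DELETED = "cn=deleted users,cn=accounts,dc=example,dc=com"
STAGING = "cn=staged users,cn=accounts,dc=example,dc=com"
REF_ATTRS = ("owner", "member", "seeAlso")  # DN-valued attrs named in the thread


def norm(dn):
    """Comparison form of a DN: lower-cased, whitespace around RDNs stripped."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_container(dn, container):
    return norm(dn).endswith("," + norm(container))


def is_valid_ref(dn, directory):
    """Invalid means: the referred entry does not exist or is not Active."""
    return norm(dn) in directory and in_container(dn, ACTIVE)


def prune_references(entry, directory):
    """Reference check run on user-undel / stageuser-activate.
    Removes dangling or non-Active values; returns the (attr, value) pairs dropped."""
    removed = []
    for attr in REF_ATTRS:
        values = entry.get(attr, [])
        kept = [dn for dn in values if is_valid_ref(dn, directory)]
        removed += [(attr, dn) for dn in values if dn not in kept]
        if kept:
            entry[attr] = kept
        elif attr in entry:
            del entry[attr]
    return removed


def delete_user(dn, directory):
    """user-del: MODRDN into Delete, then RI strips references *to* the user in
    the live tree only. The moved entry keeps its own (now dangling) values."""
    entry = directory.pop(norm(dn))
    new_dn = norm(dn.split(",", 1)[0] + "," + DELETED)
    directory[new_dn] = entry
    for other_dn, other in directory.items():
        if in_container(other_dn, DELETED) or in_container(other_dn, STAGING):
            continue  # RI is not extended to the Delete/Staging containers
        for attr in REF_ATTRS:
            if attr in other:
                other[attr] = [v for v in other[attr] if norm(v) != norm(dn)]
                if not other[attr]:
                    del other[attr]
    return new_dn


def undelete_user(dn, directory):
    """user-undel: MODRDN back into Active, then check the references it holds."""
    entry = directory.pop(norm(dn))
    new_dn = norm(dn.split(",", 1)[0] + "," + ACTIVE)
    directory[new_dn] = entry
    return new_dn, prune_references(entry, directory)
```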