[Freeipa-devel] User life Cycle: referential integrity
thierry bordaz
tbordaz at redhat.com
Wed Jun 4 16:46:39 UTC 2014
On 06/04/2014 06:02 PM, Simo Sorce wrote:
> On Wed, 2014-06-04 at 17:46 +0200, thierry bordaz wrote:
>> Hello,
>>
>> I am looking at the appropriate way to configure DS
>> referential integrity and I am hitting some issues about its
>> scoping and which attributes need to be preserved.
>>
>>
>> User A and B are both Active. User A refers user B for
>> example 'owner: <DN user B in Active container>'.
>> If entry A is deleted (user-del), it keeps 'owner: <DN user B
>> in Active container>'. Do we really want to preserve such
>> attributes (owner, member, seeAlso...) in case the user is
>> coming back (user-undel) ?
> No, when a user is deleted all references to it in the rest of the tree
> should be removed. The entries "it" references can stay I guess, the
> user is deleted so no harm should come from it having dangling DNs in
> its attributes.
Actually it was my concern. If users A then B are moved Active->Delete
(user-del), then the reference to B in the 'Active' container is not
removed by RI. If for any reason user A returns to Active (user-undel),
it contains dangling DNs unless they are checked/removed.
>> If it makes sense we may achieve this if we extend RI to both
>> the 'Active' and 'Delete' containers.
> Nope, makes no sense.
>
>> If we prefer to remove such attributes, then 'user-del' is a
>> MODRDN followed by some MODs or an ADD-DEL where the Delete
>> entry is rebuilt from the 'Active' entry.
> Delete must be a modrdn, we cannot delete the entry and re-add it.
ok great :)
>> This is a similar problem when using 'stageuser-add <id>
>> --from-delete', the references may become invalid (unless RI
>> also covers Staging).
> There should be no references in either staged or delete users, or they
> should be adjusted when the user is unstaged/undeleted.
>
>> An option would be to accept to have invalid references in
>> 'staging' and 'delete', but when the entry is
>> stageuser-activate/user-undel the references are checked and
>> removed if invalid. Here invalid means the referred entry
>> does not exist or is not 'Active'.
> Yup, this sounds right, when you "activate" the user references need to
> be checked and adjusted accordingly.
Which attributes need to be checked/adjusted? Those configured in RI?
Attributes with DN syntax?
thierry
>
> Simo.
>
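The two-step behaviour discussed in this thread (RI scoped to the Active subtree removes references *to* a deleted user, while a deleted entry keeps its own DN-valued attributes, so an undeleted user must have its references re-checked) can be modelled in a few lines. The following is an added toy model written for this page; it is not FreeIPA or 389 DS code. The container DNs, the group entry, the user names and the list of DN-syntax attributes (`member`, `owner`, `seeAlso`, `manager`) are constructed assumptions, and `user_del`/`user_undel` stand in for the IPA commands of the same name.

```python
"""Toy model of user-del / user-undel reference handling (constructed example)."""

# Assumed container layout; the real FreeIPA DNs may differ.
RI_SCOPE = "cn=accounts,dc=example,dc=test"          # subtree the RI plugin watches
ACTIVE = f"cn=users,{RI_SCOPE}"                       # 'Active' user container
DELETED = "cn=deleted users,cn=accounts,cn=provisioning,dc=example,dc=test"
GROUP = f"cn=editors,cn=groups,{RI_SCOPE}"
DN_ATTRS = ("member", "owner", "seeAlso", "manager")  # assumed RI / DN-syntax attributes


def norm(dn):
    """Case- and whitespace-insensitive DN key for comparisons."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_container(dn, base):
    return norm(dn).endswith("," + norm(base))


def find(directory, dn):
    """Return the stored key for dn, or None when no such entry exists."""
    for key in directory:
        if norm(key) == norm(dn):
            return key
    return None


def modrdn(directory, dn, new_superior):
    """MODRDN with newsuperior: move the entry, keep every attribute as-is."""
    key = find(directory, dn)
    if key is None:
        raise KeyError(dn)
    entry = directory.pop(key)
    new_dn = f"{key.split(',', 1)[0]},{new_superior}"
    directory[new_dn] = entry
    return new_dn


def strip_references_to(directory, target_dn, scope):
    """RI-style cleanup: drop DN_ATTRS values pointing at target_dn under scope only."""
    removed = []
    for dn, attrs in list(directory.items()):
        if not in_container(dn, scope):
            continue  # entries in Delete/Staging are deliberately left alone
        for attr in DN_ATTRS:
            if attr not in attrs:
                continue
            keep = [v for v in attrs[attr] if norm(v) != norm(target_dn)]
            if len(keep) != len(attrs[attr]):
                removed.append((dn, attr, target_dn))
                if keep:
                    attrs[attr] = keep
                else:
                    del attrs[attr]
    return removed


def prune_dangling(directory, dn):
    """Activation-time check: a reference is invalid if the target is missing or not Active."""
    attrs = directory[dn]
    dropped = []
    for attr in DN_ATTRS:
        if attr not in attrs:
            continue
        keep = []
        for value in attrs[attr]:
            target = find(directory, value)
            if target is None or not in_container(target, ACTIVE):
                dropped.append((attr, value))
            else:
                keep.append(value)
        if keep:
            attrs[attr] = keep
        else:
            del attrs[attr]
    return dropped


def user_del(directory, dn):
    """Delete = remove references to the user inside RI scope, then MODRDN into Delete."""
    removed = strip_references_to(directory, dn, RI_SCOPE)
    return modrdn(directory, dn, DELETED), removed


def user_undel(directory, dn):
    """Undelete = MODRDN back to Active, then prune references that went stale meanwhile."""
    new_dn = modrdn(directory, dn, ACTIVE)
    return new_dn, prune_dangling(directory, new_dn)


def sample_directory():
    """Constructed data: A refers to B (owner), to C (manager) and to an already deleted D."""
    alice, bob, carol = (f"uid={u},{ACTIVE}" for u in ("alice", "bob", "carol"))
    dave = f"uid=dave,{DELETED}"
    return {
        alice: {"owner": [bob], "manager": [carol], "seeAlso": [dave]},
        bob: {}, carol: {}, dave: {},
        GROUP: {"member": [alice, bob]},
    }


def scenario():
    """Delete A, then B, then undelete A, as in the thread's example."""
    d = sample_directory()
    del_a, removed_a = user_del(d, f"uid=alice,{ACTIVE}")  # group loses member alice
    _, removed_b = user_del(d, f"uid=bob,{ACTIVE}")        # A's owner: B is NOT cleaned (A is outside scope)
    act_a, dropped = user_undel(d, del_a)                  # owner: B and seeAlso: D are now pruned
    return {"dir": d, "removed": removed_a + removed_b, "dropped": dropped, "alice": act_a}


if __name__ == "__main__":
    result = scenario()
    print("references removed by RI on delete:", result["removed"])
    print("references pruned on undelete:", result["dropped"])
    print("alice after undelete:", result["dir"][result["alice"]])
```

The model shows the asymmetry Thierry raises: while A sits in the Delete container, B's deletion cannot clean A's `owner: B` value because RI only watches `cn=accounts`, so A comes back with a dangling DN unless `user_undel` runs the `prune_dangling` step. It also answers the scoping question by construction: the set of attributes checked on activation is the same list the RI plugin is configured with, since any other attribute would never have been cleaned in Active either.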