[Freeipa-devel] User Life Cycle: enforce ipaUniqueID generation by the server

Rob Crittenden rcritten at redhat.com
Mon Jun 16 13:04:07 UTC 2014


thierry bordaz wrote:
> Hello,
> 
>     When a stage user is activated (ipa stageuse-activate), the UUID plugin
>     (DS) checks that the ipaUniqueID value of the new active user is
>     'autogenerate'.
>     This is useful to prevent a provisioning system from creating an Active
>     user with an invalid ipaUniqueID.
>     Now one of the workflow steps is to move a Deleted user into the Stage
>     container. In that case the Stage entry contains an ipaUniqueID and
>     cannot activate.
> 
>     A possibility is to 'reset' the ipaUniqueID value to 'autogenerate'
>     during that step, but I wonder if it is valid to reset it.
>     Also, is it valid to reset it and keep other values like
>     uidNumber/gidNumber?

I guess to walk through the logic, the unique id is there so we can
uniquely address an entry without worrying about the value changing
(like uid, name, etc). So if it is a brand new entry from the
provisioning system, yeah, we want to always set it to autogenerate.

If a user is deleted I think we agreed that all links to that user would
be broken (memberships, hbac rules, etc) which means that it doesn't
matter if the unique id is changed I suppose.

IMHO uidnumber/gidnumber should always be maintained.

rob
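The workflow discussed above, as an added model in Python rather than FreeIPA or 389-DS code: the server-side check that a stage entry's ipaUniqueID is the 'autogenerate' sentinel, and the "deleted to stage" step that resets only that attribute while keeping uidNumber/gidNumber. The entry layout, the `activate`/`move_deleted_to_stage` names and the sample user are assumptions made for the example.

```python
import uuid

# Sentinel value the thread says the UUID plugin expects at activation time.
AUTOGENERATE = "autogenerate"


class ActivationError(Exception):
    """Raised when a stage entry cannot be activated."""


def is_activatable(entry):
    """True only if the server, not a provisioning system, will assign the id."""
    return entry.get("ipaUniqueID") == AUTOGENERATE


def move_deleted_to_stage(deleted_entry):
    """Model of the 'deleted -> stage' step from the thread.

    The deleted entry still carries the ipaUniqueID it had while active.
    All links to a deleted user are already broken, so the stale id is
    reset to the sentinel; uidNumber/gidNumber are kept unchanged.
    """
    staged = dict(deleted_entry)
    staged["ipaUniqueID"] = AUTOGENERATE
    return staged


def activate(stage_entry):
    """Model of the check performed when a stage user is activated.

    Refuses any entry whose ipaUniqueID is not the sentinel, so an id
    supplied by a provisioning system (or left over from a deleted user)
    is never promoted; otherwise a fresh id is generated server-side.
    """
    if not is_activatable(stage_entry):
        raise ActivationError(
            "ipaUniqueID must be %r, got %r"
            % (AUTOGENERATE, stage_entry.get("ipaUniqueID")))
    active = dict(stage_entry)
    active["ipaUniqueID"] = str(uuid.uuid4())  # stand-in for the DS UUID plugin
    return active


if __name__ == "__main__":
    # Constructed sample: a user that was active and then deleted.
    deleted = {"uid": "alice", "ipaUniqueID": str(uuid.uuid4()),
               "uidNumber": "1001", "gidNumber": "1001"}
    print("deleted entry activatable as-is:", is_activatable(deleted))
    active = activate(move_deleted_to_stage(deleted))
    print("reactivated", active["uid"], "with new id", active["ipaUniqueID"],
          "uidNumber kept:", active["uidNumber"] == deleted["uidNumber"])
```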