[Freeipa-devel] User Life Cycle: enforce ipaUniqueID generation by the server

thierry bordaz tbordaz at redhat.com
Tue Jun 17 18:32:10 UTC 2014 

On 06/17/2014 07:35 PM, Rob Crittenden wrote:
> thierry bordaz wrote:
>> On 06/16/2014 03:04 PM, Rob Crittenden wrote:
>>> thierry bordaz wrote:
>>>> Hello,
>>>>
>>>>      When a stage user is activate (ipa stageuse-activate), UUID plugin
>>>>      (DS) checks that the ipaUniqueID value of the  new active user is
>>>>      'autogenerate'.
>>>>      This is useful to prevent a provisioning systems to create Active
>>>>      user with invalid ipaUniqueID.
>>>>      Now one of the workflow step is to move a Delete user into the Stage
>>>>      container. In that case the Stage entry contains a ipaUniqueID and
>>>>      can not activate.
>>>>
>>>>      A possibility is to 'reset'  the ipaUniqueID value to 'autogenerate'
>>>>      during that step but I wonder it it is valid to reset it.
>>>>      Also, is it valid to reset it and keep others values like
>>>>      uidNumber/gidNumber ?
>>> I guess to walk through the logic, the unique id is there so we can
>>> uniquely address an entry without worrying about the value changing
>>> (like uid, name, etc). So if it is a brand new entry from the
>>> provisioning system, yeah, we want to always set it to autogenerate.
>>>
>>> If a user is deleted I think we agreed that all links to that user would
>>> be broken (memberships, hbac rules, etc) which means that it doesn't
>>> matter if the unique id is changed I suppose.
>>>
>>> IMHO uidnumber/gidnumber should always be maintained.
>>>
>>> rob
>> Hello Rob,
>>
>>      Thanks for your precise feedback and sorry for my late answer.
>>      So if I try to consolidate my understandings, the workflow would be:
>>
>>       1. Staging (container: cn=staged
>>          users,cn=accounts,cn=provisioning,SUFFIX)
>>            * ipa stageuser-add <login>
>>              It creates a stage entry with
>>
>>                  uidNumber: -1
>>                  gidNumber: -1
>>                  ipaUniqueID: autogenerate
>>                  description: __no_upg__
>>                  manager: checks that the DN is an active user
>>                  nsAccountLock: True
>>
>>            * ipa stageuser-add <login> --from-delete
>>
>>              It moves a deleted entry to staging container where
>>
>>                  uidNumber: <unchanged, so it is preserved from the
>>                  prevous active account>
>>                  gidNumber: <unchanged, so it is preserved from the
>>                  prevous active account>
>>                  ipaUniqueID: autogenerate (reset to autogenerate)
>>                  description: __no_upg__ (to show there is no managed group)
>>                  nsAccountLock: True
>>
>>            * ipa stageuser-activate <login>
>>              It adds in the active container, a destination copy of a
>>              stage entry where
>>
>>                  uidNumber: <unchanged, so a provisioning system can
>>                  force a uidNumber>
>>                  gidNumber: <unchanged, so a provisioning system can
>>                  force a gidNumber>
>>                  ipaUniqueID: autogenerate (reset to autogenerate)
>>                  description: value __no_upg__ is removed
>>                  nsAccountLock: False
>>                  DN syntax attributes are cleared (but kept for schema
>>                  checking) except: manager, managedby and secretary
>>                  (those values must be active DN entries)
>>
>>              Then remove the source entry from the 'Staging' container.
>>            * ipa stageuser-find <login>
>>            * ipa stageuser-show <login>
>>            * ipa stageuser-mod <login>
>>
>>                  nsAccountLock: can not be modify
>>                  DN syntax attributes: checks that the DN is an active user
> So your plugin is going to manage restriction access to nsAccountLock or
> is this going to be via an ACI?

Hi,
my first intention was to do this in the plugin.
It does not protect from a ldapmodify. ACI would be a better protection 
but it has overhead.

>
>>            * ipa stageuser-del <login>
>>       1. Active (container: cn=users,cn=accounts,SUFFIX)
>>          A new entry (user-add or stageuser-activate) is updated by DS
>>          plugins (UUID, memberof, managed entries and DNA plugins)
>>
>>            * ipa user-add <login>
>>
>>                  nsAccountLock:False
>>
>>            * ipa user-find <login>
>>            * ipa user-show <login>
>>            * ipa user-mod <login>
>>
>>                  nsAccountLock: can not be modify
>>                  DN syntax attributes: checks that DN is an active user
> Why can't nsAccountLock be modified, or was this a cut-n-paste error?
Well, I was thinking to have 'nsAccountLock: False' only in Active 
container. And the value is set at the transition when the entry becomes 
active (stageuser-activate and user-undelete)
>
>>            * ipa user-delete <login>
>>              moves (modrdn) the entry under 'Delete' container but first
>>              do the following upates
>>
>>                  nsAccountLock: true
>>                  all memberships attributes updated by plugins (managed
>>                  entries/memberof)
> Just to be clear, your plugin is going to remove all of these?
Here I mention membership managed by the scoping of managed entries 
plugin and memberof plugin.
So the 'user plugin' will not wipe the memberships attributes.
Now if it remains membership attributes  'user plugin' will remove them 
when all DN syntax attributes will be cleared (except 
manager/managedby/secretary).
>
>>                  description: __no_upg__
>>                  DN syntax attributes are cleared (but kept for schema
>>                  checking) except: manager, managedby and secretary)
>>
>>
>>            * ipa user-undelete <login>
>>
>>              moves (modrdn) the entry under 'Active' containers. DS
>>              plugins will update the membership attributes. Before the
>>              modrdn, the updates are done:
>>
>>                  nsAccountLock: False
>>                  description: value __no_upg__ is removed
>>                  DN syntax attributes are cleared (but kept for schema
>>                  checking) except: manager, managedby and secretary
>>                  (those values must be active DN entries)
>>
>>       1. Delete (container is cn=deleted users,cn=accounts,SUFFIX)
>>          This container has no specific plugin, only user and stageuser
>>          are implemented.
>>
>>
>>
>>      I would have an additional question. 'stageuser-add' is used both to
>>      create a stage entry or to recover a Delete entry into Staging
>>      container.
>>      In case of recover 'stageuser-add <login> --from-delete', the
>>      options '--first' and '--last' are  optional because the entry
>>      already exists.
>>      But these options are mandatory to create a new stage entry.
>>      Currently I made them optional (in take_param), and in case of
>>      creation of a stage entry, it displays an error message requesting
>>      these options.
>>      In short, if a flag is (--from-delete) I need options to be optional
>>      else to be mandatory.
>>      Does anyone know if it exists examples how to handle such situation ?
> There is a module-level set of options in takes_params and a
> command-specific set in takes_options. I think you'll need to add these
> into takes_options on a per-command basis. If there is a set of
> identical options used in several places you can define them at the top
> level and add them in. See _trust_type_option in trust.py for an example.

Great !! thanks a lot I will have a look

thanks
thierry
>
> rob
>

More information about the Freeipa-devel mailing list