[Freeipa-devel] User Life Cycle: enforce ipaUniqueID generation by the server

thierry bordaz tbordaz at redhat.com
Tue Jun 17 19:36:59 UTC 2014


On 06/17/2014 09:29 PM, Simo Sorce wrote:
> On Tue, 2014-06-17 at 15:23 -0400, Rob Crittenden wrote:
>> Simo Sorce wrote:
>>> On Tue, 2014-06-17 at 17:59 +0200, thierry bordaz wrote:
>>>>            * ipa stageuser-add <login> --from-delete
>>>>
>>>>              It moves a deleted entry to staging container where
>>>>
>>>>                  uidNumber: <unchanged, so it is preserved from the
>>>>                  previous active account>
>>>>                  gidNumber: <unchanged, so it is preserved from the
>>>>                  previous active account>
>>>>                  ipaUniqueID: autogenerate (reset to autogenerate)
>>> Why are you resetting the unique id ?
>> Read back a few in the thread. I suggested, perhaps incorrectly, that
>> given that there should be no more references to the user once they go
>> into deleted or staged, it may be ok to reset this value.
> Well, let me reiterate, the deleted bucket is for those environments
> where they have a mandate (regulation, law, policy, etc..) to never
> delete users and reinstate users if they are deleted.
> So all uniquely identifying information should be preserved in case the
> object is revived. This means we need to do our best to preserve all
> these attributes if we can.
This is what is done when an Active user is deleted:
uidNumber/gidNumber/ipaUniqueID are preserved.
When activating a user, the UUID plugin currently prevents setting a value.
Should it be relaxed? I feel not. It is sensitive info and the
provisioning system should not define it.
When undeleting a user (move Delete->Staging), ipaUniqueID could be
preserved, but as the purpose of a Staging entry is to become active I
thought it would be better to wipe the value at this time as well.

thierry
>
> Simo.
>
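The life-cycle rules discussed in this thread, written out as a small hypothetical model (added here; this is not FreeIPA code and the function names, the `container` field and the `autogenerate` sentinel are assumptions). It shows the three transitions under discussion: delete preserves uidNumber, gidNumber and ipaUniqueID; undelete into staging keeps the POSIX ids but resets ipaUniqueID to autogenerate; activation assigns ipaUniqueID on the server side and rejects an entry whose ipaUniqueID was pre-set by a provisioning system, which is the behaviour the UUID plugin enforces today.

```python
import uuid

AUTOGENERATE = "autogenerate"  # sentinel: "the server will assign this value" (assumed, not an IPA value)
CONTAINERS = ("active", "staging", "deleted")


class LifecycleError(ValueError):
    """Raised when a transition is attempted from the wrong container or with disallowed data."""


def _require_container(entry, expected):
    if entry.get("container") != expected:
        raise LifecycleError(f"entry {entry.get('uid')!r} is in {entry.get('container')!r}, expected {expected!r}")


def delete_user(entry):
    """Active -> Deleted: every identifying attribute is preserved so the object can be revived."""
    _require_container(entry, "active")
    moved = dict(entry)
    moved["container"] = "deleted"
    return moved


def stage_from_delete(entry):
    """Deleted -> Staging (stageuser-add --from-delete): keep uidNumber/gidNumber, wipe ipaUniqueID."""
    _require_container(entry, "deleted")
    moved = dict(entry)
    moved["container"] = "staging"
    moved["ipaUniqueID"] = AUTOGENERATE  # the server will generate a fresh one on activation
    return moved


def activate_user(entry, generate_id=lambda: str(uuid.uuid4())):
    """Staging -> Active: only the server may set ipaUniqueID; a client-supplied value is rejected."""
    _require_container(entry, "staging")
    supplied = entry.get("ipaUniqueID", AUTOGENERATE)
    if supplied != AUTOGENERATE:
        raise LifecycleError("ipaUniqueID must be generated by the server, not supplied by provisioning")
    moved = dict(entry)
    moved["container"] = "active"
    moved["ipaUniqueID"] = generate_id()
    return moved


def undelete_roundtrip(active_entry, generate_id=lambda: str(uuid.uuid4())):
    """Run an active entry through delete -> stage -> activate and return the revived entry."""
    return activate_user(stage_from_delete(delete_user(active_entry)), generate_id)


if __name__ == "__main__":
    # Constructed sample entry, not real directory data.
    alice = {"container": "active", "uid": "alice", "uidNumber": 1001, "gidNumber": 1001,
             "ipaUniqueID": "11111111-1111-1111-1111-111111111111"}
    revived = undelete_roundtrip(alice)
    print("uidNumber/gidNumber preserved:", revived["uidNumber"], revived["gidNumber"])
    print("ipaUniqueID reassigned by server:", revived["ipaUniqueID"] != alice["ipaUniqueID"])
```

The `generate_id` parameter exists only so the server-side generation step can be substituted in tests; in the model, as in the thread, nothing a client hands in for ipaUniqueID survives activation.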