[Freeipa-devel] User life-cycle: nsAccountLock
Martin Kosek
mkosek at redhat.com
Wed Jun 18 10:47:38 UTC 2014
On 06/17/2014 05:59 PM, thierry bordaz wrote:
> On 06/16/2014 03:04 PM, Rob Crittenden wrote:
...
> Thanks for your precise feedback and sorry for my late answer.
> So if I try to consolidate my understandings, the workflow would be:
>
> 1. Staging (container: cn=staged
> users,cn=accounts,cn=provisioning,SUFFIX)
> * ipa stageuser-add <login>
> It creates a stage entry with
>
> uidNumber: -1
> gidNumber: -1
> ipaUniqueID: autogenerate
> description: __no_upg__
> manager: checks that the DN is an active user
> nsAccountLock: True
I was thinking about the nsAccountLock part again. Should we really force
provisioning systems to set it to True for staged users? Should we even
manipulate it in stageduser plugin?
The original reason why I proposed it in
http://www.freeipa.org/page/V4/User_Life-Cycle_Management
is to prevent LDAP BINDs on such user or Kerberos authentication on such user.
Wouldn't it be better to simply just update KDC backend plugin and LDAP BIND
pre-bind callback to prevent authentication to users in cn=provisioning,SUFFIX?
This would allow us to be sure that nobody can bind/authenticate to these users
without having to manipulate nsAccountLock attribute.
The only downside is that this would not be effective in older FreeIPA
versions, but AFAIR, we specified that if User Life Cycle is enabled, all
server should have at least 4.1 - otherwise for example deleted users would be
put to the special container or old servers would not have the appropriate DS
plugins updates.
Martin
More information about the Freeipa-devel
mailing list