[Freeipa-devel] User life cycle: authentication and preserved attributes
thierry bordaz
tbordaz at redhat.com
Thu Jun 19 13:32:33 UTC 2014
Hello,
Thanks for all you feedbacks and help about which attributes to
preserved and how to limit authentication (simple and krb) to Active
accounts, here are my understandings:
1. Staging (container: cn=staged
users,cn=accounts,cn=provisioning,SUFFIX)
plugins scoping Staging:
* ipa_pwd_extop (kerberos keys generated)
In order to prevent simple bind, there is pre-bind plugin or cos
(nsAccoutLock: True).
* provisioning constraints - no constraint when creating an entry
but to be activated the entries in that container must have:
o 'uid' RDN
o have OC: posixaccount, ipaObject (MUST: cn, uid,
uidNumber, gidNumber, homedirectory, ipaUniqueID)
* ipa stageuser-add <login>
It creates a stage entry with
uidNumber: -1
gidNumber: -1
ipaUniqueID: autogenerate
description: __no_upg__
manager: checks that the DN is an active user
userPassword/krb keys: if userPassword is set, krb keys
are generated
* ipa stageuser-add <login> --from-delete
It possibly updates (MOD-delete) the deleted entry to delete
the attributes:
o userPassword
o krb keys
Then it moves (modrdn) the deleted entry to staging
container where
uidNumber: <unchanged, so it is preserved from the
prevous active account>
gidNumber: <unchanged, so it is preserved from the
prevous active account>
ipaUniqueID: <unchanged, so it is preserved from the
prevous active account>
description: __no_upg__ (to show there is not managed group)
(Deleted entries have no userPassword nor krb keys)
* ipa stageuser-activate <login>
To be activated an entry must have:
o 'uid' RDN
o have OC: posixaccount, ipaObject (MUST: cn, uid,
uidNumber, gidNumber, homedirectory, ipaUniqueID)
It adds in the active container, a destination copy of a
stage entry where
uidNumber: <unchanged> (if it was '-1' DNA generates it)
gidNumber: <unchanged> (if it was '-1' DNA generates it)
ipaUniqueID: <unchanged> (if it was 'autogenerate' ipa
uuid generates it)
description: value __no_upg__ is removed
DN syntax attributes are cleared (but kept for schema
checking) except: manager, managedby and secretary
(those values must be active DN entries)
userPassword/krb keys: copied from source entry if they
exists
Then removes the source entry from the 'Staging' container.
* ipa stageuser-find <login>
* ipa stageuser-show <login>
* ipa stageuser-mod <login>
DN syntax attributes: checks that the DN is an active user
* ipa stageuser-del <login>
1. Active (container: cn=users,cn=accounts,SUFFIX)
plugins scoping Staging:
* ipa_pwd_extop (kerberos keys generated)
* attribute uniqueness (ipaUniqueID, uid, krbprincipalname,
krbcanonicalName)
* referential integrity
* memberof
* managed entries
* ipa uuid
In order to allow simple bind, there is pre-bind plugin or cos
(nsAccoutLock: False).
A new entry (user-add or stageuser-activate) is updated by DS
plugins (UUID, memberof, managed entries, and DNA plugins)
* ipa user-add <login>
* ipa user-mod <login>
DN syntax attributes: checks that the DN is an active user
* ipa user-show <login>
* ipa user-find <login>
* ipa user-delete <login>
The entry is moved (modrdn) to Delete container:
o all memberships attributes updated by plugins (managed
entries/memberof)
o group members updated by referential integrity
then updated (mod)
o all DN syntax attributes are wiped except: manager,
managedby, secretary
o description: add __no_upg__ value
o userPassword is deleted
o kerberos keys are deleted
* ipa user-undelete <login>
The entry is possibly updated (MOD-delete) to delete attributes
o userPassword (no simple bind on undeleted entry,
requires to create a password)
o kerberos keys (no kerberos bind on undeleted entry,
requires to recreate user password)
Then is moved (modrdn) to Active container
1. Delete (container is cn=deleted users,cn=accounts,SUFFIX)
plugins scoping Delete:
* ipa_pwd_extop (not required as Delete account should not
have userPassword nor krb keys)
* attribute uniqueness (ipaUniqueID, uid,
krbprincipalname, krbcanonicalName)
In order to prevent simple bind (in addition to userPassword
being cleared), there is pre-bind plugin or cos (nsAccoutLock:
True).
Thanks
thierry
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140619/2416ed19/attachment.htm>
More information about the Freeipa-devel
mailing list