[Freeipa-devel] [PATCH] 0005 User life cycle: del/mod/find/show stageuser commands

thierry bordaz tbordaz at redhat.com
Tue Apr 28 08:28:39 UTC 2015


On 04/28/2015 10:23 AM, David Kupka wrote:
> On 04/16/2015 01:00 PM, thierry bordaz wrote:
>> Hello,
>>
>>     Here is the next patch for User life cycle that introduces
>>     del/mod/find and show stageuser plugin commands.
>>
>>   * 0000-User Life Cycle (create containers and scoping  DS plugins):
>>     *pushed*
>>   * 0001-User-Life-Cycle-Exclude-subtree-for-ipaUniqueID-gene.patch:
>>     *pushed*
>>   * 0002-User-life-cycle-stageuser-add-verb.patch: *pushed*
>>   * 0007-User-life-cycle-allows-MODRDN-from-ldap2.patch: *pushed*
>>   * 0003-User-life-cycle-new-stageuser-commands-del-mod-find-: *under
>>     review (this one)*
>>   * 0004-User-life-cycle-new-stageuser-commands-activate.patch
>>   * 0005-User-life-cycle-new-stageuser-commands-activate-prov.patch
>>   * 0006-User-life-cycle-user-del-supports-permanently-preser.patch
>>   * 0008-User-life-cycle-user-find-support-finding-delete-use.patch
>>   * 0009-User-life-cycle-support-of-user-undel.patch
>>   * 0010-User-life-cycle-DNA-DS-plugin-should-exclude-provisi.patch
>>   * 0011-User-life-cycle-lockout-provisioning-stage-and-delet.patch
>>   * 0012-User-life-cycle-Create-stage-Admin-provisioning-acco.patch
>>   * 0013-User-life-cycle-Stage-Admin-permission-priviledge.patch
>>
>> Thanks
>> thierry
>>
>>
>>
>>
> Hi Thierry,
> thanks for the patch, the code looks good to me but there is probably
> a bug in ACIs.
> After creating a stage user and setting a password for him I can kinit
> as the stage user. I'm unable to log in to the IPA client and the id
> command for this stage user responds "no such user" but I can kinit
> and invoke ipa commands.
>
> Steps:
> 0. build freeipa with your patch
> 1. # ipa-server-install
> 2. $ kinit admin
> 3. $ ipa stageuser-add suser0 --first Stage --last User --password
> 4. $ kdestroy
> 5. $ kinit suser0
> 6. $ ipa user-find
>
> Actual:
> Prints out list of ipa users.
>
> Expected:
> kinit fails with "suser0 at ... not found in Kerberos database"
>
Hi David,

Thank you so much for having looked at this patch :-)
You are right. The Staging users (as well as the Delete users) are not
locked out in that patch.
The patch
0011-User-life-cycle-lockout-provisioning-stage-and-delet.patch will
take care of this.

Do you prefer that I merge the two patches right now?

thanks
thierry