[Freeipa-devel] Stageuser API

Florence Blanc-Renaud flo at redhat.com
Tue Jan 17 11:08:02 UTC 2017


On 01/16/2017 03:52 PM, David Kupka wrote:
> Hello everyone!
>
> I've noticed that our API for stageuser is missing some commands that
> user has (stageuser-{add,remove}-{principal,cert}). I was wondering if
> there is reason for it but after asking some fellow developers it seems
> that there's none.
>
> I understand the stageuser area as a place where user entry can be
> created and amended during the hiring process in organization, example:
>
> 1. HR creates the entry with just basic information (givenname,
> surname, manager)
> 2. IT assigns basic account information (uid, gid)
> 3. based on to-be-employee manager's request IT adds additional group
> membership (memberOf)
> 4. based on to-be-employee request IT adds login alias (krbPrincipalName)
> 5. Security Officer adds certificate from Smart Card assigned to the
> to-be-employee
> 6. HR adds extra information to the account (address, marital status, ...)
> 7. Facilities update work place related information (seat number, phone
> number, ...)
> 8. On the first day IT activates the user account.
>
> Considering this workflow I think it might be useful to have the same
> API for stageuser as for the user.
>
> Does the example workflow make sense?
> Should we provide the same set of commands for user and stageuser?
>
> Thanks for your ideas and opinions!
Hi David,

I would be in favor of providing the same API for stageuser and user.

It is already possible to add a certificate or a principal alias to a
stageuser with ipa stageuser-mod --cert or ipa stageuser-mod --principal,
meaning that those operations are not forbidden.

I also checked that a stageuser
- is not able to perform kinit with any of his principal aliases
- is not able to authenticate to the LDAP server with a DN/pwd
- is not able to authenticate to the LDAP server using his SSL cert
- is not able to login with user/pwd on a client console
so I do not see any security concern with your proposal.

Flo.
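The four checks Flo lists above, turned into a small verification script (an added example, not part of the thread and not FreeIPA's own tooling). It assumes the staged entries live under cn=staged users,cn=accounts,cn=provisioning,<suffix>, that kinit(1) and ldapwhoami(1) are installed on the client, and leaves out the interactive console-login check.

```shell
#!/bin/sh
# Verify that a staged FreeIPA user is refused on every authentication path
# listed in the thread. Every check must be REFUSED for the script to pass.
# Assumptions (not from the thread): the staged-user container DN below, and
# that kinit(1) and ldapwhoami(1) are installed on the client. The interactive
# console-login check is left out.

# deny DESCRIPTION COMMAND...: succeed only if COMMAND fails.
deny() {
    desc=$1; shift
    if "$@" >/dev/null 2>&1; then
        echo "FAIL: $desc succeeded but should have been refused"
        return 1
    fi
    echo "ok:   $desc refused"
}

# check_stageuser UID PASSWORD REALM SUFFIX SERVER [CERT.pem KEY.pem]
# Returns 0 only if every path is refused; 2 if a needed tool is missing
# (a missing tool would otherwise look like a refusal).
check_stageuser() {
    uid=$1 pw=$2 realm=$3 suffix=$4 server=$5 cert=$6 key=$7
    for tool in kinit ldapwhoami; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing: $tool"; return 2; }
    done
    # Assumed location of staged entries (cn=provisioning subtree).
    dn="uid=$uid,cn=staged users,cn=accounts,cn=provisioning,$suffix"
    rc=0
    # 1. Kerberos password authentication; repeat for each principal alias.
    printf '%s\n' "$pw" | deny "kinit $uid@$realm" kinit "$uid@$realm" || rc=1
    # 2. LDAP simple bind with the staged entry's DN and password.
    deny "LDAP simple bind as $dn" \
        ldapwhoami -x -ZZ -H "ldap://$server" -D "$dn" -w "$pw" || rc=1
    # 3. LDAP SASL EXTERNAL bind with the user's client certificate.
    if [ -n "$cert" ]; then
        deny "LDAP certificate bind for $uid" \
            env LDAPTLS_CERT="$cert" LDAPTLS_KEY="$key" \
            ldapwhoami -ZZ -Y EXTERNAL -H "ldap://$server" || rc=1
    fi
    return $rc
}
```

Run it as `check_stageuser jdoe 'Secret123' EXAMPLE.COM dc=example,dc=com ipa.example.com jdoe.pem jdoe.key`; a non-zero exit means one of the paths accepted the staged account and needs a closer look.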
