<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
On 03/28/2011 03:20 PM, Dmitri Pal wrote:
<blockquote cite="mid:4D91099F.8070400@redhat.com" type="cite">
On 03/28/2011 04:38 PM, Pavel Zůna wrote:
<blockquote cite="mid:4D90F1C7.1090909@redhat.com" type="cite">This
patch handles the issue in a kind of stupid way, but I couldn't
think of anything better. <br>
<br>
It adds a new flag parameter to user-add (--noprivate). With
this flag, the command marks the private group about to be
created for deletion, and the group is deleted after the user is
created. The only exception is when there is a group that is named
the same way as the user but isn't a private group - then the group
is left there. <br>
<br>
Private groups are created automatically by the managed entry DS
plugin and I didn't find a way to disable its creation for a
specific user. <br>
</blockquote>
<br>
The idea that comes to mind is to define some magical attribute
that the DS plugin would recognize and skip the creation of the
managed entry as well as strip the entry of this magic
attribute/value.<br>
I remember that other plugins might take advantage of a similar
approach.<br>
<br>
Is something like this possible?<br>
</blockquote>
You are probably thinking of the DNA plug-in and its use of a magic
value used to tell the plug-in to allocate a value from a range. I
would not like to use this approach here, as it requires additional
coding and complexity that I don't think is needed.<br>
<br>
I would prefer that we use the originFilter to deal with this. We
could have an auxiliary objectclass that IPA usually adds when
creating an IPA user. The originFilter can key off of this
objectclass to create managed groups. When a user is added with the
--noprivate option, this objectclass is not included in the user
entry that is added. Rob and I discussed this approach on IRC
earlier today.<br>
<blockquote cite="mid:4D91099F.8070400@redhat.com" type="cite"> <br>
<br>
<blockquote cite="mid:4D90F1C7.1090909@redhat.com" type="cite"> <br>
Ticket #1131 <br>
<br>
Pavel <br>
<fieldset">
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
</pre>
</blockquote>
<br>
</body>
</html>