<html> <head> <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1"> </head> <body bgcolor="#FFFFFF" text="#000000"> Hello, <blockquote>In order to provision staged users (account inactivated) with there initial values: <blockquote><tt>/</tt><tt>usr/bin/ipa user-add tb20 --to-stage --first=tb20 --last=tb20</tt><tt> </tt><tt>-----------------</tt><tt> </tt><tt>Added user "tb20"</tt><tt> </tt><tt>-----------------</tt><tt> </tt><tt> User login: tb20</tt><tt> </tt><tt> First name: tb20</tt><tt> </tt><tt> Last name: tb20</tt><tt> </tt><tt> Full name: tb20 tb20</tt><tt> </tt><tt> Display name: tb20 tb20</tt><tt> </tt><tt> Initials: tt</tt><tt> </tt><tt> Home directory: /home/tb20</tt><tt> </tt><tt> GECOS: tb20 tb20</tt><tt> </tt><tt> Login shell: /bin/sh</tt><tt> </tt><tt> Kerberos principal: <a class="moz-txt-link-abbreviated" href="mailto:tb20@IDM.LAB.BOS.REDHAT.COM">tb20@IDM.LAB.BOS.REDHAT.COM</a></tt><tt> </tt><tt> Email address: <a class="moz-txt-link-abbreviated" href="mailto:tb20@idm.lab.bos.redhat.com">tb20@idm.lab.bos.redhat.com</a></tt><tt> </tt><tt> UID: -1</tt><tt> </tt><tt> GID: -1</tt><tt> </tt><tt> Account disabled: true</tt><tt> </tt><tt> Password: False</tt><tt> </tt><tt> Kerberos keys available: False ldapsearch -LLL -h localhost -p 389 -D "cn=directory manager" -w Secret123 -b "dc=idm,dc=lab,dc=bos,dc=redhat,dc=com" uid=tb20 dn: uid=tb20,cn=staged users,cn=accounts,cn=provisioning,dc=idm,dc=lab,dc=bos, dc=redhat,dc=com displayName: tb20 tb20 cn: tb20 tb20 objectClass: top objectClass: person objectClass: organizationalperson objectClass: inetorgperson objectClass: inetuser objectClass: posixaccount objectClass: krbprincipalaux objectClass: krbticketpolicyaux objectClass: ipaobject objectClass: ipasshuser objectClass: ipaSshGroupOfPubKeys loginShell: /bin/sh uidNumber: -1 ipaUniqueID: autogenerate gidNumber: -1 gecos: tb20 tb20 sn: tb20 homeDirectory: /home/tb20 uid: tb20 mail: <a class="moz-txt-link-abbreviated" href="mailto:tb20@idm.lab.bos.redhat.com">tb20@idm.lab.bos.redhat.com</a> krbPrincipalName: <a class="moz-txt-link-abbreviated" href="mailto:tb20@IDM.LAB.BOS.REDHAT.COM">tb20@IDM.LAB.BOS.REDHAT.COM</a> givenName: tb20 initials: tt </tt> </blockquote> I needed to resctrict the scope of the following plugins: <blockquote><tt>dn: cn=ipaUniqueID uniqueness,cn=plugins,cn=config</tt><tt> </tt><tt>nsslapd-pluginarg1: cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com</tt><tt> </tt><tt> </tt><tt>dn: cn=IPA Unique IDs,cn=IPA UUID,cn=plugins,cn=confi</tt><tt> </tt><tt>ipauuidscope: cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com</tt><tt> </tt><tt> </tt><tt>dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config</tt><tt> </tt><tt>dnaScope: cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com</tt><tt> </tt><tt> </tt><tt>dn: cn=MemberOf Plugin,cn=plugins,cn=config</tt><tt> </tt><tt>memberofentryscope: cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com</tt> </blockquote> In fact I need them to not modify the added entry when it is added under "<tt>cn=staged users,cn=accounts,cn=provisioning,$SUFFIX".</tt> Now is it possible to limit those plugins scope to the 'cn=accounts' part of the tree ? I guess not. If it is not possible, a solution is to make the scope multi-valued attributes or to introduce a new config attribute '*notInScope' also multi-valued. A problem is the 'cn=ipaUniqueID uniqueness' that rely on the 'attribute uniqueness' plugin with a argv[ ], not really convenient to pass 2 multivalued attributes. If anyone is having others solutions it would help me a lot :-) thanks thierry <blockquote> </blockquote> </blockquote> </body> </html>