<html> <head> <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1"> </head> <body bgcolor="#FFFFFF" text="#000000"> Hello, <blockquote>Me again !!! </blockquote> <blockquote>Thanks to all your inputs, the discussion about User_life_cycle clarified a lot workflow/command verbs. Now I have a doubt about what would be an entry in staging (objectclass/attribute). Also I wonder if ipa CLI (ipa user-add --stage), would be the only support way to create stage entry. An active entry is looking like (with krb* attributes if the userpassword is defined): <blockquote><tt>dn: uid=tb17,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com displayName: tb15 tb15 cn: tb15 tb15 objectClass: top objectClass: person objectClass: organizationalperson objectClass: inetorgperson objectClass: inetuser objectClass: posixaccount objectClass: krbprincipalaux objectClass: krbticketpolicyaux objectClass: ipaobject objectClass: ipasshuser objectClass: ipaSshGroupOfPubKeys objectClass: mepOriginEntry loginShell: /bin/sh gecos: tb15 tb15 sn: tb15 homeDirectory: /home/tb17 uid: tb17 mail: <a class="moz-txt-link-abbreviated" href="mailto:tb17@idm.lab.bos.redhat.com">tb17@idm.lab.bos.redhat.com</a> krbPrincipalName: <a class="moz-txt-link-abbreviated" href="mailto:tb17@IDM.LAB.BOS.REDHAT.COM">tb17@IDM.LAB.BOS.REDHAT.COM</a> givenName: tb15 initials: tt ipaUniqueID: 3f1b5cce-e1b8-11e3-86fe-001a4a104ecd uidNumber: 646400009 gidNumber: 646400009 mepManagedEntry: cn=tb17,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat, dc=com memberOf: cn=ipausers,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc= com </tt><tt>nsAccountLock: False</tt> <tt> </tt> </blockquote> <pre> </pre> A staged entry created by 'ipa user-add --stage' may look like the following. This kind of entry is easy to activate 'ipa user-unstage' <blockquote><tt>dn: uid=tb20,cn=staged users,cn=accounts,cn=provisioning,dc=idm,dc=lab,dc=bos,</tt> <tt> dc=redhat,dc=com</tt> <tt>displayName: tb20 tb20</tt> <tt>cn: tb20 tb20</tt> <tt>objectClass: top</tt> <tt>objectClass: person</tt> <tt>objectClass: organizationalperson</tt> <tt>objectClass: inetorgperson</tt> <tt>objectClass: inetuser</tt> <tt>objectClass: posixaccount</tt> <tt>objectClass: krbprincipalaux</tt> <tt>objectClass: krbticketpolicyaux</tt> <tt>objectClass: ipaobject</tt> <tt>objectClass: ipasshuser</tt> <tt>objectClass: ipaSshGroupOfPubKeys</tt> <tt>loginShell: /bin/sh</tt> <tt>uidNumber: -1</tt> <tt>ipaUniqueID: autogenerate</tt> <tt>gidNumber: -1</tt> <tt>gecos: tb20 tb20</tt> <tt>sn: tb20</tt> <tt>homeDirectory: /home/tb20</tt> <tt>uid: tb20</tt> <tt>mail: <a class="moz-txt-link-abbreviated" href="mailto:tb20@idm.lab.bos.redhat.com">tb20@idm.lab.bos.redhat.com</a></tt> <tt>krbPrincipalName: <a class="moz-txt-link-abbreviated" href="mailto:tb20@IDM.LAB.BOS.REDHAT.COM">tb20@IDM.LAB.BOS.REDHAT.COM</a></tt> <tt>givenName: tb20</tt> <tt>initials: tt</tt> <tt>nsAccountLock: </tt><tt>True</tt> </blockquote> Now are we going to support the following entries for 'ipa user-unstage' <blockquote><tt>dn: cn=tb20,cn=staged users,cn=accounts,cn=provisioning,dc=idm,dc=lab,dc=bos,</tt> <tt> dc=redhat,dc=com</tt> <tt>objectClass: top</tt> <tt>objectClass: person</tt> <tt>sn: tb20</tt> <tt>cn: tb20</tt> <tt>nsAccountLock: </tt><tt>True</tt> </blockquote> or <blockquote><tt>dn: uid=tb20,cn=staged users,cn=accounts,cn=provisioning,dc=idm,dc=lab,dc=bos,</tt><tt> </tt><tt> </tt><tt> dc=redhat,dc=com</tt><tt> </tt> <tt> objectClass: top</tt><tt> </tt> <tt> objectClass: person</tt><tt> </tt><tt>objectClass: posixAccount</tt><tt> </tt> <tt> sn: tb20</tt><tt> </tt> <tt> cn: tb20 tb20</tt><tt> uid: tb20 uidNumber: -1 gidNumber: -1 homeDirectory: /home/tb20 </tt> <tt>nsAccountLock: </tt><tt>True </tt></blockquote> <big><tt>thanks thierry</tt></big> </blockquote> </body> </html>