<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 05/22/2014 10:33 AM, thierry bordaz
wrote:<br>
</div>
<blockquote cite="mid:537E0AAA.5090100@redhat.com" type="cite">
<font face="Times New Roman, Times, serif">Hello,<br>
<br>
</font>
<blockquote><font face="Times New Roman, Times, serif">In order to
provision staged users (account inactivated) with their
initial values:<br>
</font>
<blockquote><tt>/</tt><tt>usr/bin/ipa user-add tb20 --to-stage
--first=tb20 --last=tb20</tt><tt><br>
</tt><tt>-----------------</tt><tt><br>
</tt><tt>Added user "tb20"</tt><tt><br>
</tt><tt>-----------------</tt><tt><br>
</tt><tt> User login: tb20</tt><tt><br>
</tt><tt> First name: tb20</tt><tt><br>
</tt><tt> Last name: tb20</tt><tt><br>
</tt><tt> Full name: tb20 tb20</tt><tt><br>
</tt><tt> Display name: tb20 tb20</tt><tt><br>
</tt><tt> Initials: tt</tt><tt><br>
</tt><tt> Home directory: /home/tb20</tt><tt><br>
</tt><tt> GECOS: tb20 tb20</tt><tt><br>
</tt><tt> Login shell: /bin/sh</tt><tt><br>
</tt><tt> Kerberos principal: <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:tb20@IDM.LAB.BOS.REDHAT.COM">tb20@IDM.LAB.BOS.REDHAT.COM</a></tt><tt><br>
</tt><tt> Email address: <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:tb20@idm.lab.bos.redhat.com">tb20@idm.lab.bos.redhat.com</a></tt><tt><br>
</tt><tt> UID: -1</tt><tt><br>
</tt><tt> GID: -1</tt><tt><br>
</tt><tt> Account disabled: true</tt><tt><br>
</tt><tt> Password: False</tt><tt><br>
</tt><tt> Kerberos keys available: False<br>
<br>
ldapsearch -LLL -h localhost -p 389 -D "cn=directory
manager" -w Secret123 -b
"dc=idm,dc=lab,dc=bos,dc=redhat,dc=com" uid=tb20<br>
dn: uid=tb20,cn=staged
users,cn=accounts,cn=provisioning,dc=idm,dc=lab,dc=bos,<br>
dc=redhat,dc=com<br>
displayName: tb20 tb20<br>
cn: tb20 tb20<br>
objectClass: top<br>
objectClass: person<br>
objectClass: organizationalperson<br>
objectClass: inetorgperson<br>
objectClass: inetuser<br>
objectClass: posixaccount<br>
objectClass: krbprincipalaux<br>
objectClass: krbticketpolicyaux<br>
objectClass: ipaobject<br>
objectClass: ipasshuser<br>
objectClass: ipaSshGroupOfPubKeys<br>
loginShell: /bin/sh<br>
uidNumber: -1<br>
ipaUniqueID: autogenerate<br>
gidNumber: -1<br>
gecos: tb20 tb20<br>
sn: tb20<br>
homeDirectory: /home/tb20<br>
uid: tb20<br>
mail: <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:tb20@idm.lab.bos.redhat.com">tb20@idm.lab.bos.redhat.com</a><br>
krbPrincipalName: <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:tb20@IDM.LAB.BOS.REDHAT.COM">tb20@IDM.LAB.BOS.REDHAT.COM</a><br>
givenName: tb20<br>
initials: tt<br>
</tt><br>
</blockquote>
<font face="Times New Roman, Times, serif">I needed to restrict
the scope of the following plugins:<br>
</font>
<blockquote><tt>dn: cn=ipaUniqueID
uniqueness,cn=plugins,cn=config</tt><tt><br>
</tt><tt>nsslapd-pluginarg1:
cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com</tt><tt><br>
</tt><tt><br>
</tt><tt>dn: cn=IPA Unique IDs,cn=IPA UUID,cn=plugins,cn=config</tt><tt><br>
</tt><tt>ipauuidscope:
cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com</tt><tt><br>
</tt><tt><br>
</tt><tt>dn: cn=Posix IDs,cn=Distributed Numeric Assignment
Plugin,cn=plugins,cn=config</tt><tt><br>
</tt><tt>dnaScope:
cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com</tt><tt><br>
</tt><tt><br>
</tt><tt>dn: cn=MemberOf Plugin,cn=plugins,cn=config</tt><tt><br>
</tt><tt>memberofentryscope:
cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com</tt><br>
<br>
</blockquote>
<font face="Times New Roman, Times, serif">In fact I need them
to not modify the added entry when it is added under "</font><tt>cn=staged
users,cn=accounts,cn=provisioning,$SUFFIX".</tt><br>
<font face="Times New Roman, Times, serif">Now is it possible to
limit those plugins' scope to the 'cn=accounts' part of the
tree? I guess not.<br>
If it is not possible, a solution is to make the scope
attributes multi-valued or to introduce a new config attribute
'*notInScope', also multi-valued.<br>
A problem is 'cn=ipaUniqueID uniqueness', which relies on the
'attribute uniqueness' plugin with an argv[ ]; it is not really
convenient to pass 2 multivalued attributes.<br>
<br>
If anyone has other solutions, it would help me a lot <span
class="moz-smiley-s1"><span> :-) </span></span><br>
<br>
thanks<br>
thierry<br>
<br>
<br>
</font></blockquote>
</blockquote>
<br>
The easiest solution IMO is to not treat the staging area as an account
area, i.e. instead of cn=staging, cn=accounts, dc=... I suggest
saving users in cn=users, cn=staging, dc=...<br>
This way, if in the future we have some staging for other objects
(for whatever reason), we will create containers under a common
"staging" area.<br>
I would also argue that "deleted" should not be under accounts.<br>
<br>
<br>
<blockquote cite="mid:537E0AAA.5090100@redhat.com" type="cite">
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Freeipa-devel mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-devel@redhat.com">Freeipa-devel@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-devel">https://www.redhat.com/mailman/listinfo/freeipa-devel</a></pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
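<br>
The scope attributes quoted in the thread (nsslapd-pluginarg1, ipauuidscope, dnaScope, memberofentryscope) are subtree scopes: a plugin acts on an entry only if the entry sits at or below the scope DN. The following is an added example, not code from the thread or from FreeIPA or 389-ds, that evaluates which plugins would touch a given entry under the restricted scopes from the first message versus an assumed suffix-wide setting, for the staged-user DN shown above and for the cn=users,cn=staging layout proposed in the reply. The active-user DN assumes FreeIPA's usual cn=users,cn=accounts container; the plugin-to-scope mapping is constructed here from the quoted config.<br>

```python
"""Subtree-scope check for 389-ds plugin scope settings (added example)."""
from typing import Dict, List


def normalize_dn(dn: str) -> List[str]:
    """Split a DN into RDNs, lower-cased and whitespace-trimmed.

    Simplified on purpose: the DNs on this page contain no escaped commas
    or multi-valued RDNs, so a plain split on ',' is enough here.
    """
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def in_scope(entry_dn: str, scope_dn: str) -> bool:
    """True if entry_dn equals scope_dn or lies below it in the tree."""
    entry = normalize_dn(entry_dn)
    scope = normalize_dn(scope_dn)
    if not scope:  # empty scope DN means the whole directory
        return True
    # DNs read leaf-first, so the scope must be a suffix of the entry's RDN list.
    return len(entry) >= len(scope) and entry[-len(scope):] == scope


def plugins_applying(entry_dn: str, scopes: Dict[str, str]) -> List[str]:
    """Names of the plugins whose configured scope covers entry_dn."""
    return sorted(name for name, scope in scopes.items() if in_scope(entry_dn, scope))


SUFFIX = "dc=idm,dc=lab,dc=bos,dc=redhat,dc=com"

# Constructed mapping of plugin -> scope DN, taken from the settings quoted in the thread.
RESTRICTED_SCOPES = {
    "ipaUniqueID uniqueness": f"cn=accounts,{SUFFIX}",
    "IPA Unique IDs (UUID)": f"cn=accounts,{SUFFIX}",
    "Posix IDs (DNA)": f"cn=accounts,{SUFFIX}",
    "MemberOf Plugin": f"cn=accounts,{SUFFIX}",
}
# Assumed pre-change setting: every plugin scoped to the whole suffix.
SUFFIX_WIDE_SCOPES = {name: SUFFIX for name in RESTRICTED_SCOPES}

ACTIVE_USER = f"uid=tb20,cn=users,cn=accounts,{SUFFIX}"  # assumed standard FreeIPA container
STAGED_USER = f"uid=tb20,cn=staged users,cn=accounts,cn=provisioning,{SUFFIX}"  # from the ldapsearch
PROPOSED_STAGED = f"uid=tb20,cn=users,cn=staging,{SUFFIX}"  # layout suggested in the reply

if __name__ == "__main__":
    for dn in (ACTIVE_USER, STAGED_USER, PROPOSED_STAGED):
        print(dn)
        print("  suffix-wide:", plugins_applying(dn, SUFFIX_WIDE_SCOPES))
        print("  restricted: ", plugins_applying(dn, RESTRICTED_SCOPES))
```

Running it shows that under the suffix-wide setting all four plugins would act on the staged entry, while under the restricted cn=accounts scopes none do, and the proposed cn=users,cn=staging layout is likewise outside every restricted scope.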
</body>
</html>