<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 06/16/2014 03:04 PM, Rob Crittenden
wrote:<br>
</div>
<blockquote cite="mid:539EEB47.3030901@redhat.com" type="cite">
<pre wrap="">thierry bordaz wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hello,
When a stage user is activated (ipa stageuser-activate), UUID plugin
(DS) checks that the ipaUniqueID value of the new active user is
'autogenerate'.
This is useful to prevent a provisioning system from creating an Active
user with an invalid ipaUniqueID.
Now one of the workflow steps is to move a Delete user into the Stage
container. In that case the Stage entry contains an ipaUniqueID and
cannot be activated.
A possibility is to 'reset' the ipaUniqueID value to 'autogenerate'
during that step, but I wonder if it is valid to reset it.
Also, is it valid to reset it and keep other values like
uidNumber/gidNumber?
</pre>
</blockquote>
<pre wrap="">
I guess to walk through the logic, the unique id is there so we can
uniquely address an entry without worrying about the value changing
(like uid, name, etc). So if it is a brand new entry from the
provisioning system, yeah, we want to always set it to autogenerate.
If a user is deleted I think we agreed that all links to that user would
be broken (memberships, hbac rules, etc) which means that it doesn't
matter if the unique id is changed I suppose.
IMHO uidnumber/gidnumber should always be maintained.
rob
</pre>
</blockquote>
<font face="Times New Roman, Times, serif">Hello Rob,<br>
<br>
</font>
<blockquote><font face="Times New Roman, Times, serif">Thanks for
your precise feedback and sorry for my late answer.<br>
So if I try to consolidate my understanding, the workflow would
be:<br>
<br>
</font>
<ol>
<li><font face="Times New Roman, Times, serif">Staging
(container: cn=staged
users,cn=accounts,cn=provisioning,SUFFIX)<br>
</font></li>
<ul>
<li><font face="Times New Roman, Times, serif">ipa stageuser-add
<login><br>
It creates a stage entry with</font></li>
</ul>
</ol>
<blockquote>
<blockquote>
<blockquote><tt>uidNumber: -1</tt><br>
<tt>gidNumber: -1</tt><br>
<tt>ipaUniqueID: autogenerate</tt><br>
<tt>description: __no_upg__<br>
manager: checks that the DN is an active user<br>
nsAccountLock: True</tt><br>
</blockquote>
</blockquote>
</blockquote>
<ol>
<ul>
<li><font face="Times New Roman, Times, serif">ipa
stageuser-add <login> --from-delete</font></li>
</ul>
</ol>
<blockquote>
<blockquote><font face="Times New Roman, Times, serif">It moves
a deleted entry to staging container where<br>
</font>
<blockquote><tt>uidNumber: <unchanged, so it is preserved
from the previous active account></tt><br>
<tt>gidNumber: <unchanged, so it is preserved from the
previous active account></tt><br>
<tt>ipaUniqueID: autogenerate (reset to autogenerate)</tt><br>
<tt>description: __no_upg__ (to show there is no managed
group)<br>
nsAccountLock: True<br>
</tt></blockquote>
</blockquote>
</blockquote>
<ol>
<ul>
<li><font face="Times New Roman, Times, serif">ipa
stageuser-activate <login><br>
It adds, in the active container, a copy of the
stage entry where<br>
</font>
<blockquote><tt>uidNumber: <unchanged, so a provisioning
system can force a uidNumber></tt><br>
<tt>gidNumber: <unchanged, so a provisioning system can
force a gidNumber></tt><br>
<tt>ipaUniqueID: autogenerate (reset to autogenerate)</tt>
<br>
<tt>description: value __no_upg__ is removed<br>
nsAccountLock: False</tt><br>
<tt>DN syntax attributes are cleared (but kept for schema
checking) except: manager, managedby and secretary
(those values must be active DN entries)<br>
</tt></blockquote>
<font face="Times New Roman, Times, serif">Then remove the
source entry from the 'Staging' container</font>.<br>
</li>
<li><font face="Times New Roman, Times, serif">ipa stageuser-find
<login></font></li>
<li><font face="Times New Roman, Times, serif">ipa
stageuser-show <login></font></li>
<li><font face="Times New Roman, Times, serif">ipa
stageuser-mod <login><br>
</font>
<blockquote><font face="Times New Roman, Times, serif">nsAccountLock:
cannot be modified<br>
DN syntax attributes: checks that the DN is an active
user<br>
</font></blockquote>
</li>
<li><font face="Times New Roman, Times, serif">ipa
stageuser-del <login><br>
</font></li>
</ul>
<li><font face="Times New Roman, Times, serif">Active </font><font
face="Times New Roman, Times, serif">(container:
cn=users,cn=accounts,SUFFIX)<br>
A new entry (user-add or stageuser-activate) is updated by
DS plugins (UUID, memberof, managed entries and DNA plugins)<br>
</font></li>
</ol>
<blockquote>
<ul>
<li><font face="Times New Roman, Times, serif">ipa user-add
<login></font><br>
<blockquote><tt>nsAccountLock: False</tt><br>
</blockquote>
</li>
<li><font face="Times New Roman, Times, serif">ipa user-find
<login></font></li>
<li><font face="Times New Roman, Times, serif">ipa user-show
<login></font></li>
<li><font face="Times New Roman, Times, serif">ipa user-mod
<login><br>
</font>
<blockquote><tt>nsAccountLock: cannot be modified<br>
DN syntax attributes: checks that the DN is an active user</tt><br>
</blockquote>
</li>
<li><font face="Times New Roman, Times, serif">ipa user-delete
<login><br>
moves (modrdn) the entry under the 'Delete' container, but
first does the following updates<br>
</font>
<blockquote><tt>nsAccountLock: true<br>
all membership attributes updated by plugins (managed
entries/memberof)<br>
description: __no_upg__<br>
DN syntax attributes are cleared (but kept for schema
checking) except: manager, managedby and secretary</tt><br>
</blockquote>
</li>
<li><font face="Times New Roman, Times, serif">ipa
user-undelete <login><br>
moves (modrdn) the entry under the 'Active' container. DS
plugins will update the membership attributes. Before the
modrdn, the following updates are done:<br>
</font>
<blockquote><tt>nsAccountLock: False<br>
description: value __no_upg__ is removed<br>
DN syntax attributes are cleared (but kept for
schema checking) except: manager, managedby and
secretary (those values must be active DN entries)</tt><br>
</blockquote>
</li>
</ul>
</blockquote>
<ol>
<li><font face="Times New Roman, Times, serif">Delete (container
is </font><font face="Times New Roman, Times, serif">cn=deleted
users,cn=accounts,SUFFIX)<br>
This container has no specific plugin, only user and
stageuser are implemented. <br>
</font></li>
</ol>
<p>I have an additional question. 'stageuser-add' is used
both to create a stage entry and to recover a Delete entry into the
Staging container. <br>
In the recover case, 'stageuser-add <login> --from-delete',
the options '--first' and '--last' are optional because the
entry already exists.<br>
But these options are mandatory to create a new stage entry.<br>
Currently I made them optional (in take_param), and in the case of
creation of a stage entry, it displays an error message
requesting these options.</p>
<p>In short, if a flag (--from-delete) is given I need the options to be
optional, else mandatory.<br>
Does anyone know if there are examples of how to handle such a
situation?<br>
</p>
<p><br>
<font face="Times New Roman, Times, serif">thanks<br>
thierry<br>
</font></p>
</blockquote>
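<p>The container transitions listed in the message above, as an added example that is not FreeIPA's own code: a Python model of stageuser-add (with and without --from-delete), stageuser-activate and user-delete over dict-based LDAP entries, including the UUID-plugin check on ipaUniqueID and the conditional --first/--last requirement. The DN-syntax attribute set beyond manager/managedby/secretary, the entry values, and raising ValueError for rejected operations are assumptions.</p>

```python
from copy import deepcopy
# Containers named in the thread (SUFFIX left symbolic).
STAGE = "cn=staged users,cn=accounts,cn=provisioning,SUFFIX"
ACTIVE = "cn=users,cn=accounts,SUFFIX"
DELETED = "cn=deleted users,cn=accounts,SUFFIX"
# Assumed DN-syntax attribute set; the thread names only the three kept
# (manager, managedby, secretary), which must point at active users.
DN_SYNTAX_ATTRS = {"manager", "managedby", "secretary", "memberof", "owner"}
KEEP_DN_ATTRS = {"manager", "managedby", "secretary"}
NO_UPG = "__no_upg__"

def _move(entry, container):  # copy re-rooted under container (modrdn/copy)
    entry = deepcopy(entry)
    entry["dn"] = "uid=%s,%s" % (entry["uid"], container)
    return entry

def _clear_dn_attrs(entry):  # "cleared but kept for schema checking"
    for attr in DN_SYNTAX_ATTRS - KEEP_DN_ATTRS:
        entry.pop(attr, None)

def stageuser_add(login, first=None, last=None, from_delete=None):
    """New stage entry, or a deleted entry recovered into staging."""
    if from_delete is None and (first is None or last is None):
        raise ValueError("--first/--last are required without --from-delete")
    entry = from_delete or {"uid": login, "givenname": first, "sn": last,
                            "uidnumber": -1, "gidnumber": -1}
    entry = _move(entry, STAGE)  # from-delete keeps uidNumber/gidNumber
    entry["ipauniqueid"] = "autogenerate"  # reset so the UUID plugin accepts it
    if NO_UPG not in entry.setdefault("description", []):
        entry["description"].append(NO_UPG)
    entry["nsaccountlock"] = True
    return entry

def stageuser_activate(stage_entry):
    """Copy into Active; the UUID plugin rejects a preset ipaUniqueID."""
    if stage_entry.get("ipauniqueid") != "autogenerate":
        raise ValueError("ipaUniqueID must be 'autogenerate' to activate")
    entry = _move(stage_entry, ACTIVE)
    _clear_dn_attrs(entry)
    entry["description"] = [v for v in entry.get("description", []) if v != NO_UPG]
    entry["nsaccountlock"] = False
    return entry

def user_delete(active_entry):
    """Lock, mark __no_upg__, drop links, then modrdn under Delete."""
    entry = _move(active_entry, DELETED)
    _clear_dn_attrs(entry)
    entry["nsaccountlock"] = True
    entry.setdefault("description", []).append(NO_UPG)
    return entry
```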
</body>
</html>