<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 04/28/2015 10:40 AM, David Kupka
wrote:<br>
</div>
<blockquote cite="mid:553F476E.8080502@redhat.com" type="cite">On
04/28/2015 10:28 AM, thierry bordaz wrote:
<br>
<blockquote type="cite">On 04/28/2015 10:23 AM, David Kupka wrote:
<br>
<blockquote type="cite">On 04/16/2015 01:00 PM, thierry bordaz
wrote:
<br>
<blockquote type="cite">Hello,
<br>
<br>
Here is the next patch for User life cycle that
introduces
<br>
del/mod/find and show stageuser plugin commands.
<br>
<br>
* 0000-User Life Cycle (create containers and scoping DS
plugins):
<br>
*pushed*
<br>
*
0001-User-Life-Cycle-Exclude-subtree-for-ipaUniqueID-gene.patch:
<br>
*pushed*
<br>
* 0002-User-life-cycle-stageuser-add-verb.patch: *pushed*
<br>
* 0007-User-life-cycle-allows-MODRDN-from-ldap2.patch:
*pushed*
<br>
*
0003-User-life-cycle-new-stageuser-commands-del-mod-find-*under
<br>
review *(this one)**
<br>
*
0004-User-life-cycle-new-stageuser-commands-activate.patch
<br>
*
0005-User-life-cycle-new-stageuser-commands-activate-prov.patch
<br>
*
0006-User-life-cycle-user-del-supports-permanently-preser.patch
<br>
*
0008-User-life-cycle-user-find-support-finding-delete-use.patch
<br>
* 0009-User-life-cycle-support-of-user-undel.patch
<br>
*
0010-User-life-cycle-DNA-DS-plugin-should-exclude-provisi.patch
<br>
*
0011-User-life-cycle-lockout-provisioning-stage-and-delet.patch
<br>
*
0012-User-life-cycle-Create-stage-Admin-provisioning-acco.patch
<br>
*
0013-User-life-cycle-Stage-Admin-permission-priviledge.patch
<br>
<br>
Thanks
<br>
thierry
<br>
<br>
<br>
<br>
<br>
</blockquote>
Hi Thierry,
<br>
thanks for the patch, the code looks good to me but there is
probably
<br>
a bug in ACIs.
<br>
After creating a stage user and setting password for him I can
kinit
<br>
as the stage user. I'm unable to login to the IPA client and
id
<br>
command for this stage user responds "no such user" but I can
kinit
<br>
and invoke ipa commands.
<br>
<br>
Steps:
<br>
0. build freeipa with your patch
<br>
1. # ipa-server-install
<br>
2. $ kinit admin
<br>
3. $ ipa stageuser-add suser0 --first Stage --last User
--password
<br>
4. $ kdestroy
<br>
5. $ kinit suser0
<br>
6. $ ipa user-find
<br>
<br>
Actual:
<br>
Prints out list of ipa users.
<br>
<br>
Expected:
<br>
kinit fails with <a class="moz-txt-link-rfc2396E" href="mailto:suser0@...notfoundinKerberosdatabase">"suser0@... not found in Kerberos database"</a>
<br>
<br>
</blockquote>
Hi David,
<br>
<br>
Thank you so much for having looked at this patch :-)
<br>
You are right. The Staging users (as well as the Delete users)
are not
<br>
lockout in that patch.
<br>
The patch
<br>
0011-User-life-cycle-lockout-provisioning-stage-and-delet.patch
will
<br>
take care of this.
<br>
<br>
Do you prefer that I merged the two patches right now ?
<br>
<br>
thanks
<br>
thierry
<br>
<br>
</blockquote>
<br>
Hi Thierry,
<br>
no, it is not necessary to merge the patches it's ok to have it
separated. I'm not sure if the patch should be pushed now or
rather wait and push it together with the others.
<br>
I'm looking forward to next ULC patches from you.
<br>
<br>
</blockquote>
<br>
<br>
<font face="Times New Roman, Times, serif">Hi David,<br>
<br>
Here are all the available patches. <br>
I also attach a test script that is a kind of regression tests
that I am using.<br>
<br>
Thanks again<br>
thierry<br>
</font>
</body>
</html>