<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 05/05/2015 08:57 AM, Jan Cholasta
wrote:<br>
</div>
<blockquote cite="mid:554869C3.2040509@redhat.com" type="cite">Hi,
<br>
<br>
Dne 28.4.2015 v 16:40 thierry bordaz napsal(a):
<br>
<blockquote type="cite">On 04/28/2015 10:40 AM, David Kupka wrote:
<br>
<blockquote type="cite">On 04/28/2015 10:28 AM, thierry bordaz
wrote:
<br>
<blockquote type="cite">On 04/28/2015 10:23 AM, David Kupka
wrote:
<br>
<blockquote type="cite">On 04/16/2015 01:00 PM, thierry
bordaz wrote:
<br>
<blockquote type="cite">Hello,
<br>
<br>
Here is the next patch for User life cycle that
introduces
<br>
del/mod/find and show stageuser plugin commands.
<br>
<br>
* 0000-User Life Cycle (create containers and scoping
DS plugins):
<br>
*pushed*
<br>
*
0001-User-Life-Cycle-Exclude-subtree-for-ipaUniqueID-gene.patch:
<br>
*pushed*
<br>
* 0002-User-life-cycle-stageuser-add-verb.patch:
*pushed*
<br>
* 0007-User-life-cycle-allows-MODRDN-from-ldap2.patch:
*pushed*
<br>
*
0003-User-life-cycle-new-stageuser-commands-del-mod-find-*under
<br>
review *(this one)**
<br>
*
0004-User-life-cycle-new-stageuser-commands-activate.patch
<br>
*
0005-User-life-cycle-new-stageuser-commands-activate-prov.patch
<br>
*
0006-User-life-cycle-user-del-supports-permanently-preser.patch
<br>
*
0008-User-life-cycle-user-find-support-finding-delete-use.patch
<br>
* 0009-User-life-cycle-support-of-user-undel.patch
<br>
*
0010-User-life-cycle-DNA-DS-plugin-should-exclude-provisi.patch
<br>
*
0011-User-life-cycle-lockout-provisioning-stage-and-delet.patch
<br>
*
0012-User-life-cycle-Create-stage-Admin-provisioning-acco.patch
<br>
*
0013-User-life-cycle-Stage-Admin-permission-priviledge.patch
<br>
<br>
Thanks
<br>
thierry
<br>
<br>
<br>
<br>
<br>
</blockquote>
Hi Thierry,
<br>
thanks for the patch, the code looks good to me but there
is probably
<br>
a bug in ACIs.
<br>
After creating a stage user and setting password for him I
can kinit
<br>
as the stage user. I'm unable to login to the IPA client
and id
<br>
command for this stage user responds "no such user" but I
can kinit
<br>
and invoke ipa commands.
<br>
<br>
Steps:
<br>
0. build freeipa with your patch
<br>
1. # ipa-server-install
<br>
2. $ kinit admin
<br>
3. $ ipa stageuser-add suser0 --first Stage --last User
--password
<br>
4. $ kdestroy
<br>
5. $ kinit suser0
<br>
6. $ ipa user-find
<br>
<br>
Actual:
<br>
Prints out list of ipa users.
<br>
<br>
Expected:
<br>
kinit fails with <a class="moz-txt-link-rfc2396E" href="mailto:suser0@...notfoundinKerberosdatabase">"suser0@... not found in Kerberos
database"</a>
<br>
<br>
</blockquote>
Hi David,
<br>
<br>
Thank you so much for having looked at this patch :-)
<br>
You are right. The Staging users (as well as the Delete
users) are not
<br>
lockout in that patch.
<br>
The patch
<br>
0011-User-life-cycle-lockout-provisioning-stage-and-delet.patch
will
<br>
take care of this.
<br>
<br>
Do you prefer that I merged the two patches right now ?
<br>
<br>
thanks
<br>
thierry
<br>
<br>
</blockquote>
<br>
Hi Thierry,
<br>
no, it is not necessary to merge the patches it's ok to have
it
<br>
separated. I'm not sure if the patch should be pushed now or
rather
<br>
wait and push it together with the others.
<br>
I'm looking forward to next ULC patches from you.
<br>
<br>
</blockquote>
<br>
<br>
Hi David,
<br>
<br>
Here are all the available patches.
<br>
I also attach a test script that is a kind of regression tests
that I am
<br>
using.
<br>
<br>
Thanks again
<br>
thierry
<br>
<br>
<br>
</blockquote>
<br>
Some issues I have found during a quick read of the patches:
<br>
<br>
<br>
Patch 0005:
<br>
<br>
1) This does nothing and can be safely removed:
<br>
<br>
+ def pre_callback(self, ldap, dn, *keys, **options):
<br>
+ assert isinstance(dn, DN)
<br>
+ return dn
<br>
<br>
<br>
2) stageuser_{mod,find,show} have a lot of code that seems to be
copy-pasted from user_{mod,find,show}. I would prefer if the code
was shared instead of copy-pasted, preferably in
baseuser_{mod,find,show}.
<br>
<br>
<br>
Patch 0006:
<br>
<br>
1) These do nothing and can be safely removed:
<br>
<br>
+ def pre_callback(self, ldap, dn, entry_attrs, attrs_list,
*keys, **options):
<br>
+ assert isinstance(dn, DN)
<br>
+ return dn
<br>
+
<br>
+ def post_callback(self, ldap, dn, entry_attrs, *keys,
**options):
<br>
+ assert isinstance(dn, DN)
<br>
+ return dn
<br>
<br>
<br>
2) You should use output.standard_entry for has_output, as you are
only returning one entry. Or you could add support for activating
multiple users at once.
<br>
<br>
<br>
3) IMO the "time to build the new entry" and "add the active
entry" parts should be done by calling user-add, so that the
(active) user creation routine is the same.
<br>
<br>
<br>
4) Please use a single line to separate method definitions in
classes.
<br>
<br>
<br>
Patch 008:
<br>
<br>
1) I guess you forgot to remove these:
<br>
<br>
+ self.log.error("====> user-add pre_callback 1 %s " %
dn)
<br>
<br>
+ self.log.error("====> user-add pre_callback %s " % dn)
<br>
<br>
<br>
2)
<br>
<br>
+ takes_options = LDAPDelete.takes_options + (
<br>
<br>
This should be "baseuser_del.takes_options + ...".
<br>
<br>
<br>
Honza
<br>
<br>
</blockquote>
<br>
Hello,<br>
<br>
<blockquote>This is the set of revisited patches for ULC. Here are
the changes done versus the previous patches<br>
</blockquote>
<blockquote>
<blockquote><tt>Patch 0005:</tt><tt><br>
</tt>
<blockquote><tt>Refactoring stageuser+user => baseuser<br>
<br>
<br>
</tt></blockquote>
<tt>Patch 0006:</tt><tt><br>
</tt>
<blockquote><tt>Lock stage/delete users, add activated user into
ipausers, stageuser-activate process a single entry</tt><tt>
</tt><tt><br>
</tt></blockquote>
<tt><br>
</tt><tt>Patch 0007</tt><tt><br>
</tt><tt><br>
</tt>
<blockquote><tt>Refactoring stageuser+user => baseuser, GID
number lost during activation</tt><tt><br>
</tt></blockquote>
<tt>
Patch 0008 </tt><tt><br>
</tt>
<blockquote><tt>user take_options from baseuser_del rather than
LDAPDelete</tt><tt><br>
</tt></blockquote>
<tt>Patch 0009</tt><tt><br>
</tt><tt><br>
</tt>
<blockquote><tt>Refactoring stageuser+user => baseuser,
remove debug traces<br>
</tt></blockquote>
<tt>Patch 0010</tt><tt><br>
</tt>
<blockquote><tt>Refactoring stageuser+user => baseuser,, add
undelete user into ipausers<br>
<br>
</tt></blockquote>
<tt>Patch 0011 (previous patch 0011 was merged in Patch 0006:
lockout stage/delete users)</tt><tt><br>
</tt>
<blockquote><tt>Change due to CSV<br>
<br>
</tt></blockquote>
<tt>Patch 0012 </tt><tt><br>
</tt>
<blockquote><tt>Change due to CSV, permission tests</tt><br>
</blockquote>
</blockquote>
</blockquote>
<blockquote><font face="Times New Roman, Times, serif">It does not
take into account your request Honza to use 'user-add' command
when activating a user.<br>
I will work on that now and submit an other patch later for
that.<br>
<br>
Thanks<br>
thierry<br>
</font></blockquote>
<br>
<font face="Times New Roman, Times, serif"><br>
</font>
</body>
</html>