<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 05/12/2015 02:17 PM, thierry bordaz
wrote:<br>
</div>
<blockquote cite="mid:5551EF3E.1060503@redhat.com" type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<div class="moz-cite-prefix">On 05/05/2015 08:57 AM, Jan Cholasta
wrote:<br>
</div>
<blockquote cite="mid:554869C3.2040509@redhat.com" type="cite">Hi,
<br>
<br>
Dne 28.4.2015 v 16:40 thierry bordaz napsal(a): <br>
<blockquote type="cite">On 04/28/2015 10:40 AM, David Kupka
wrote: <br>
<blockquote type="cite">On 04/28/2015 10:28 AM, thierry bordaz
wrote: <br>
<blockquote type="cite">On 04/28/2015 10:23 AM, David Kupka
wrote: <br>
<blockquote type="cite">On 04/16/2015 01:00 PM, thierry
bordaz wrote: <br>
<blockquote type="cite">Hello, <br>
<br>
Here is the next patch for User life cycle that
introduces <br>
del/mod/find and show stageuser plugin commands. <br>
<br>
* 0000-User Life Cycle (create containers and
scoping DS plugins): <br>
*pushed* <br>
*
0001-User-Life-Cycle-Exclude-subtree-for-ipaUniqueID-gene.patch:
<br>
*pushed* <br>
* 0002-User-life-cycle-stageuser-add-verb.patch:
*pushed* <br>
*
0007-User-life-cycle-allows-MODRDN-from-ldap2.patch:
*pushed* <br>
*
0003-User-life-cycle-new-stageuser-commands-del-mod-find-*under
<br>
review *(this one)** <br>
*
0004-User-life-cycle-new-stageuser-commands-activate.patch
<br>
*
0005-User-life-cycle-new-stageuser-commands-activate-prov.patch
<br>
*
0006-User-life-cycle-user-del-supports-permanently-preser.patch
<br>
*
0008-User-life-cycle-user-find-support-finding-delete-use.patch
<br>
* 0009-User-life-cycle-support-of-user-undel.patch <br>
*
0010-User-life-cycle-DNA-DS-plugin-should-exclude-provisi.patch
<br>
*
0011-User-life-cycle-lockout-provisioning-stage-and-delet.patch
<br>
*
0012-User-life-cycle-Create-stage-Admin-provisioning-acco.patch
<br>
*
0013-User-life-cycle-Stage-Admin-permission-priviledge.patch
<br>
<br>
Thanks <br>
thierry <br>
<br>
<br>
<br>
<br>
</blockquote>
Hi Thierry, <br>
thanks for the patch, the code looks good to me but
there is probably <br>
a bug in ACIs. <br>
After creating a stage user and setting password for him
I can kinit <br>
as the stage user. I'm unable to login to the IPA client
and id <br>
command for this stage user responds "no such user" but
I can kinit <br>
and invoke ipa commands. <br>
<br>
Steps: <br>
0. build freeipa with your patch <br>
1. # ipa-server-install <br>
2. $ kinit admin <br>
3. $ ipa stageuser-add suser0 --first Stage --last User
--password <br>
4. $ kdestroy <br>
5. $ kinit suser0 <br>
6. $ ipa user-find <br>
<br>
Actual: <br>
Prints out list of ipa users. <br>
<br>
Expected: <br>
kinit fails with <a moz-do-not-send="true"
class="moz-txt-link-rfc2396E"
href="mailto:suser0@...notfoundinKerberosdatabase">"suser0@...
not found in Kerberos database"</a> <br>
<br>
</blockquote>
Hi David, <br>
<br>
Thank you so much for having looked at this patch :-) <br>
You are right. The Staging users (as well as the Delete
users) are not <br>
lockout in that patch. <br>
The patch <br>
0011-User-life-cycle-lockout-provisioning-stage-and-delet.patch
will <br>
take care of this. <br>
<br>
Do you prefer that I merged the two patches right now ? <br>
<br>
thanks <br>
thierry <br>
<br>
</blockquote>
<br>
Hi Thierry, <br>
no, it is not necessary to merge the patches it's ok to have
it <br>
separated. I'm not sure if the patch should be pushed now or
rather <br>
wait and push it together with the others. <br>
I'm looking forward to next ULC patches from you. <br>
<br>
</blockquote>
<br>
<br>
Hi David, <br>
<br>
Here are all the available patches. <br>
I also attach a test script that is a kind of regression tests
that I am <br>
using. <br>
<br>
Thanks again <br>
thierry <br>
<br>
<br>
</blockquote>
<br>
Some issues I have found during a quick read of the patches: <br>
<br>
<br>
Patch 0005: <br>
<br>
1) This does nothing and can be safely removed: <br>
<br>
+ def pre_callback(self, ldap, dn, *keys, **options): <br>
+ assert isinstance(dn, DN) <br>
+ return dn <br>
<br>
<br>
2) stageuser_{mod,find,show} have a lot of code that seems to be
copy-pasted from user_{mod,find,show}. I would prefer if the
code was shared instead of copy-pasted, preferably in
baseuser_{mod,find,show}. <br>
<br>
<br>
Patch 0006: <br>
<br>
1) These do nothing and can be safely removed: <br>
<br>
+ def pre_callback(self, ldap, dn, entry_attrs, attrs_list,
*keys, **options): <br>
+ assert isinstance(dn, DN) <br>
+ return dn <br>
+ <br>
+ def post_callback(self, ldap, dn, entry_attrs, *keys,
**options): <br>
+ assert isinstance(dn, DN) <br>
+ return dn <br>
<br>
<br>
2) You should use output.standard_entry for has_output, as you
are only returning one entry. Or you could add support for
activating multiple users at once. <br>
<br>
<br>
3) IMO the "time to build the new entry" and "add the active
entry" parts should be done by calling user-add, so that the
(active) user creation routine is the same. <br>
<br>
<br>
4) Please use a single line to separate method definitions in
classes. <br>
<br>
<br>
Patch 008: <br>
<br>
1) I guess you forgot to remove these: <br>
<br>
+ self.log.error("====> user-add pre_callback 1 %s " %
dn) <br>
<br>
+ self.log.error("====> user-add pre_callback %s " %
dn) <br>
<br>
<br>
2) <br>
<br>
+ takes_options = LDAPDelete.takes_options + ( <br>
<br>
This should be "baseuser_del.takes_options + ...". <br>
<br>
<br>
Honza <br>
<br>
</blockquote>
<br>
Hello,<br>
<br>
<blockquote>This is the set of revisited patches for ULC. Here are
the changes done versus the previous patches<br>
</blockquote>
<blockquote>
<blockquote><tt>Patch 0005:</tt><tt><br>
</tt>
<blockquote><tt>Refactoring stageuser+user => baseuser<br>
<br>
<br>
</tt></blockquote>
<tt>Patch 0006:</tt><tt><br>
</tt>
<blockquote><tt>Lock stage/delete users, add activated user
into ipausers, stageuser-activate process a single entry</tt><tt>
</tt><tt><br>
</tt></blockquote>
<tt><br>
</tt><tt>Patch 0007</tt><tt><br>
</tt><tt><br>
</tt>
<blockquote><tt>Refactoring stageuser+user => baseuser, GID
number lost during activation</tt><tt><br>
</tt></blockquote>
<tt> Patch 0008 </tt><tt><br>
</tt>
<blockquote><tt>user take_options from baseuser_del rather
than LDAPDelete</tt><tt><br>
</tt></blockquote>
<tt>Patch 0009</tt><tt><br>
</tt><tt><br>
</tt>
<blockquote><tt>Refactoring stageuser+user => baseuser,
remove debug traces<br>
</tt></blockquote>
<tt>Patch 0010</tt><tt><br>
</tt>
<blockquote><tt>Refactoring stageuser+user => baseuser,,
add undelete user into ipausers<br>
<br>
</tt></blockquote>
<tt>Patch 0011 (previous patch 0011 was merged in Patch 0006:
lockout stage/delete users)</tt><tt><br>
</tt>
<blockquote><tt>Change due to CSV<br>
<br>
</tt></blockquote>
<tt>Patch 0012 </tt><tt><br>
</tt>
<blockquote><tt>Change due to CSV, permission tests</tt><br>
</blockquote>
</blockquote>
</blockquote>
<blockquote><font face="Times New Roman, Times, serif">It does not
take into account your request Honza to use 'user-add' command
when activating a user.<br>
I will work on that now and submit an other patch later for
that.<br>
<br>
Thanks<br>
thierry<br>
</font></blockquote>
<br>
<font face="Times New Roman, Times, serif"><br>
</font> <br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
<font face="Times New Roman, Times, serif">IPA_API_VERSION_MINOR was
invalid in the first patch 0005. I am sorry for that.</font><br>
<font face="Times New Roman, Times, serif"><br>
Here is the next set of patches. Only patch 0005 differs from my
previous email</font><br>
<br>
<font face="Times New Roman, Times, serif">thanks<br>
thierry</font><br>
</body>
</html>