[Freeipa-devel] [PATCH 0061] Ensure ipaUserAuthTypeClass when needed on user creation
thierry bordaz
tbordaz at redhat.com
Wed Aug 20 14:03:28 UTC 2014
On 08/20/2014 03:48 PM, Nathaniel McCallum wrote:
> On Wed, 2014-08-20 at 14:35 +0200, thierry bordaz wrote:
>> On 08/19/2014 10:46 PM, Nathaniel McCallum wrote:
>>
>>> Also, remove the attempt to load the objectClasses when absent. This
>>> never makes sense during an add operation.
>>>
>>> https://fedorahosted.org/freeipa/ticket/4455
>>>
>> Hello Nathaniel,
>>
>> Reading the patch I have one novice remark. In the previous
>> code, 'objectclass' was added to 'entry_attr' in the case it
>> was missing in 'entry_attr' (on the condition that
>> 'ipatokenradiusconfiglink' was defined). In the new code, if
>> 'objectclass' is missing it is not added. Is it ok?
> I don't think objectClass is ever missing. It must be specified in an
> add operation. Attempting to load the attribute doesn't make sense when
> you are adding the object.
Yes I agree.
>
>> Also, regarding the 'user life cycle'. Staging users are
>> candidates to become Active users. I wonder if Staging users
>> should also contain your fix that adds the
>> ipaUserAuthTypeClass.
> What code is this in?
Well, it is not yet in master. The stageuser plugin is still under review
(design is http://www.freeipa.org/page/V3/User_Life-Cycle_Management).
Now parts of the stageuser_add code are close to user_add. When a stage user
is activated (the stage user entry is moved to the Active container), it becomes
a full IPA user. This is why, if an IPA user needs to be
'ipauserauthtypeclass', it impacts stage users. Either stageuser_add does
the same as user_add or stageuser_activate checks the need for
'ipauserauthtypeclass'.
thanks
thierry
>
> Nathaniel
>