[Freeipa-devel] [Patch] 0001-2 User Life Cycle: create containers and scoping DS plugins

Sumit Bose sbose at redhat.com
Thu Aug 28 16:51:21 UTC 2014


On Thu, Aug 14, 2014 at 07:18:40PM +0200, thierry bordaz wrote:
> Hello,
> 
>    Following Petr's remarks from the previous review, I modified the
>    original fix to move it only in '.update' files.
> 
>    Thanks
>    thierry
> 

> From d45e78dfeb7761348c464b3bb3956656bb115ce0 Mon Sep 17 00:00:00 2001
> From: "Thierry bordaz (tbordaz)" <tbordaz at redhat.com>
> Date: Thu, 7 Aug 2014 16:29:02 +0200
> Subject: [PATCH] User Life Cycle: create containers and scoping  DS plugins
> 
> User Life Cycle is designed http://www.freeipa.org/page/V4/User_Life-Cycle_Management
> It manages 3 containers (Staging, Active, Delete). At install/upgrade Delete and Staging
> containers need to be created.
> 		Active: cn=users,cn=accounts,$SUFFIX
> 		Delete: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
> 		Stage:  cn=staged users ,cn=accounts,cn=provisioning,$SUFFIX
> 
> Plugins scopes:
> 		krbPrincipalName, krbCanonicalName, ipaUniqueID, uid:
> 			cn=accounts,SUFFIX
> 			cn=deleted users,cn=accounts,cn=provisioning,SUFFIX
> 		DNA:
> 			cn=accounts,SUFFIX

Hi Thierry,

sorry for being late, but cn=accounts,SUFFIX is too strict for the DNA
plugin. We need to generate a UID for the trusted domain objects as
well which are stored in cn=trusts,SUFFIX. The reason is that AD
expects to be able to connect with a special trusted domain account. We
generate this account on the fly based on the data in the trusted domain
object, hence we need a UID here.

Since it looks like dnaScope is a SINGLE-VALUE attribute, I think
dnaScope has to be reverted to SUFFIX. Do you see any drawbacks or a
different solution?

bye,
Sumit

> 
> 		Plugins exclude subtree:
> 		IPA UUID, Referential Integrity, memberOf:
> 			cn=provisioning,SUFFIX
> 
> Reviewed-By: Petr Viktorin <pviktori at redhat.com>
> 
> https://fedorahosted.org/freeipa/ticket/3813
> ---
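
The scoping question raised in this reply, as an added example that is not part of the original mail or the FreeIPA code base: a stdlib-only check that a single-valued scope DN covers every subtree that needs DNA-assigned UIDs, and the narrowest single DN that does. The suffix dc=example,dc=test and all function names are constructed for illustration.

```python
SUFFIX = "dc=example,dc=test"  # constructed stand-in for $SUFFIX

def split_dn(dn):
    """Split a DN into normalized RDNs, keeping backslash-escaped commas."""
    rdns, cur, escaped = [], "", False
    for ch in dn:
        if escaped or ch != ",":
            cur += ch
            escaped = (ch == "\\") and not escaped
        else:
            rdns.append(cur)
            cur = ""
    rdns.append(cur)
    # Simplification: case-fold and trim whitespace around type and value.
    return ["=".join(p.strip().lower() for p in r.split("=", 1)) for r in rdns]

def in_scope(dn, scope):
    """True if dn is the scope entry itself or lies below it."""
    d, s = split_dn(dn), split_dn(scope)
    return len(d) >= len(s) and d[-len(s):] == s

def uncovered(scope, required_subtrees):
    """Subtrees that a single-valued scope attribute would leave out."""
    return [dn for dn in required_subtrees if not in_scope(dn, scope)]

def narrowest_single_scope(required_subtrees):
    """Deepest DN that is an ancestor of every required subtree."""
    paths = [split_dn(dn)[::-1] for dn in required_subtrees]
    common = []
    for level in zip(*paths):
        if len(set(level)) != 1:
            break
        common.append(level[0])
    return ",".join(reversed(common))

# Subtrees named in the thread as needing a generated UID.
REQUIRED = ["cn=accounts," + SUFFIX, "cn=trusts," + SUFFIX]
# Container from the commit message, used to show what a wider scope includes.
STAGED = "cn=staged users ,cn=accounts,cn=provisioning," + SUFFIX

if __name__ == "__main__":
    proposed = "cn=accounts," + SUFFIX
    print("proposed scope misses:", uncovered(proposed, REQUIRED))
    widened = narrowest_single_scope(REQUIRED)
    print("narrowest single scope:", widened)
    print("staged container in proposed scope:", in_scope(STAGED, proposed))
    print("staged container in widened scope:", in_scope(STAGED, widened))
```
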



