[Freeipa-devel] [Patch] 0001-2 User Life Cycle: create containers and scoping DS plugins

thierry bordaz tbordaz at redhat.com
Thu Aug 28 17:26:51 UTC 2014


On 08/28/2014 06:51 PM, Sumit Bose wrote:
> On Thu, Aug 14, 2014 at 07:18:40PM +0200, thierry bordaz wrote:
>> Hello,
>>
>>     Following Petr remarks from the previous review, I modified the
>>     original fix to move it only in '.update' files.
>>
>>     Thanks
>>     thierry
>>
>>  From d45e78dfeb7761348c464b3bb3956656bb115ce0 Mon Sep 17 00:00:00 2001
>> From: "Thierry bordaz (tbordaz)" <tbordaz at redhat.com>
>> Date: Thu, 7 Aug 2014 16:29:02 +0200
>> Subject: [PATCH] User Life Cycle: create containers and scoping  DS plugins
>>
>> User Life Cycle is designed http://www.freeipa.org/page/V4/User_Life-Cycle_Management
>> It manages 3 containers (Staging, Active, Delete). At install/upgrade, the Delete and Staging
>> containers need to be created.
>> 		Active: cn=users,cn=accounts,$SUFFIX
>> 		Delete: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
>> 		Stage:  cn=staged users ,cn=accounts,cn=provisioning,$SUFFIX
>>
>> Plugins scopes:
>> 		krbPrincipalName, krbCanonicalName, ipaUniqueID, uid:
>> 			cn=accounts,SUFFIX
>> 			cn=deleted users,cn=accounts,cn=provisioning,SUFFIX
>> 		DNA:
>> 			cn=accounts,SUFFIX
> Hi Thierry,
>
> sorry for being late, but cn=accounts,SUFFIX is too strict for the DNA
> plugin. We need to generate a UID for the trusted domain objects as
> well which are stored in cn=trusts,SUFFIX. The reason is that AD
> expects to be able to connect with a special trusted domain account. We
> generate this account on the fly based on the data in the trusted domain
> object hence we need a UID here.
>
> Since it looks like dnaScope is a SINGLE-VALUE attribute I think
> dnaScope has to be reverted to SUFFIX. Do you see any drawbacks or a
> different solution?
>
> bye,
> Sumit

Hello Sumit,

    Thank you so much for having reviewed this fix and your important
    feedback!

    Yes, I had the same fear about restricting DNA to 'accounts'. I opened
    https://fedorahosted.org/389/ticket/47828
    to allow excluding part of the DIT (here
    'cn=provisioning,SUFFIX') from the scope of the DNA plugin.
    Do you think it can address this concern?

    thanks
    thierry

>
>> 		Plugins exclude subtree:
>> 		IPA UUID, Referential Integrity, memberOf:
>> 			cn=provisioning,SUFFIX
>>
>> Reviewed-By: Petr Viktorin <pviktori at redhat.com>
>>
>> https://fedorahosted.org/freeipa/ticket/3813
>> ---
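The scoping question in this thread, as an added example (not FreeIPA or 389-ds code): a small model of how a plugin scope plus an excluded subtree selects entries, run over the containers named above. The suffix, the sample entry DNs and the simplified DN parsing are assumptions made for the example.

```python
# Added example, not FreeIPA or 389-ds code: a simplified model of how a DS
# plugin's scope (plus an optional excluded subtree) selects entries, applied
# to the containers discussed in the thread. DN parsing is naive: RDNs are
# split on ',' and values containing escaped commas are not handled.

SUFFIX = "dc=example,dc=com"  # constructed stand-in for $SUFFIX

ACTIVE = f"cn=users,cn=accounts,{SUFFIX}"
DELETED = f"cn=deleted users,cn=accounts,cn=provisioning,{SUFFIX}"
STAGED = f"cn=staged users,cn=accounts,cn=provisioning,{SUFFIX}"
TRUSTS = f"cn=trusts,{SUFFIX}"  # where trusted domain objects live (per Sumit)


def normalize_dn(dn):
    """Split a DN into lower-cased, whitespace-trimmed RDNs."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def is_under(dn, base):
    """True if dn equals base or lies anywhere below it (positional suffix match)."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return len(d) >= len(b) and d[-len(b):] == b


def in_plugin_scope(dn, scope, exclude=()):
    """An entry is handled if it is under the scope and under no excluded subtree."""
    return is_under(dn, scope) and not any(is_under(dn, ex) for ex in exclude)


def dna_coverage(scope, exclude=()):
    """Which of four constructed sample entries a DNA-like plugin would touch."""
    samples = {
        "active": f"uid=alice,{ACTIVE}",
        "staged": f"uid=bob,{STAGED}",
        "deleted": f"uid=carol,{DELETED}",
        "trust": f"cn=ad.example.test,{TRUSTS}",
    }
    return {name: in_plugin_scope(dn, scope, exclude) for name, dn in samples.items()}


if __name__ == "__main__":
    # Scope from the patch: the trusted domain object is not covered, as Sumit notes.
    print(dna_coverage(f"cn=accounts,{SUFFIX}"))
    # Scope SUFFIX with cn=provisioning excluded (the 389 ticket proposal):
    # covers trusts while still skipping staged and deleted users.
    print(dna_coverage(SUFFIX, exclude=(f"cn=provisioning,{SUFFIX}",)))
```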
