[Freeipa-devel] [Patch] 0001-2 User Life Cycle: create containers and scoping DS plugins

thierry bordaz tbordaz at redhat.com
Thu Aug 28 18:41:57 UTC 2014


On 08/28/2014 08:30 PM, Sumit Bose wrote:
> On Thu, Aug 28, 2014 at 07:26:51PM +0200, thierry bordaz wrote:
>> On 08/28/2014 06:51 PM, Sumit Bose wrote:
>>> On Thu, Aug 14, 2014 at 07:18:40PM +0200, thierry bordaz wrote:
>>>> Hello,
>>>>
>>>>     Following Petr remarks from the previous review, I modified the
>>>>     original fix to move it only in '.update' files.
>>>>
>>>>     Thanks
>>>>     thierry
>>>>
>>>>  From d45e78dfeb7761348c464b3bb3956656bb115ce0 Mon Sep 17 00:00:00 2001
>>>> From: "Thierry bordaz (tbordaz)" <tbordaz at redhat.com>
>>>> Date: Thu, 7 Aug 2014 16:29:02 +0200
>>>> Subject: [PATCH] User Life Cycle: create containers and scoping  DS plugins
>>>>
>>>> User Life Cycle is designed in http://www.freeipa.org/page/V4/User_Life-Cycle_Management
>>>> It manages 3 containers (Staging, Active, Delete). At install/upgrade the Delete and Staging
>>>> containers need to be created.
>>>> 		Active: cn=users,cn=accounts,$SUFFIX
>>>> 		Delete: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
>>>> 		Stage:  cn=staged users ,cn=accounts,cn=provisioning,$SUFFIX
>>>>
>>>> Plugins scopes:
>>>> 		krbPrincipalName, krbCanonicalName, ipaUniqueID, uid:
>>>> 			cn=accounts,SUFFIX
>>>> 			cn=deleted users,cn=accounts,cn=provisioning,SUFFIX
>>>> 		DNA:
>>>> 			cn=accounts,SUFFIX
>>> Hi Thierry,
>>>
>>> sorry for being late, but cn=accounts,SUFFIX is too strict for the DNA
>>> plugin. We need to generate a UID for the trusted domain objects as
>>> well, which are stored in cn=trusts,SUFFIX. The reason is that AD
>>> expects to be able to connect with a special trusted domain account. We
>>> generate this account on the fly based on the data in the trusted domain
>>> object, hence we need a UID here.
>>>
>>> Since it looks like dnaScope is a SINGLE-VALUE attribute I think
>>> dnaScope has to be reverted to SUFFIX. Do you see any drawbacks or a
>>> different solution?
>>>
>>> bye,
>>> Sumit
>> Hello Sumit,
>>
>>     Thank you so much for having reviewed this fix and your important
>>     feedback!
>>
>>     Yes, I had the same fear about restricting DNA to 'accounts'. I opened
>>     https://fedorahosted.org/389/ticket/47828
>>     to allow excluding a part of the DIT (here
>>     'cn=provisioning,SUFFIX') from the scope of the DNA plugin.
>>     Do you think it can address this concern?
> Yes, in general this would fix the issue. I'm just wondering if it
> wouldn't be easier with respect to coding and management to make
> dnaScope a multi-value attribute?
>
> Additionally a fix for IPA master is needed to make trusts work again.
> Would it be possible to tweak the filter to skip objects in
> cn=provisioning? E.g. do those objects have the ipaObject objectclass?
Yes, stage entries have 'objectclass=ipaObject'.
Do you suggest removing this oc from staged entries, so that the filter 
will not match it? I have to check the impact of staged users not being 
ipaObject.

thanks
thierry
>
> bye,
> Sumit
>
>>     thanks
>>     thierry
>>
>>>> 		Plugins exclude subtree:
>>>> 		IPA UUID, Referential Integrity, memberOf:
>>>> 			cn=provisioning,SUFFIX
>>>>
>>>> Reviewed-By: Petr Viktorin <pviktori at redhat.com>
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/3813
>>>> ---
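The scoping question in this thread (a single-valued dnaScope of cn=accounts,SUFFIX leaves the trusted-domain objects under cn=trusts,SUFFIX without a UID, while dnaScope=SUFFIX pulls staged and deleted users back in) can be checked with a small DN subtree evaluator. The following is an added example, not code from the thread, from FreeIPA or from 389-ds; the suffix dc=example,dc=com and the entry DNs are constructed, and the `exclude` parameter models the exclusion behaviour requested in 389 ticket 47828 rather than a plugin option that existed when this mail was written.

```python
"""Evaluate which entries the DNA plugin would see under two scope configurations.

Added example: the DNs and suffix below are constructed; the exclusion
semantics model the request in 389 ticket 47828, not a shipped option.
"""

SUFFIX = "dc=example,dc=com"  # constructed placeholder for $SUFFIX

# Constructed sample entries mirroring the containers named in the patch
# description; the trust DN follows the cn=trusts,SUFFIX layout Sumit mentions.
ENTRIES = {
    "active_user": f"uid=alice,cn=users,cn=accounts,{SUFFIX}",
    "staged_user": f"uid=bob,cn=staged users ,cn=accounts,cn=provisioning,{SUFFIX}",
    "deleted_user": f"uid=carol,cn=deleted users,cn=accounts,cn=provisioning,{SUFFIX}",
    "trusted_domain": f"cn=ad.example.test,cn=ad,cn=trusts,{SUFFIX}",
}


def normalize_dn(dn):
    """Split a DN into lowercase, whitespace-trimmed RDN strings.

    Assumption: no escaped commas or multi-valued RDNs (true for every DN
    in the thread). Stray spaces such as 'cn=staged users ,cn=accounts' are
    stripped so they do not break the subtree comparison.
    """
    return [rdn.strip().lower() for rdn in dn.split(",")]


def in_subtree(dn, base):
    """True when dn is base itself or lies beneath it."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def dna_applies(dn, scope, exclude=()):
    """Would DNA consider an entry at dn?

    scope   -- the single-valued dnaScope base
    exclude -- subtrees carved out of that scope (modelled on ticket 47828)
    """
    if not in_subtree(dn, scope):
        return False
    return not any(in_subtree(dn, sub) for sub in exclude)


# The two configurations discussed in the thread.
CONFIGS = {
    # dnaScope restricted to cn=accounts, as in the posted patch
    "patch_scope_accounts": {"scope": f"cn=accounts,{SUFFIX}", "exclude": ()},
    # dnaScope reverted to SUFFIX with cn=provisioning excluded (ticket 47828)
    "suffix_with_exclude": {"scope": SUFFIX,
                            "exclude": (f"cn=provisioning,{SUFFIX}",)},
}


def compare_configs():
    """Return {config_name: {entry_name: bool}} for every entry and config."""
    return {
        name: {entry: dna_applies(dn, cfg["scope"], cfg["exclude"])
               for entry, dn in ENTRIES.items()}
        for name, cfg in CONFIGS.items()
    }


if __name__ == "__main__":
    for name, result in compare_configs().items():
        print(name)
        for entry, seen in result.items():
            print(f"  {entry:15s} {'in DNA scope' if seen else 'skipped'}")
```

Running it shows the trade-off in one table: with the patch's scope the trusted-domain object is skipped (the regression Sumit reports), while scope SUFFIX plus an exclusion of cn=provisioning keeps the trust object and still leaves staged and deleted users untouched. Note that Sumit's alternative, filtering on objectclass=ipaObject, cannot separate these cases on its own, since Thierry confirms staged entries carry that objectclass too.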