[Freeipa-devel] [Patch] 0001-2 User Life Cycle: create containers and scoping DS plugins

Sumit Bose sbose at redhat.com
Thu Aug 28 18:58:00 UTC 2014


On Thu, Aug 28, 2014 at 08:41:57PM +0200, thierry bordaz wrote:
> On 08/28/2014 08:30 PM, Sumit Bose wrote:
> >On Thu, Aug 28, 2014 at 07:26:51PM +0200, thierry bordaz wrote:
> >>On 08/28/2014 06:51 PM, Sumit Bose wrote:
> >>>On Thu, Aug 14, 2014 at 07:18:40PM +0200, thierry bordaz wrote:
> >>>>Hello,
> >>>>
> >>>>    Following Petr's remarks from the previous review, I modified the
> >>>>    original fix to move it only into '.update' files.
> >>>>
> >>>>    Thanks
> >>>>    thierry
> >>>>
> >>>> From d45e78dfeb7761348c464b3bb3956656bb115ce0 Mon Sep 17 00:00:00 2001
> >>>>From: "Thierry bordaz (tbordaz)" <tbordaz at redhat.com>
> >>>>Date: Thu, 7 Aug 2014 16:29:02 +0200
> >>>>Subject: [PATCH] User Life Cycle: create containers and scoping  DS plugins
> >>>>
> >>>>User Life Cycle is designed http://www.freeipa.org/page/V4/User_Life-Cycle_Management
> >>>>It manages 3 containers (Staging, Active, Delete). At install/upgrade the Delete and Staging
> >>>>containers need to be created.
> >>>>		Active: cn=users,cn=accounts,$SUFFIX
> >>>>		Delete: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
> >>>>		Stage:  cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
> >>>>
> >>>>Plugins scopes:
> >>>>		krbPrincipalName, krbCanonicalName, ipaUniqueID, uid:
> >>>>			cn=accounts,SUFFIX
> >>>>			cn=deleted users,cn=accounts,cn=provisioning,SUFFIX
> >>>>		DNA:
> >>>>			cn=accounts,SUFFIX
> >>>Hi Thierry,
> >>>
> >>>sorry for being late, but cn=accounts,SUFFIX is too strict for the DNA
> >>>plugin. We need to generate a UID for the trusted domain objects as
> >>>well which are stored in cn=trusts,SUFFIX. The reason is that AD
> >>>expects to be able to connect with a special trusted domain account. We
> >>>generate this account on the fly based on the data in the trusted domain
> >>>object hence we need a UID here.
> >>>
> >>>Since it looks like dnaScope is a SINGLE-VALUE attribute I think
> >>>dnaScope has to be reverted to SUFFIX. Do you see any drawbacks or a
> >>>different solution?
> >>>
> >>>bye,
> >>>Sumit
> >>Hello Sumit,
> >>
> >>    Thank you so much for having reviewed this fix and for your important
> >>    feedback!
> >>
> >>    Yes, I had the same fear about restricting DNA to 'accounts'. I opened
> >>    https://fedorahosted.org/389/ticket/47828
> >>    to allow excluding a part of the DIT (here
> >>    'cn=provisioning,SUFFIX') from the scope of the DNA plugin.
> >>    Do you think it can address this concern?
> >Yes, in general this would fix the issue. I'm just wondering if it
> >wouldn't be easier, with respect to coding and management, to make
> >dnaScope a multi-valued attribute?
> >
> >Additionally a fix for IPA master is needed to make trusts work again.
> >Would it be possible to tweak the filter to skip objects in
> >cn=provisioning? E.g. do those objects have the ipaObject objectclass?
> Yes, stage entries have 'objectclass=ipaObject'.
> Do you suggest removing this oc from staged entries, so that the filter
> will not match them? I have to check the impact of staged users not being
> ipaObject.

No, it was just a suggestion. Maybe we can use entryDN like:

(&(|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDobject))(!(entrydn=*cn=provisioning*)))

bye,
Sumit

> 
> thanks
> thierry
> >
> >bye,
> >Sumit
> >
> >>    thanks
> >>    thierry
> >>
> >>>>		Plugins exclude subtree:
> >>>>		IPA UUID, Referential Integrity, memberOf:
> >>>>			cn=provisioning,SUFFIX
> >>>>
> >>>>Reviewed-By: Petr Viktorin <pviktori at redhat.com>
> >>>>
> >>>>https://fedorahosted.org/freeipa/ticket/3813
> >>>>---
> 
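The filter Sumit proposes above relies on a substring assertion against the entryDN operational attribute to keep DNA number generation for accounts and trusted-domain objects while skipping everything under cn=provisioning. The following is an added example, not code from FreeIPA or 389-ds: a minimal LDAP filter evaluator (AND, OR, NOT, equality and '*' substring assertions only) run against constructed entries so the effect of that exact filter can be checked offline. The suffix, DNs and object-class combinations are made up for illustration; the attribute the DNA plugin reads this filter from is dnaFilter in 389-ds, a name taken from my own knowledge rather than from this thread. The last sample entry goes beyond the thread to show a side effect of the unanchored pattern.

```python
"""Added example: evaluate the proposed entryDN-based DNA filter offline.

Not FreeIPA or 389-ds code. SUFFIX, DNs and object classes are constructed.
"""

# The filter from the e-mail, verbatim.
DNA_FILTER = (
    "(&(|(objectClass=posixAccount)(objectClass=posixGroup)"
    "(objectClass=ipaIDobject))(!(entrydn=*cn=provisioning*)))"
)

SUFFIX = "dc=example,dc=test"  # constructed placeholder suffix


def entry(dn, *classes):
    """Build a constructed entry: attribute name -> list of values."""
    return {"entrydn": [dn], "objectClass": ["top", *classes]}


# Constructed sample entries covering the containers named in the thread,
# a trusted-domain object under cn=trusts, and one legitimate group whose
# RDN merely contains the string "cn=provisioning".
ENTRIES = {
    "active user": entry(
        f"uid=alice,cn=users,cn=accounts,{SUFFIX}", "posixAccount", "ipaObject"),
    "staged user": entry(
        f"uid=bob,cn=staged users,cn=accounts,cn=provisioning,{SUFFIX}",
        "posixAccount", "ipaObject"),
    "deleted user": entry(
        f"uid=carol,cn=deleted users,cn=accounts,cn=provisioning,{SUFFIX}",
        "posixAccount", "ipaObject"),
    "trusted domain object": entry(
        f"cn=ad.example.test,cn=ad,cn=trusts,{SUFFIX}",
        "ipaNTTrustedDomain", "ipaIDobject"),
    "provisioning-admins group": entry(
        f"cn=provisioning-admins,cn=groups,cn=accounts,{SUFFIX}", "posixGroup"),
}


def parse(text, pos=0):
    """Parse one parenthesised filter at text[pos]; return (node, next_pos).

    Nodes: ('&'|'|', [children]), ('!', [child]) or ('=', attribute, pattern).
    """
    if text[pos] != "(":
        raise ValueError(f"expected '(' at {pos}")
    pos += 1
    op = text[pos]
    if op in "&|":
        pos += 1
        children = []
        while text[pos] == "(":
            child, pos = parse(text, pos)
            children.append(child)
        return (op, children), _expect_close(text, pos)
    if op == "!":
        child, pos = parse(text, pos + 1)
        return ("!", [child]), _expect_close(text, pos)
    end = text.index(")", pos)
    attr, sep, pattern = text[pos:end].partition("=")  # first '=' splits attr
    if not sep:
        raise ValueError(f"unsupported assertion {text[pos:end]!r}")
    return ("=", attr, pattern), end + 1


def _expect_close(text, pos):
    if text[pos] != ")":
        raise ValueError(f"expected ')' at {pos}")
    return pos + 1


def substring_match(value, pattern):
    """LDAP-style match: '*' matches any run of characters, case-insensitive."""
    value, parts = value.lower(), pattern.lower().split("*")
    if len(parts) == 1:  # no wildcard: plain equality
        return value == parts[0]
    if not value.startswith(parts[0]):
        return False
    cursor = len(parts[0])
    for piece in parts[1:-1]:  # middle pieces must appear in order
        found = value.find(piece, cursor)
        if found < 0:
            return False
        cursor = found + len(piece)
    return value.endswith(parts[-1]) and len(value) - len(parts[-1]) >= cursor


def matches(node, entry):
    """Evaluate a parsed filter node against one entry."""
    op = node[0]
    if op == "&":
        return all(matches(child, entry) for child in node[1])
    if op == "|":
        return any(matches(child, entry) for child in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node  # attribute names compare case-insensitively
    values = [v for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    return any(substring_match(v, pattern) for v in values)


def dna_in_scope(entry, filter_text=DNA_FILTER):
    """True if the filter would select this entry for DNA number generation."""
    node, _ = parse(filter_text)
    return matches(node, entry)


def classify(entries=ENTRIES):
    """Map each sample entry name to whether the filter selects it."""
    return {name: dna_in_scope(e) for name, e in entries.items()}


if __name__ == "__main__":
    for name, selected in classify().items():
        print("in scope" if selected else "excluded", name)
```

Running it shows the active user and the trusted-domain object in scope and the staged and deleted users excluded, which is the behaviour the thread wants. The last entry shows the cost of the unanchored pattern: `*cn=provisioning*` also excludes an ordinary group named cn=provisioning-admins under cn=accounts, so a pattern anchored to the container and suffix (for example `*,cn=provisioning,dc=example,dc=test`) is the tighter choice when the filter is deployed.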