[Freeipa-devel] User life cycle: question regarding the design

Martin Kosek mkosek at redhat.com
Tue May 20 20:30:05 UTC 2014 

I am sharing the question below with the list as I think the information is 
useful and relevant for everyone interested in this feature. See answers in the 
text.

On 05/20/2014 06:26 PM, thierry bordaz wrote:
> Hello Martin, Petr,
>
>     I implemented 'user-add --to-stage' in a very simple way. Basically rather
>     than filling the 'accounts' container it fills the 'staged users' container.
>     It helped me to start digging into the code.
>
>     Now I am looking at details of this entry. Especially the attributes
>     present when the entry is in staging container. So far, the entry is
>     looking like:
>
>         ldapsearch -LLL -h localhost -p 389 -D "cn=directory manager" -w
>         Secret123 -b "dc=idm,dc=lab,dc=bos,dc=redhat,dc=com" uid=tb1
>         dn: uid=tb1,cn=staged
>         users,cn=accounts,cn=provisioning,dc=idm,dc=lab,dc=bos,d
>           c=redhat,dc=com
>         displayName: tb1 tb1
>         cn: tb1 tb1
>         objectClass: top
>         objectClass: person
>         objectClass: organizationalperson
>         objectClass: inetorgperson
>         objectClass: inetuser
>         objectClass: posixaccount
>         objectClass: krbprincipalaux
>         objectClass: krbticketpolicyaux
>         objectClass: ipaobject
>         objectClass: ipasshuser
>         objectClass: ipaSshGroupOfPubKeys
>         loginShell: /bin/sh
>         initials: tt
>         gecos: tb1 tb1
>         sn: tb1
>         homeDirectory: /home/tb1
>         uid: tb1
>         mail: tb1 at idm.lab.bos.redhat.com
>         krbPrincipalName: tb1 at IDM.LAB.BOS.REDHAT.COM
>         givenName: tb1
>         ipaUniqueID: 5556123c-e036-11e3-9915-001a4a104ecd
>         uidNumber: 646400005
>         gidNumber: 646400005
>         memberOf:
>         cn=ipausers,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=
>           com
>
>
>     As you can see it contains extra objectclasses and some attributes are set
>     (like uidNumber or gidNumber).
>     According to the design that the entry should rather look like:
>
>
>     dn: uid=tb1,cn=staged users,cn=accounts,cn=provisioning,dc=idm,dc=lab,dc=bos,d
>       c=redhat,dc=com
>     displayName: tb1 tb1
>     cn: tb1 tb1
>     objectClass: top
>     objectClass: organizationalperson
>     objectClass:krbprincipalaux
>     objectClass: posixaccount
>     loginShell: autogenerated
>     sn: tb1
>     homeDirectory: /home/tb1
>     uid: tb1
>     krbPrincipalName: tb1 at IDM.LAB.BOS.REDHAT.COM
>     uidNumber: -1
>     gidNumber: -1
>
>     Is that correct ?

user-add sets the uidNumber and gidNumber to -1, meaning that these numbers 
should be autogenerated by a plugin. If the plugin scope is updated according 
to design to disregard staging users container, the number should stay -1 until 
the entry is really moved to active users container.

The same applies for ipaUniqueId, just the generation triggering text is 
"autogenerate".


>     Then when the entry get activated ('ipa user-activate tb1 --from-stage), we
>     should have the attribute being generated
>     uidNumber/gidNumber/ipaUniqueId... My understanding is that those
>     attributes should be generate by DS plugins when the entry is moved to
>     'accounts' container. So playing with plugin scope would help to have
>     staged users without all these attributes and 'accounts' users with them.

Right.

>
>     What is not clear to me is the chapter related to the 'placeholders'. My
>     understanding is that it should be a kind of template defining how to fill
>     attribute values. I am looking for some code/doc dealing with placeholders
>     but I do not know where to start from. Do you know any pointers on this.

I tried to write down the reasons for using placeholders in this section:
http://www.freeipa.org/page/V4/User_Life-Cycle_Management#Placeholders

Placeholder allows provisioning systems to specify only some attributes of for 
example posixAccount objectclass while not having to fill all the MUST attributes.

I think the example with filled "homeDirectory: /home/tuser" tells it all - 
homeDirectory is filled, other attributes are left for FreeIPA to generate 
based on it's settings.

As for UID and GID, you do not need to do anything - "-1" already means 
autogenerate the values. Attributes not controlled by a plugin needs to be 
controlled by the command that moves user from staging users to active users - 
following list shows how should be the values generated:

http://www.freeipa.org/page/V4/User_Life-Cycle_Management#Placeholder_Definition

HTH,
Martin

More information about the Freeipa-devel mailing list