[Freeipa-devel] User life cycle: question regarding the design

Martin Kosek mkosek at redhat.com
Mon May 26 08:18:11 UTC 2014


On 05/26/2014 09:33 AM, Jan Cholasta wrote:
> On 26.5.2014 07:49, Martin Kosek wrote:
...
>>  > 5) modifying
>>  > (in active)   ipa user-mod tuser ...
>>
>> Ok.
>>
>>  > (in stage)    ipa user-mod tuser --staged ...
>>
>> Simo did not like this command, but I would personally add it. As long as we
>> have "ipa user-add --staged", we should also have an option to delete
>> and modify a user in the staged area.
> 
> +1
> 
>>
>>  > (in del)      ipa user-mod tuser --deleted ...
>>
>> Not needed.
>>
>> Is this acceptable for everyone? If yes, the next step would be for
>> Thierry to update the design page with new proposals.
>>
>> Martin
> 
> Are users in different containers using the same uid allowed?

Say you had a John Doe (uid jdoe) working in a company a couple of years ago. jdoe
left and is now in the deleted accounts tree. Jane Doe joins the company now and
the question is - do we want to allow Jane to take the same uid as John had? I am
thinking we should not allow that. Maybe we should allow an override with --force
or have a global option.

Another related topic is - do we want to enforce that a staged user always has a UID
RDN? Isn't that limiting? When writing

http://www.freeipa.org/page/V4/User_Life-Cycle_Management#Create_a_User_-_by_provisioning_system

I proposed that we should also be able to unstage a minimal record like this:

dn: cn=Test User,cn=staged users,cn=accounts,cn=provisioning,dc=example,dc=com
objectClass: top
objectClass: organizationalperson
cn: Test User
sn: User
nsAccountLock: True

> If not, do we need the --staged/--deleted flags on anything but
> user-add/user-find?

I see your point, but I think we should make admins be very explicit when
manipulating users in any area other than the active users area. As Simo noted,
these are not real users, just incomplete user records.

Martin
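As an added illustration of the uid-reuse policy raised in this mail (example code, not FreeIPA's own), the check below refuses to give a new or unstaged user a uid that is already present in the active, staged or deleted trees, with a --force-style override that only applies to a hit in the deleted tree. The container DNs are placeholders modelled on the one quoted in the mail, and the LDIF entries are constructed.

```python
# Added example, not FreeIPA code: uid uniqueness across user containers.
# Container DNs are placeholders modelled on the DN in the mail.
STAGED = "cn=staged users,cn=accounts,cn=provisioning,dc=example,dc=com"
DELETED = "cn=deleted users,cn=accounts,cn=provisioning,dc=example,dc=com"

# Constructed directory content: John Doe left (deleted tree); Jane Doe is
# being provisioned as a minimal staged record without a uid yet.
SAMPLE_LDIF = """\
dn: uid=jdoe,cn=deleted users,cn=accounts,cn=provisioning,dc=example,dc=com
objectClass: top
objectClass: organizationalperson
uid: jdoe
cn: John Doe
sn: Doe

dn: cn=Jane Doe,cn=staged users,cn=accounts,cn=provisioning,dc=example,dc=com
objectClass: top
objectClass: organizationalperson
cn: Jane Doe
sn: Doe
nsAccountLock: True
"""


def parse_ldif(text):
    """Minimal LDIF parser: entries separated by blank lines, one
    'attr: value' per line; every attribute is kept as a list of values."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries


def container_of(dn):
    """Strip the RDN, leaving the container the entry lives in."""
    return dn.split(",", 1)[1]


def check_uid_free(entries, uid, force=False):
    """Return (ok, reason). The uid must be unused in every tree; force only
    overrides a hit in the deleted tree, never in active or staged."""
    for entry in entries:
        if uid in entry.get("uid", []):
            tree = container_of(entry["dn"][0])
            if tree == DELETED and force:
                continue
            return False, f"uid {uid!r} already used in {tree}"
    return True, "ok"
```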