[Freeipa-devel] User life cycle: question regarding the design

thierry bordaz tbordaz at redhat.com
Mon May 26 08:52:13 UTC 2014


On 05/26/2014 10:18 AM, Martin Kosek wrote:
> On 05/26/2014 09:33 AM, Jan Cholasta wrote:
>> On 26.5.2014 07:49, Martin Kosek wrote:
> ...
>>>   > 5) modifying
>>>   > (in active)   ipa user-mod tuser ...
>>>
>>> Ok.
>>>
>>>   > (in stage)    ipa user-mod tuser --staged ...
>>>
>>> Simo did not like this command, I would personally add it. As long as we
>>> have "ipa user-add --staged", we should also have an option to delete
>>> and modify user in staged area.
>> +1
>>
>>>   > (in del)      ipa user-mod tuser --deleted ...
>>>
>>> Not needed.
>>>
>>> Is this acceptable for everyone? If yes, the next step would be for
>>> Thierry to update the design page with new proposals.
>>>
>>> Martin
>> Are users in different containers using the same uid allowed?
> Say you had a John Doe (uid jdoe) working in a company a couple of years ago. jdoe
> left and is now in the deleted accounts tree. Jane Doe joins the company now and the
> question is - do we want to allow Jane to take the same uid as John had? I am
> thinking we should not allow that. Maybe we should allow an override with --force
> or with a global option.


I agree, 'John Doe' should keep its uid and 'Jane Doe' should pick up a 
different one.

So that means the attribute uniqueness scope should cover the different 
containers (stage, delete, active) and likely all the DIT.
But then for generated attributes (like 'ipaUniqueId') it is a problem 
because in 'stage' most/all entries will have 'ipaUniqueId: generate'.
So for such attributes, the 'stage' container should be excluded from the scope.
If 'ipa user-mod --stage' is allowed to modify ipaUniqueId, uniqueness 
will not be enforced.

>
> Another related topic is - do we want to enforce staged user to always have UID
> RDN? Isn't that limiting? When writing
>
> http://www.freeipa.org/page/V4/User_Life-Cycle_Management#Create_a_User_-_by_provisioning_system
>
> I proposed that we should also be able to unstage a minimal record like this:
>
> dn: cn=Test User,cn=staged users,cn=accounts,cn=provisioning,dc=example,dc=com
> objectClass: top
> objectClass: organizationalperson
> cn: Test User
> sn: User
> nsAccountLock: True
>
>> If not, do we need the --staged/--deleted flags on anything but
>> user-add/user-find?
> I see your point, but I think we should make admins be very explicit when
> manipulating users in any area other than the active users area. As Simo noted,
> these are not real users, just incomplete user records.
>
> Martin
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
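The uniqueness-scope question discussed above (uid unique across stage, active and deleted; ipaUniqueId checked everywhere except stage, where entries still carry the 'generate' placeholder) can be modelled in a few lines. The following is an added illustration written for this thread, not FreeIPA code and not the 389-ds attribute uniqueness plugin. The staged-users container DN is the one quoted in the thread; the active and deleted container DNs, the sample entries and the `check_entry`/`find_conflicts` helpers are assumptions for the example. It also goes one step beyond the thread by showing a "strict" policy that keeps stage in scope but skips placeholder values, which catches a staged entry that copies a real ipaUniqueId from an active user (the case Thierry notes would otherwise slip through).

```python
"""Constructed model of attribute-uniqueness scoping for FreeIPA-style user
containers. Added illustration only: not FreeIPA code and not the 389-ds
attribute uniqueness plugin. Only the staged-users DN comes from the thread;
the other container DNs and all sample entries are assumptions."""

from collections import defaultdict

BASE = "dc=example,dc=com"
CONTAINERS = {
    "active": "cn=users,cn=accounts," + BASE,                           # assumed
    "stage": "cn=staged users,cn=accounts,cn=provisioning," + BASE,     # from the thread
    "deleted": "cn=deleted users,cn=accounts,cn=provisioning," + BASE,  # assumed
}
PLACEHOLDER = "generate"  # value a staged entry carries until the server generates one

# Scope policy from the thread: uid is unique across every container,
# ipaUniqueId is checked everywhere except stage.
POLICY = {
    "uid": {"active", "stage", "deleted"},
    "ipaUniqueId": {"active", "deleted"},
}


def container_of(dn):
    """Map an entry DN to its container name, or None if it is outside all three."""
    dn_l = dn.lower()
    for name, suffix in CONTAINERS.items():
        if dn_l.endswith("," + suffix.lower()):
            return name
    return None


def find_conflicts(entries, attr, scope, ignore_placeholder=True):
    """Return {value: [dn, ...]} for values of `attr` shared by two or more
    entries inside `scope`. Placeholder values are skipped so that many staged
    entries carrying 'generate' do not collide with each other."""
    seen = defaultdict(list)
    for entry in entries:
        if container_of(entry["dn"]) not in scope:
            continue
        value = entry.get(attr)
        if value is None:
            continue
        if ignore_placeholder and value.lower() == PLACEHOLDER:
            continue
        seen[value.lower()].append(entry["dn"])
    return {v: dns for v, dns in seen.items() if len(dns) > 1}


def check_entry(existing, candidate, policy=POLICY):
    """Simulate the pre-op check for adding or modifying `candidate`: return the
    attributes whose value would collide with an existing entry under `policy`."""
    violations = []
    for attr, scope in policy.items():
        conflicts = find_conflicts(existing + [candidate], attr, scope)
        if any(candidate["dn"] in dns for dns in conflicts.values()):
            violations.append(attr)
    return violations


# Constructed sample directory: John Doe left (deleted tree), a user sits in
# stage with the placeholder ipaUniqueId, and Jane Doe is being provisioned
# into stage with John's old uid.
EXISTING = [
    {"dn": "uid=admin," + CONTAINERS["active"], "uid": "admin",
     "ipaUniqueId": "11111111-1111-1111-1111-111111111111"},
    {"dn": "uid=jdoe," + CONTAINERS["deleted"], "uid": "jdoe",
     "ipaUniqueId": "22222222-2222-2222-2222-222222222222"},
    {"dn": "uid=tuser," + CONTAINERS["stage"], "uid": "tuser",
     "ipaUniqueId": "generate"},
]

JANE_SAME_UID = {"dn": "uid=jdoe," + CONTAINERS["stage"], "uid": "jdoe",
                 "ipaUniqueId": "generate"}
# A staged entry whose ipaUniqueId was copied from the active admin entry.
STAGED_COPIED_ID = {"dn": "uid=bob," + CONTAINERS["stage"], "uid": "bob",
                    "ipaUniqueId": "11111111-1111-1111-1111-111111111111"}

# Alternative policy: keep stage in scope for ipaUniqueId but still skip the
# placeholder, so a copied real value is caught while 'generate' never collides.
STRICT_POLICY = dict(POLICY, ipaUniqueId={"active", "stage", "deleted"})

if __name__ == "__main__":
    print("jane:", check_entry(EXISTING, JANE_SAME_UID))                 # ['uid']
    print("bob:", check_entry(EXISTING, STAGED_COPIED_ID))               # [] (stage excluded)
    print("bob strict:", check_entry(EXISTING, STAGED_COPIED_ID, STRICT_POLICY))  # ['ipaUniqueId']
```

Excluding the whole stage container for ipaUniqueId, as proposed in the thread, is what lets the copied value in `STAGED_COPIED_ID` pass; skipping only the literal placeholder value instead keeps the generated-attribute case workable without opening that gap.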