[Freeipa-devel] User life cycle: question regarding the design
Alexander Bokovoy
abokovoy at redhat.com
Mon May 26 08:58:34 UTC 2014
On Mon, 26 May 2014, Martin Kosek wrote:
>On 05/26/2014 09:33 AM, Jan Cholasta wrote:
>> On 26.5.2014 07:49, Martin Kosek wrote:
>...
>>> > 5) modifying
>>> > (in active) ipa user-mod tuser ...
>>>
>>> Ok.
>>>
>>> > (in stage) ipa user-mod tuser --staged ...
>>>
>>> Simo did not like this command, I would personally add it. As long as we
>>> have "ipa user-add --staged", we should also have an option to delete
>>> and modify user in staged area.
>>
>> +1
>>
>>>
>>> > (in del) ipa user-mod tuser --deleted ...
>>>
>>> Not needed.
>>>
>>> Is this acceptable for everyone? If yes, the next step would be for
>>> Thierry to update the design page with new proposals.
>>>
>>> Martin
>>
>> Are users in different containers using the same uid allowed?
>
>Say you had a John Doe (uid jdoe) working in a company a couple of years ago. jdoe
>left and is now in the deleted accounts tree. Jane Doe joins the company now and
>the question is - do we want to allow Jane taking the same uid as John had? I am
>thinking we should not allow that. Maybe we should allow override with --force
>or having a global option.

This is pretty much a company policy thing. Not everyone will even want
to have this workflow implemented and even if they would, a policy to
keep the same uid (as opposed to uidNumber) is a separate one.

Thus, I'd rather have it optional with --force or get uid transformed to
uid=deleted+jdoe,cn=users... and given a way to handle conflicts when
getting deleted uids resurrected.

--
/ Alexander Bokovoy