[Freeipa-devel] Supported Staged entries
Jan Cholasta
jcholast at redhat.com
Tue May 27 09:53:23 UTC 2014
On 27.5.2014 11:14, thierry bordaz wrote:
> Hello,
>
> Me again !!!
>
> Thanks to all your inputs, the discussion about User_life_cycle
> clarified a lot of workflow/command verbs.
>
> Now I have a doubt about what would be an entry in staging
> (objectclass/attribute). Also I wonder if ipa CLI (ipa user-add
> --stage), would be the only supported way to create a stage entry.
>
> An active entry is looking like (with krb* attributes if the
> userpassword is defined):
>
> dn: uid=tb17,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> displayName: tb15 tb15
> cn: tb15 tb15
> objectClass: top
> objectClass: person
> objectClass: organizationalperson
> objectClass: inetorgperson
> objectClass: inetuser
> objectClass: posixaccount
> objectClass: krbprincipalaux
> objectClass: krbticketpolicyaux
> objectClass: ipaobject
> objectClass: ipasshuser
> objectClass: ipaSshGroupOfPubKeys
> objectClass: mepOriginEntry
> loginShell: /bin/sh
> gecos: tb15 tb15
> sn: tb15
> homeDirectory: /home/tb17
> uid: tb17
> mail: tb17 at idm.lab.bos.redhat.com
> krbPrincipalName: tb17 at IDM.LAB.BOS.REDHAT.COM
> givenName: tb15
> initials: tt
> ipaUniqueID: 3f1b5cce-e1b8-11e3-86fe-001a4a104ecd
> uidNumber: 646400009
> gidNumber: 646400009
> mepManagedEntry: cn=tb17,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> memberOf: cn=ipausers,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> nsAccountLock: False
>
>
> A staged entry created by 'ipa user-add --stage' may look like the
> following. This kind of entry is easy to activate with 'ipa user-unstage'
>
> dn: uid=tb20,cn=staged users,cn=accounts,cn=provisioning,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> displayName: tb20 tb20
> cn: tb20 tb20
> objectClass: top
> objectClass: person
> objectClass: organizationalperson
> objectClass: inetorgperson
> objectClass: inetuser
> objectClass: posixaccount
> objectClass: krbprincipalaux
> objectClass: krbticketpolicyaux
> objectClass: ipaobject
> objectClass: ipasshuser
> objectClass: ipaSshGroupOfPubKeys
> loginShell: /bin/sh
> uidNumber: -1
> ipaUniqueID: autogenerate
> gidNumber: -1
> gecos: tb20 tb20
> sn: tb20
> homeDirectory: /home/tb20
> uid: tb20
> mail: tb20 at idm.lab.bos.redhat.com
> krbPrincipalName: tb20 at IDM.LAB.BOS.REDHAT.COM
> givenName: tb20
> initials: tt
> nsAccountLock: True
>
> Now are we going to support the following entries for 'ipa user-unstage'?
>
> dn: cn=tb20,cn=staged users,cn=accounts,cn=provisioning,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> objectClass: top
> objectClass: person
> sn: tb20
> cn: tb20
> nsAccountLock: True
>
> or
>
> dn: uid=tb20,cn=staged users,cn=accounts,cn=provisioning,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> objectClass: top
> objectClass: person
> objectClass: posixAccount
> sn: tb20
> cn: tb20 tb20
> uid: tb20
> uidNumber: -1
> gidNumber: -1
> homeDirectory: /home/tb20
> nsAccountLock: True
>
>
> thanks
> thierry

IIUC unstaging a user will do something like this:

    staged_user = ldap.get_entry(staged_dn, ['*'])
    api.Command.user_add(**staged_user)

So IMO virtually any kind of entry should be supported in the staging tree.

--
Jan Cholasta
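
Added example, not part of the original message and not FreeIPA code: a sketch of what an unstage step would have to carry over, generate, or reject for the two minimal staged entries asked about in the thread. The names PLACEHOLDERS, REBUILT, REQUIRED, parse_ldif_entry and plan_unstage are hypothetical, and the rules they encode are assumptions made for illustration.

```python
# Added illustration, not FreeIPA code: the rules below are assumptions.
PLACEHOLDERS = {"uidnumber": "-1", "gidnumber": "-1", "ipauniqueid": "autogenerate"}
REBUILT = {"dn", "objectclass", "nsaccountlock"}  # assumed to be set anew on activation
REQUIRED = ("uid", "sn", "cn")                    # assumed minimum for an active user

# The two minimal staged entries asked about in the thread (DNs unfolded).
BASE = "cn=staged users,cn=accounts,cn=provisioning,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com"
PERSON_ONLY = f"""dn: cn=tb20,{BASE}
objectClass: top
objectClass: person
sn: tb20
cn: tb20
nsAccountLock: True"""
POSIX = f"""dn: uid=tb20,{BASE}
objectClass: top
objectClass: person
objectClass: posixAccount
sn: tb20
cn: tb20 tb20
uid: tb20
uidNumber: -1
gidNumber: -1
homeDirectory: /home/tb20
nsAccountLock: True"""

def parse_ldif_entry(text):
    """Parse one LDIF record into {attr_lowercase: [values]}, unfolding wrapped lines."""
    logical = []
    for line in text.strip().splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]          # LDIF continuation line
        else:
            logical.append(line)
    entry = {}
    for line in logical:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def plan_unstage(entry):
    """Return (carry_over, to_generate, problems) for one staged entry."""
    kept = {a: v for a, v in entry.items() if a not in REBUILT}
    generate = sorted(a for a, v in kept.items() if PLACEHOLDERS.get(a) == v[0])
    carry = {a: v for a, v in kept.items() if a not in generate}
    rdn_attr = entry["dn"][0].split("=", 1)[0].lower()
    problems = [f"RDN attribute is {rdn_attr}, not uid"] if rdn_attr != "uid" else []
    problems += [f"missing {a}" for a in REQUIRED if a not in carry]
    return carry, sorted(generate), problems
```

Under these assumed rules the person-only entry is flagged because it has no uid and is named by cn, while the posixAccount entry only needs uidNumber and gidNumber allocated.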