[Freeipa-devel] User life cycle: plugins scope for staged users
Martin Kosek
mkosek@redhat.com
Thu May 29 06:17:25 UTC 2014
On 05/29/2014 04:09 AM, Dmitri Pal wrote:
> On 05/22/2014 10:33 AM, thierry bordaz wrote:
>> Hello,
>>
>> In order to provision staged users (account inactivated) with
>> their initial values:
>>
>> /usr/bin/ipa user-add tb20 --to-stage --first=tb20 --last=tb20
>> -----------------
>> Added user "tb20"
>> -----------------
>> User login: tb20
>> First name: tb20
>> Last name: tb20
>> Full name: tb20 tb20
>> Display name: tb20 tb20
>> Initials: tt
>> Home directory: /home/tb20
>> GECOS: tb20 tb20
>> Login shell: /bin/sh
>> Kerberos principal: tb20@IDM.LAB.BOS.REDHAT.COM
>> Email address: tb20@idm.lab.bos.redhat.com
>> UID: -1
>> GID: -1
>> Account disabled: true
>> Password: False
>> Kerberos keys available: False
>>
>> ldapsearch -LLL -h localhost -p 389 -D "cn=directory manager" -w Secret123 -b "dc=idm,dc=lab,dc=bos,dc=redhat,dc=com" uid=tb20
>> dn: uid=tb20,cn=staged users,cn=accounts,cn=provisioning,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>> displayName: tb20 tb20
>> cn: tb20 tb20
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalperson
>> objectClass: inetorgperson
>> objectClass: inetuser
>> objectClass: posixaccount
>> objectClass: krbprincipalaux
>> objectClass: krbticketpolicyaux
>> objectClass: ipaobject
>> objectClass: ipasshuser
>> objectClass: ipaSshGroupOfPubKeys
>> loginShell: /bin/sh
>> uidNumber: -1
>> ipaUniqueID: autogenerate
>> gidNumber: -1
>> gecos: tb20 tb20
>> sn: tb20
>> homeDirectory: /home/tb20
>> uid: tb20
>> mail: tb20@idm.lab.bos.redhat.com
>> krbPrincipalName: tb20@IDM.LAB.BOS.REDHAT.COM
>> givenName: tb20
>> initials: tt
>>
>> I needed to restrict the scope of the following plugins:
>>
>> dn: cn=ipaUniqueID uniqueness,cn=plugins,cn=config
>> nsslapd-pluginarg1: cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>>
>> dn: cn=IPA Unique IDs,cn=IPA UUID,cn=plugins,cn=config
>> ipauuidscope: cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>>
>> dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
>> dnaScope: cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>>
>> dn: cn=MemberOf Plugin,cn=plugins,cn=config
>> memberofentryscope: cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>>
>> In fact I need them to not modify the added entry when it is added
>> under "cn=staged users,cn=accounts,cn=provisioning,$SUFFIX".
>> Now is it possible to limit those plugins' scope to the
>> 'cn=accounts' part of the tree? I guess not.
>> If it is not possible, a solution is to make the scope attributes
>> multi-valued, or to introduce a new config attribute
>> '*notInScope', also multi-valued.
>> A problem is 'cn=ipaUniqueID uniqueness', which relies on the
>> 'attribute uniqueness' plugin with an argv[ ]; it is not really
>> convenient to pass two multi-valued attributes that way.
>>
>> If anyone has other solutions, it would help me a lot :-)
>>
>> thanks
>> thierry
>>
>>
>
> The easiest solution IMO is to not treat the staging area as an account area, i.e.
> instead of cn=staging, cn=accounts, dc=... I suggest saving users in cn=users,
> cn=staging, dc=...
Actually, this is almost exactly the DN I wrote in the RFE:
http://www.freeipa.org/page/V4/User_Life-Cycle_Management#User_status
Proposed containers are:
cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
> This way if in future we will have some staging for other objects (for whatever
> reason) we will create containers under common "staging" area.
> I would also argue that "deleted" should not be under accounts.
Agreed. This will also make the plugin configuration (tree exclusion) easier.
Martin
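The two layouts and the "scope minus notInScope" idea above can be compared with a small subtree check. This is an added example, not code from the thread, FreeIPA or 389-ds: `is_under`, `in_scope`, `evaluate`, the three configurations and the sample entries (including a made-up HBAC rule DN standing in for "an entry outside cn=accounts that still needs an ipaUniqueID") are constructed for illustration, and the check does not use any real 389-ds configuration attribute.

```python
"""Subtree-scope check modelling the "scope minus notInScope" idea from the
thread. Added example; not FreeIPA or 389-ds code. is_under / in_scope /
evaluate and the sample DNs below are constructed for illustration."""


def _split(s, sep):
    """Split s on sep, honouring backslash escapes (e.g. 'a\\,b' is one value)."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])       # keep the escape pair intact
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts


def normalize_dn(dn):
    """Return a comparable form of dn: a tuple of RDNs, each a sorted tuple of
    (type, value) pairs, types and values lower-cased with whitespace trimmed.
    Lower-casing values approximates caseIgnoreMatch, which is what cn, dc and
    uid use in the IPA schema; it is not a general-purpose DN normalizer
    (no hex escapes, no quoted values)."""
    rdns = []
    for rdn in _split(dn, ","):
        avas = []
        for ava in _split(rdn, "+"):
            typ, _, val = ava.partition("=")
            avas.append((typ.strip().lower(), val.strip().lower()))
        rdns.append(tuple(sorted(avas)))
    return tuple(rdns)


def is_under(entry_dn, subtree_dn):
    """True if entry_dn is subtree_dn itself or lies anywhere beneath it."""
    e, s = normalize_dn(entry_dn), normalize_dn(subtree_dn)
    return len(e) >= len(s) and e[len(e) - len(s):] == s


def in_scope(entry_dn, scopes, excludes=()):
    """Multi-valued scope with exclusions: the entry must be under at least
    one scope subtree and under none of the excluded subtrees."""
    if not any(is_under(entry_dn, s) for s in scopes):
        return False
    return not any(is_under(entry_dn, x) for x in excludes)


SUFFIX = "dc=idm,dc=lab,dc=bos,dc=redhat,dc=com"

# Constructed sample entries (the first two use the layouts from the thread).
ENTRIES = {
    # staged user under cn=accounts,cn=provisioning (layout in the RFE)
    "staged": "uid=tb20,cn=staged users,cn=accounts,cn=provisioning," + SUFFIX,
    # the same user once activated
    "active": "uid=tb20,cn=users,cn=accounts," + SUFFIX,
    # staged user under a top-level cn=staging container (Dmitri's suggestion)
    "staged_alt": "uid=tb20,cn=users,cn=staging," + SUFFIX,
    # an entry outside cn=accounts that still needs an ipaUniqueID
    # (assumption: an HBAC rule, named by a made-up ipaUniqueID value)
    "hbac": "ipaUniqueID=00000000-1111-2222-3333-444444444444,cn=hbac," + SUFFIX,
}

# Plugin-scope configurations to compare: name -> (scopes, excludes)
CONFIGS = {
    # what the thread reports: scope narrowed to cn=accounts only
    "accounts_only": (["cn=accounts," + SUFFIX], []),
    # whole suffix in scope, provisioning subtree carved out
    "suffix_minus_provisioning": ([SUFFIX], ["cn=provisioning," + SUFFIX]),
    # whole suffix in scope, top-level staging subtree carved out
    "suffix_minus_staging": ([SUFFIX], ["cn=staging," + SUFFIX]),
}


def evaluate():
    """Return {config: {entry: in_scope?}} for every config/entry pair."""
    return {
        name: {ename: in_scope(dn, scopes, excludes)
               for ename, dn in ENTRIES.items()}
        for name, (scopes, excludes) in CONFIGS.items()
    }


if __name__ == "__main__":
    for name, results in evaluate().items():
        print(name)
        for ename, hit in results.items():
            print(f"  {ename:<11} {'in scope' if hit else 'excluded'}")
```

Running it shows the trade-off the thread is about: narrowing the scope to cn=accounts keeps the plugins off the staged entry but also drops the entry under cn=hbac, while a full-suffix scope with one excluded subtree keeps everything else covered. It also shows that the excluded subtree has to match the chosen layout: excluding cn=provisioning does nothing for a user stored under cn=staging, and vice versa.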