[Freeipa-devel] User life cycle: plugins scope for staged users
Dmitri Pal
dpal at redhat.com
Thu May 29 18:08:42 UTC 2014
On 05/29/2014 02:17 AM, Martin Kosek wrote:
> On 05/29/2014 04:09 AM, Dmitri Pal wrote:
>> On 05/22/2014 10:33 AM, thierry bordaz wrote:
>>> Hello,
>>>
>>> In order to provision staged users (account inactivated) with
>>> there initial values:
>>>
>>> /usr/bin/ipa user-add tb20 --to-stage --first=tb20 --last=tb20
>>> -----------------
>>> Added user "tb20"
>>> -----------------
>>> User login: tb20
>>> First name: tb20
>>> Last name: tb20
>>> Full name: tb20 tb20
>>> Display name: tb20 tb20
>>> Initials: tt
>>> Home directory: /home/tb20
>>> GECOS: tb20 tb20
>>> Login shell: /bin/sh
>>> Kerberos principal: tb20 at IDM.LAB.BOS.REDHAT.COM
>>> Email address: tb20 at idm.lab.bos.redhat.com
>>> UID: -1
>>> GID: -1
>>> Account disabled: true
>>> Password: False
>>> Kerberos keys available: False
>>>
>>> ldapsearch -LLL -h localhost -p 389 -D "cn=directory manager"
>>> -w Secret123 -b "dc=idm,dc=lab,dc=bos,dc=redhat,dc=com" uid=tb20
>>> dn: uid=tb20,cn=staged
>>> users,cn=accounts,cn=provisioning,dc=idm,dc=lab,dc=bos,
>>> dc=redhat,dc=com
>>> displayName: tb20 tb20
>>> cn: tb20 tb20
>>> objectClass: top
>>> objectClass: person
>>> objectClass: organizationalperson
>>> objectClass: inetorgperson
>>> objectClass: inetuser
>>> objectClass: posixaccount
>>> objectClass: krbprincipalaux
>>> objectClass: krbticketpolicyaux
>>> objectClass: ipaobject
>>> objectClass: ipasshuser
>>> objectClass: ipaSshGroupOfPubKeys
>>> loginShell: /bin/sh
>>> uidNumber: -1
>>> ipaUniqueID: autogenerate
>>> gidNumber: -1
>>> gecos: tb20 tb20
>>> sn: tb20
>>> homeDirectory: /home/tb20
>>> uid: tb20
>>> mail: tb20 at idm.lab.bos.redhat.com
>>> krbPrincipalName: tb20 at IDM.LAB.BOS.REDHAT.COM
>>> givenName: tb20
>>> initials: tt
>>>
>>> I needed to resctrict the scope of the following plugins:
>>>
>>> dn: cn=ipaUniqueID uniqueness,cn=plugins,cn=config
>>> nsslapd-pluginarg1:
>>> cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>>>
>>> dn: cn=IPA Unique IDs,cn=IPA UUID,cn=plugins,cn=confi
>>> ipauuidscope: cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>>>
>>> dn: cn=Posix IDs,cn=Distributed Numeric Assignment
>>> Plugin,cn=plugins,cn=config
>>> dnaScope: cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>>>
>>> dn: cn=MemberOf Plugin,cn=plugins,cn=config
>>> memberofentryscope:
>>> cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>>>
>>> In fact I need them to not modify the added entry when it is added
>>> under "cn=staged users,cn=accounts,cn=provisioning,$SUFFIX".
>>> Now is it possible to limit those plugins scope to the
>>> 'cn=accounts' part of the tree ? I guess not.
>>> If it is not possible, a solution is to make the scope
>>> multi-valued attributes or to introduce a new config attribute
>>> '*notInScope' also multi-valued.
>>> A problem is the 'cn=ipaUniqueID uniqueness' that rely on the
>>> 'attribute uniqueness' plugin with a argv[ ], not really
>>> convenient to pass 2 multivalued attributes.
>>>
>>> If anyone is having others solutions it would help me a lot :-)
>>>
>>> thanks
>>> thierry
>>>
>>>
>> The easiest solution IMO is to not treat staging area as an account area, i.e
>> instead of cn=staging, cn=accounts, dc=... I suggest saving users in cn=users,
>> cn=staging, dc=...
> Actually, this almost exactly the DN I wrote in the RFE:
>
> http://www.freeipa.org/page/V4/User_Life-Cycle_Management#User_status
>
> Proposed containers are:
>
> cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
> cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
>
>> This way if in future we will have some staging for other objects (for whatever
>> reason) we will create containers under common "staging" area.
>> I would also argue that "deleted" should not be under accounts.
> Agreed. This will also make the plugin configuration (tree exclusion) easier.
>
> Martin
>
I do not think so. My proposal is not to have staging under cn=accounts
because most of the plugins enforce uniqueness and other consistency
like DNA in the cn=account sub tree. Moving it out would move the
staging out of the scope of the plugins and plugin configuration would
not need to change.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
More information about the Freeipa-devel
mailing list