[Freeipa-devel] User life cycle: plugins scope for staged users

Simo Sorce simo at redhat.com
Thu May 29 18:24:34 UTC 2014 

On Thu, 2014-05-29 at 14:08 -0400, Dmitri Pal wrote:
> On 05/29/2014 02:17 AM, Martin Kosek wrote:
> > On 05/29/2014 04:09 AM, Dmitri Pal wrote:
> >> On 05/22/2014 10:33 AM, thierry bordaz wrote:
> >>> Hello,
> >>>
> >>>      In order to provision staged users (account inactivated) with
> >>>      there initial values:
> >>>
> >>>          /usr/bin/ipa user-add tb20 --to-stage --first=tb20 --last=tb20
> >>>          -----------------
> >>>          Added user "tb20"
> >>>          -----------------
> >>>            User login: tb20
> >>>            First name: tb20
> >>>            Last name: tb20
> >>>            Full name: tb20 tb20
> >>>            Display name: tb20 tb20
> >>>            Initials: tt
> >>>            Home directory: /home/tb20
> >>>            GECOS: tb20 tb20
> >>>            Login shell: /bin/sh
> >>>            Kerberos principal: tb20 at IDM.LAB.BOS.REDHAT.COM
> >>>            Email address: tb20 at idm.lab.bos.redhat.com
> >>>            UID: -1
> >>>            GID: -1
> >>>            Account disabled: true
> >>>            Password: False
> >>>            Kerberos keys available: False
> >>>
> >>>          ldapsearch -LLL -h localhost -p 389 -D "cn=directory manager"
> >>>          -w Secret123 -b "dc=idm,dc=lab,dc=bos,dc=redhat,dc=com" uid=tb20
> >>>          dn: uid=tb20,cn=staged
> >>>          users,cn=accounts,cn=provisioning,dc=idm,dc=lab,dc=bos,
> >>>           dc=redhat,dc=com
> >>>          displayName: tb20 tb20
> >>>          cn: tb20 tb20
> >>>          objectClass: top
> >>>          objectClass: person
> >>>          objectClass: organizationalperson
> >>>          objectClass: inetorgperson
> >>>          objectClass: inetuser
> >>>          objectClass: posixaccount
> >>>          objectClass: krbprincipalaux
> >>>          objectClass: krbticketpolicyaux
> >>>          objectClass: ipaobject
> >>>          objectClass: ipasshuser
> >>>          objectClass: ipaSshGroupOfPubKeys
> >>>          loginShell: /bin/sh
> >>>          uidNumber: -1
> >>>          ipaUniqueID: autogenerate
> >>>          gidNumber: -1
> >>>          gecos: tb20 tb20
> >>>          sn: tb20
> >>>          homeDirectory: /home/tb20
> >>>          uid: tb20
> >>>          mail: tb20 at idm.lab.bos.redhat.com
> >>>          krbPrincipalName: tb20 at IDM.LAB.BOS.REDHAT.COM
> >>>          givenName: tb20
> >>>          initials: tt
> >>>
> >>>      I needed to resctrict the scope of the following plugins:
> >>>
> >>>          dn: cn=ipaUniqueID uniqueness,cn=plugins,cn=config
> >>>          nsslapd-pluginarg1:
> >>>          cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> >>>
> >>>          dn: cn=IPA Unique IDs,cn=IPA UUID,cn=plugins,cn=confi
> >>>          ipauuidscope: cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> >>>
> >>>          dn: cn=Posix IDs,cn=Distributed Numeric Assignment
> >>>          Plugin,cn=plugins,cn=config
> >>>          dnaScope: cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> >>>
> >>>          dn: cn=MemberOf Plugin,cn=plugins,cn=config
> >>>          memberofentryscope:
> >>>          cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> >>>
> >>>      In fact I need them to not modify the added entry when it is added
> >>>      under "cn=staged users,cn=accounts,cn=provisioning,$SUFFIX".
> >>>      Now is it possible to limit those plugins scope to the
> >>>      'cn=accounts' part of the tree ? I guess not.
> >>>      If it is not possible, a solution is to make the scope
> >>>      multi-valued attributes or to introduce a new config attribute
> >>>      '*notInScope' also multi-valued.
> >>>      A problem is the 'cn=ipaUniqueID uniqueness' that rely on the
> >>>      'attribute uniqueness' plugin with a argv[ ], not really
> >>>      convenient to pass 2 multivalued attributes.
> >>>
> >>>      If anyone is having others solutions it would help me a lot :-)
> >>>
> >>>      thanks
> >>>      thierry
> >>>
> >>>
> >> The easiest solution IMO is to not treat staging area as an account area, i.e
> >> instead of cn=staging, cn=accounts, dc=... I suggest saving users in cn=users,
> >> cn=staging, dc=...
> > Actually, this almost exactly the DN I wrote in the RFE:
> >
> > http://www.freeipa.org/page/V4/User_Life-Cycle_Management#User_status
> >
> > Proposed containers are:
> >
> > cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
> > cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
> >
> >> This way if in future we will have some staging for other objects (for whatever
> >> reason) we will create containers under common "staging" area.
> >> I would also argue that "deleted" should not be under accounts.
> > Agreed. This will also make the plugin configuration (tree exclusion) easier.
> >
> > Martin
> >
> I do not think so. My proposal is not to have staging under cn=accounts 
> because most of the plugins enforce uniqueness and other consistency 
> like DNA in the cn=account sub tree. Moving it out would move the 
> staging out of the scope of the plugins and plugin configuration would 
> not need to change.

Dmitri, I think you need to pay attention to the whole suffix :-)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

More information about the Freeipa-devel mailing list