[Freeipa-devel] User life cycle: plugins scope for staged users

Dmitri Pal dpal at redhat.com
Fri May 30 04:03:25 UTC 2014 

On 05/29/2014 02:24 PM, Simo Sorce wrote:
> On Thu, 2014-05-29 at 14:08 -0400, Dmitri Pal wrote:
>> On 05/29/2014 02:17 AM, Martin Kosek wrote:
>>> On 05/29/2014 04:09 AM, Dmitri Pal wrote:
>>>> On 05/22/2014 10:33 AM, thierry bordaz wrote:
>>>>> Hello,
>>>>>
>>>>>       In order to provision staged users (account inactivated) with
>>>>>       there initial values:
>>>>>
>>>>>           /usr/bin/ipa user-add tb20 --to-stage --first=tb20 --last=tb20
>>>>>           -----------------
>>>>>           Added user "tb20"
>>>>>           -----------------
>>>>>             User login: tb20
>>>>>             First name: tb20
>>>>>             Last name: tb20
>>>>>             Full name: tb20 tb20
>>>>>             Display name: tb20 tb20
>>>>>             Initials: tt
>>>>>             Home directory: /home/tb20
>>>>>             GECOS: tb20 tb20
>>>>>             Login shell: /bin/sh
>>>>>             Kerberos principal: tb20 at IDM.LAB.BOS.REDHAT.COM
>>>>>             Email address: tb20 at idm.lab.bos.redhat.com
>>>>>             UID: -1
>>>>>             GID: -1
>>>>>             Account disabled: true
>>>>>             Password: False
>>>>>             Kerberos keys available: False
>>>>>
>>>>>           ldapsearch -LLL -h localhost -p 389 -D "cn=directory manager"
>>>>>           -w Secret123 -b "dc=idm,dc=lab,dc=bos,dc=redhat,dc=com" uid=tb20
>>>>>           dn: uid=tb20,cn=staged
>>>>>           users,cn=accounts,cn=provisioning,dc=idm,dc=lab,dc=bos,
>>>>>            dc=redhat,dc=com
>>>>>           displayName: tb20 tb20
>>>>>           cn: tb20 tb20
>>>>>           objectClass: top
>>>>>           objectClass: person
>>>>>           objectClass: organizationalperson
>>>>>           objectClass: inetorgperson
>>>>>           objectClass: inetuser
>>>>>           objectClass: posixaccount
>>>>>           objectClass: krbprincipalaux
>>>>>           objectClass: krbticketpolicyaux
>>>>>           objectClass: ipaobject
>>>>>           objectClass: ipasshuser
>>>>>           objectClass: ipaSshGroupOfPubKeys
>>>>>           loginShell: /bin/sh
>>>>>           uidNumber: -1
>>>>>           ipaUniqueID: autogenerate
>>>>>           gidNumber: -1
>>>>>           gecos: tb20 tb20
>>>>>           sn: tb20
>>>>>           homeDirectory: /home/tb20
>>>>>           uid: tb20
>>>>>           mail: tb20 at idm.lab.bos.redhat.com
>>>>>           krbPrincipalName: tb20 at IDM.LAB.BOS.REDHAT.COM
>>>>>           givenName: tb20
>>>>>           initials: tt
>>>>>
>>>>>       I needed to resctrict the scope of the following plugins:
>>>>>
>>>>>           dn: cn=ipaUniqueID uniqueness,cn=plugins,cn=config
>>>>>           nsslapd-pluginarg1:
>>>>>           cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>>>>>
>>>>>           dn: cn=IPA Unique IDs,cn=IPA UUID,cn=plugins,cn=confi
>>>>>           ipauuidscope: cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>>>>>
>>>>>           dn: cn=Posix IDs,cn=Distributed Numeric Assignment
>>>>>           Plugin,cn=plugins,cn=config
>>>>>           dnaScope: cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>>>>>
>>>>>           dn: cn=MemberOf Plugin,cn=plugins,cn=config
>>>>>           memberofentryscope:
>>>>>           cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>>>>>
>>>>>       In fact I need them to not modify the added entry when it is added
>>>>>       under "cn=staged users,cn=accounts,cn=provisioning,$SUFFIX".
>>>>>       Now is it possible to limit those plugins scope to the
>>>>>       'cn=accounts' part of the tree ? I guess not.
>>>>>       If it is not possible, a solution is to make the scope
>>>>>       multi-valued attributes or to introduce a new config attribute
>>>>>       '*notInScope' also multi-valued.
>>>>>       A problem is the 'cn=ipaUniqueID uniqueness' that rely on the
>>>>>       'attribute uniqueness' plugin with a argv[ ], not really
>>>>>       convenient to pass 2 multivalued attributes.
>>>>>
>>>>>       If anyone is having others solutions it would help me a lot :-)
>>>>>
>>>>>       thanks
>>>>>       thierry
>>>>>
>>>>>
>>>> The easiest solution IMO is to not treat staging area as an account area, i.e
>>>> instead of cn=staging, cn=accounts, dc=... I suggest saving users in cn=users,
>>>> cn=staging, dc=...
>>> Actually, this almost exactly the DN I wrote in the RFE:
>>>
>>> http://www.freeipa.org/page/V4/User_Life-Cycle_Management#User_status
>>>
>>> Proposed containers are:
>>>
>>> cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
>>> cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
>>>
>>>> This way if in future we will have some staging for other objects (for whatever
>>>> reason) we will create containers under common "staging" area.
>>>> I would also argue that "deleted" should not be under accounts.
>>> Agreed. This will also make the plugin configuration (tree exclusion) easier.
>>>
>>> Martin
>>>
>> I do not think so. My proposal is not to have staging under cn=accounts
>> because most of the plugins enforce uniqueness and other consistency
>> like DNA in the cn=account sub tree. Moving it out would move the
>> staging out of the scope of the plugins and plugin configuration would
>> not need to change.
> Dmitri, I think you need to pay attention to the whole suffix :-)
>
> Simo.
>
@#$%^.
Mia Culpa. Missed the cn=provisioning part.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

More information about the Freeipa-devel mailing list