[Freeipa-devel] [PATCH] 0005 User life cycle: del/mod/find/show stageuser commands

David Kupka dkupka at redhat.com
Tue Apr 28 08:40:14 UTC 2015 

On 04/28/2015 10:28 AM, thierry bordaz wrote:
> On 04/28/2015 10:23 AM, David Kupka wrote:
>> On 04/16/2015 01:00 PM, thierry bordaz wrote:
>>> Hello,
>>>
>>>     Here is the next patch for User life cycle that introduces
>>>     del/mod/find and show stageuser plugin commands.
>>>
>>>   * 0000-User Life Cycle (create containers and scoping  DS plugins):
>>>     *pushed*
>>>   * 0001-User-Life-Cycle-Exclude-subtree-for-ipaUniqueID-gene.patch:
>>>     *pushed*
>>>   * 0002-User-life-cycle-stageuser-add-verb.patch: *pushed*
>>>   * 0007-User-life-cycle-allows-MODRDN-from-ldap2.patch: *pushed*
>>>   * 0003-User-life-cycle-new-stageuser-commands-del-mod-find-*under
>>>     review *(this one)**
>>>   * 0004-User-life-cycle-new-stageuser-commands-activate.patch
>>>   * 0005-User-life-cycle-new-stageuser-commands-activate-prov.patch
>>>   * 0006-User-life-cycle-user-del-supports-permanently-preser.patch
>>>   * 0008-User-life-cycle-user-find-support-finding-delete-use.patch
>>>   * 0009-User-life-cycle-support-of-user-undel.patch
>>>   * 0010-User-life-cycle-DNA-DS-plugin-should-exclude-provisi.patch
>>>   * 0011-User-life-cycle-lockout-provisioning-stage-and-delet.patch
>>>   * 0012-User-life-cycle-Create-stage-Admin-provisioning-acco.patch
>>>   * 0013-User-life-cycle-Stage-Admin-permission-priviledge.patch
>>>
>>> Thanks
>>> thierry
>>>
>>>
>>>
>>>
>> Hi Thierry,
>> thanks for the patch, the code looks good to me but there is probably
>> a bug in ACIs.
>> After creating a stage user and setting password for him I can kinit
>> as the stage user. I'm unable to login to the IPA client and id
>> command for this stage user responds "no such user" but I can kinit
>> and invoke ipa commands.
>>
>> Steps:
>> 0. build freeipa with your patch
>> 1. # ipa-server-install
>> 2. $ kinit admin
>> 3. $ ipa stageuser-add suser0 --first Stage --last User --password
>> 4. $ kdestroy
>> 5. $ kinit suser0
>> 6. $ ipa user-find
>>
>> Actual:
>> Prints out list of ipa users.
>>
>> Expected:
>> kinit fails with "suser0 at ... not found in Kerberos database"
>>
> Hi David,
>
> Thank you so much for having looked at this patch :-)
> You are right. The Staging users (as well as the Delete users) are not
> lockout in that patch.
> The patch
> 0011-User-life-cycle-lockout-provisioning-stage-and-delet.patch will
> take care of this.
>
> Do you prefer that I merged the two patches right now ?
>
> thanks
> thierry
>

Hi Thierry,
no, it is not necessary to merge the patches it's ok to have it 
separated. I'm not sure if the patch should be pushed now or rather wait 
and push it together with the others.
I'm looking forward to next ULC patches from you.

-- 
David Kupka

More information about the Freeipa-devel mailing list