<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<font face="Times New Roman, Times, serif">Hello,<br>
<br>
</font>
<blockquote><font face="Times New Roman, Times, serif">Thanks for
all your feedback and help about which attributes to preserve
and how to limit authentication (simple and krb) to Active
accounts, here is my understanding:<br>
<br>
</font>
<ol>
<li><font face="Times New Roman, Times, serif">Staging
(container: cn=staged
users,cn=accounts,cn=provisioning,SUFFIX)<br>
plugins scoping Staging:</font><br>
<ul>
<li><font face="Times New Roman, Times, serif"><font
face="Times New Roman, Times, serif">ipa_pwd_extop
(kerberos keys generated)</font></font></li>
</ul>
<font face="Times New Roman, Times, serif">In order to prevent
simple bind, there is a pre-bind plugin or cos (nsAccountLock:
True).<br>
<br>
</font></li>
<ul>
<li><font face="Times New Roman, Times, serif">provisioning
constraints - no constraint when creating an entry,<br>
but to be activated the entries in that container must
have:</font></li>
<ul>
<li><font face="Times New Roman, Times, serif"> 'uid' RDN</font></li>
<li><font face="Times New Roman, Times, serif">have OC:
posixaccount, ipaObject (MUST: cn, uid, uidNumber,
gidNumber, homedirectory, ipaUniqueID)</font></li>
</ul>
<li><font face="Times New Roman, Times, serif">ipa
stageuser-add &lt;login&gt;<br>
It creates a stage entry with</font></li>
</ul>
</ol>
<blockquote>
<blockquote>
<blockquote><tt>uidNumber: -1</tt><br>
<tt>gidNumber: -1</tt><br>
<tt>ipaUniqueID: autogenerate</tt><br>
<tt>description: __no_upg__<br>
manager: checks that the DN is an active user<br>
userPassword/krb keys: if userPassword is set, krb keys
are generated<br>
</tt> </blockquote>
</blockquote>
</blockquote>
<ol>
<ul>
<li><font face="Times New Roman, Times, serif">ipa
stageuser-add &lt;login&gt; --from-delete<br>
It possibly updates (MOD-delete) the deleted entry to delete
the attributes:<br>
</font>
<ul>
<li><font face="Times New Roman, Times, serif">userPassword</font></li>
<li><font face="Times New Roman, Times, serif">krb keys<br>
</font></li>
</ul>
</li>
</ul>
</ol>
<blockquote>
<blockquote><font face="Times New Roman, Times, serif">Then it
moves (modrdn) the deleted entry to staging container where<br>
</font>
<blockquote><tt>uidNumber: &lt;unchanged, so it is preserved
from the previous active account&gt;</tt><br>
<tt>gidNumber: &lt;unchanged, so it is
preserved from the previous active account&gt;</tt><br>
<tt>ipaUniqueID: &lt;unchanged, so it
is preserved from the previous active account&gt;</tt><br>
<tt>description: __no_upg__ (to show there is no managed
group)<br>
(Deleted entries have no userPassword nor krb keys)<br>
</tt></blockquote>
</blockquote>
</blockquote>
<ol>
<ul>
<li><font face="Times New Roman, Times, serif">ipa
stageuser-activate &lt;login&gt;<br>
To be activated an entry must have:<br>
</font>
<ul>
<li><font face="Times New Roman, Times, serif">'uid' RDN</font></li>
<li><font face="Times New Roman, Times, serif">have OC:
posixaccount, ipaObject (MUST: cn, uid, uidNumber,
gidNumber, homedirectory, ipaUniqueID)</font></li>
</ul>
<font face="Times New Roman, Times, serif">It adds, in the
active container, a destination copy of the stage entry
where<br>
</font>
<blockquote><tt>uidNumber: &lt;unchanged&gt; (if
it was '-1' DNA generates it)</tt><br>
<tt>gidNumber: &lt;unchanged&gt; (if
it was '-1' DNA generates it)</tt><br>
<tt>ipaUniqueID: &lt;unchanged&gt;
(if it was 'autogenerate' ipa uuid generates it)</tt><br>
<tt>description: value __no_upg__ is removed</tt><br>
<tt>DN syntax attributes are cleared (but kept for schema
checking) except: manager, managedby and secretary
(those values must be active DN entries)<br>
userPassword/krb keys: copied from source entry if they
exist<br>
</tt></blockquote>
</li>
</ul>
</ol>
<blockquote>
<blockquote><font face="Times New Roman, Times, serif">Then it
removes the source entry from the 'Staging' container</font>.<br>
</blockquote>
</blockquote>
<ol>
<ul>
<li><font face="Times New Roman, Times, serif">ipa
stageuser-find &lt;login&gt;</font></li>
<li><font face="Times New Roman, Times, serif">ipa
stageuser-show &lt;login&gt;</font></li>
<li><font face="Times New Roman, Times, serif">ipa
stageuser-mod &lt;login&gt;</font><br>
<blockquote><font face="Times New Roman, Times, serif"> DN
syntax attributes: checks that the DN is an active user<br>
</font></blockquote>
</li>
<li><font face="Times New Roman, Times, serif">ipa
stageuser-del &lt;login&gt;<br>
</font></li>
</ul>
</ol>
<ol start="2">
<li><font face="Times New Roman, Times, serif">Active </font><font
face="Times New Roman, Times, serif">(container:
cn=users,cn=accounts,SUFFIX)<br>
</font><font face="Times New Roman, Times, serif">plugins
scoping Active:<br>
</font>
</li>
</ol>
<blockquote>
<ul>
<li><font face="Times New Roman, Times, serif">ipa_pwd_extop
(kerberos keys generated)</font></li>
<li><font face="Times New Roman, Times, serif">attribute
uniqueness (ipaUniqueID, uid, krbprincipalname,
krbcanonicalName)</font></li>
<li><font face="Times New Roman, Times, serif">referential
integrity</font></li>
<li><font face="Times New Roman, Times, serif">memberof</font></li>
<li><font face="Times New Roman, Times, serif">managed entries</font></li>
<li><font face="Times New Roman, Times, serif">ipa uuid</font><br>
</li>
</ul>
<p><font face="Times New Roman, Times, serif">In order to allow
simple bind, there is a pre-bind plugin or cos (nsAccountLock:
False).</font><br>
<font face="Times New Roman, Times, serif">A new entry
(user-add or stageuser-activate) is updated by DS plugins
(UUID, memberof, managed entries, and DNA plugins)</font></p>
<ul>
<li><font face="Times New Roman, Times, serif">ipa user-add
&lt;login&gt;</font></li>
<li><font face="Times New Roman, Times, serif">ipa user-mod
&lt;login&gt;<br>
</font><font face="Times New Roman, Times, serif">DN syntax
attributes: checks that the DN is an active user</font><br>
</li>
<li><font face="Times New Roman, Times, serif">ipa user-show
&lt;login&gt;</font></li>
<li><font face="Times New Roman, Times, serif">ipa user-find
&lt;login&gt;</font></li>
<li><font face="Times New Roman, Times, serif">ipa user-delete
&lt;login&gt;<br>
The entry is moved (modrdn) to the Delete container:<br>
</font>
<ul>
<li><tt>all membership attributes updated by plugins
(managed entries/memberof)</tt></li>
<li><tt>group members updated by referential integrity<br>
</tt></li>
</ul>
<font face="Times New Roman, Times, serif"><br>
then updated (mod)<br>
</font>
<ul>
<li><tt>all DN syntax attributes are wiped except:
manager, managedby, secretary</tt></li>
<li><tt>description: add __no_upg__ value</tt></li>
<li><tt>userPassword is deleted</tt></li>
<li><tt>kerberos keys are </tt><tt>deleted</tt></li>
</ul>
</li>
<li><font face="Times New Roman, Times, serif">ipa user-undelete
&lt;login&gt;<br>
The entry is possibly updated (MOD-delete) to delete
attributes<br>
</font>
<ul>
<li><font face="Times New Roman, Times, serif">userPassword
(no simple bind on undeleted entry, requires creating
a password)<br>
</font></li>
<li><font face="Times New Roman, Times, serif">kerberos
keys (no kerberos bind on undeleted entry, requires
recreating the user password)</font></li>
</ul>
<font face="Times New Roman, Times, serif">Then it is moved
(modrdn) to the Active container</font><br>
</li>
</ul>
</blockquote>
<ol start="3">
<li><font face="Times New Roman, Times, serif">Delete (container
is </font><font face="Times New Roman, Times, serif">cn=deleted
users,cn=accounts,SUFFIX)<br>
</font><font face="Times New Roman, Times, serif">plugins
scoping Delete:<br>
</font>
<blockquote>
<ul>
<li><font face="Times New Roman, Times, serif">ipa_pwd_extop
(not required as Deleted accounts should not have userPassword
nor krb keys)<br>
</font></li>
<li><font face="Times New Roman, Times, serif">attribute
uniqueness (ipaUniqueID, uid, krbprincipalname,
krbcanonicalName)</font></li>
</ul>
</blockquote>
<font face="Times New Roman, Times, serif">In order to prevent
simple bind (in addition to userPassword being cleared),
there is a pre-bind plugin or cos (nsAccountLock: True).</font></li>
</ol>
<font face="Times New Roman, Times, serif"><br>
<br>
Thanks<br>
thierry<br>
</font>
</blockquote>
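<p>The lifecycle above, modelled end to end as an added example (this is illustration code written for this page, not FreeIPA or 389-DS code and not part of the message). It walks an entry through staging, activation, deletion and back, applying the attribute rules the message lists: <tt>-1</tt> and <tt>autogenerate</tt> markers replaced on activation, <tt>__no_upg__</tt> added and removed, DN-syntax attributes cleared except manager/managedby/secretary (which must point at active users), secrets wiped on delete and undelete, and <tt>nsAccountLock</tt> gating simple bind. Assumptions not in the message: the suffix, a counter standing in for the DNA plugin, <tt>uuid4</tt> for the ipa uuid plugin, a single constructed <tt>krbKeys</tt> attribute standing in for the Kerberos keys, and the extra DN-syntax attributes <tt>memberOf</tt>/<tt>seeAlso</tt>.</p>

```python
"""Toy model of the user lifecycle in the message above (staging -> active
-> deleted -> undelete | stageuser-add --from-delete).  Added illustration,
not FreeIPA/389-DS code.  Assumed: suffix, DNA as a counter, uuid4 for the
ipa uuid plugin, 'krbKeys' standing in for Kerberos keys, OTHER_DN set."""
import itertools
import uuid

SUFFIX = "dc=example,dc=test"                                   # assumed suffix
STAGE = "cn=staged users,cn=accounts,cn=provisioning," + SUFFIX
ACTIVE = "cn=users,cn=accounts," + SUFFIX
DELETED = "cn=deleted users,cn=accounts," + SUFFIX

MUST = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory", "ipaUniqueID")
KEPT_DN = {"manager", "managedby", "secretary"}                 # survive del/activate
OTHER_DN = {"memberOf", "seeAlso"}                              # assumed other DN-syntax attrs
SECRETS = ("userPassword", "krbKeys")                           # krbKeys: constructed stand-in

_dna = itertools.count(1000)                                    # stand-in for the DNA plugin


class Directory:
    def __init__(self):
        self.entries = {}                                       # dn -> {attr: [values]}

    @staticmethod
    def dn(login, container):
        return "uid=%s,%s" % (login, container)                 # 'uid' RDN in every container

    def _check_active_refs(self, entry):
        """manager/managedby/secretary values must be DNs of *active* users."""
        for attr in KEPT_DN:
            for ref in entry.get(attr, []):
                if ref not in self.entries or not ref.endswith("," + ACTIVE):
                    raise ValueError("%s: %s is not an active user" % (attr, ref))

    def _move(self, login, src, dst):                           # modrdn between containers
        entry = self.entries.pop(self.dn(login, src))
        self.entries[self.dn(login, dst)] = entry
        return entry

    def stageuser_add(self, login, **attrs):
        e = {"objectClass": ["posixaccount", "ipaObject"], "uid": [login],
             "cn": [login], "homeDirectory": ["/home/" + login],
             "uidNumber": ["-1"], "gidNumber": ["-1"],
             "ipaUniqueID": ["autogenerate"], "description": ["__no_upg__"]}
        e.update({k: [v] for k, v in attrs.items()})
        if "userPassword" in e:                                 # ipa_pwd_extop scopes staging
            e["krbKeys"] = ["keys-from:" + e["userPassword"][0]]
        self._check_active_refs(e)
        e["nsAccountLock"] = ["TRUE"]                           # no simple bind while staged
        self.entries[self.dn(login, STAGE)] = e
        return e

    def stageuser_activate(self, login):
        src = self.entries[self.dn(login, STAGE)]
        missing = [a for a in MUST if not src.get(a)]
        if missing or not {"posixaccount", "ipaObject"} <= set(src["objectClass"]):
            raise ValueError("cannot activate %s: missing %s" % (login, missing))
        e = {k: list(v) for k, v in src.items() if k not in OTHER_DN}  # DN attrs cleared
        self._check_active_refs(e)                              # kept DN attrs must be active
        for a in ("uidNumber", "gidNumber"):
            if e[a] == ["-1"]:
                e[a] = [str(next(_dna))]                        # DNA replaces the -1 marker
        if e["ipaUniqueID"] == ["autogenerate"]:
            e["ipaUniqueID"] = [str(uuid.uuid4())]              # ipa uuid plugin
        desc = [d for d in e.pop("description", []) if d != "__no_upg__"]
        if desc:
            e["description"] = desc
        e["nsAccountLock"] = ["FALSE"]                          # simple/krb bind allowed
        self.entries[self.dn(login, ACTIVE)] = e                # destination copy added...
        del self.entries[self.dn(login, STAGE)]                 # ...then source removed
        return e

    def user_del(self, login):
        e = self._move(login, ACTIVE, DELETED)
        for a in list(e):                                       # memberof/refint clean-up, secrets wiped
            if a in OTHER_DN or a in SECRETS:
                del e[a]
        if "__no_upg__" not in e.setdefault("description", []):
            e["description"].append("__no_upg__")
        e["nsAccountLock"] = ["TRUE"]
        return e

    def user_undelete(self, login):
        e = self._move(login, DELETED, ACTIVE)
        for a in SECRETS:                                       # no bind until a new password is set
            e.pop(a, None)
        e["nsAccountLock"] = ["FALSE"]
        return e

    def stageuser_add_from_delete(self, login):
        e = self._move(login, DELETED, STAGE)                   # uidNumber/gidNumber/ipaUniqueID kept
        for a in SECRETS:
            e.pop(a, None)
        return e                                                # still locked, still __no_upg__

    def simple_bind(self, dn, password):
        e = self.entries.get(dn)
        return bool(e) and e.get("nsAccountLock") != ["TRUE"] and e.get("userPassword") == [password]
```

<p>The point the model makes visible is that the only attributes that round-trip through the Delete container are the POSIX identifiers and ipaUniqueID, so re-activating a <tt>--from-delete</tt> entry yields the same uidNumber, while every credential is gone and the account stays locked until a password is set again.</p>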
</body>
</html>