[Freeipa-devel] User life cycle: plugins scope for staged users
thierry bordaz
tbordaz at redhat.com
Thu May 22 14:33:14 UTC 2014
Hello,
In order to provision staged users (account inactivated) with their
initial values:
/usr/bin/ipa user-add tb20 --to-stage --first=tb20 --last=tb20
-----------------
Added user "tb20"
-----------------
User login: tb20
First name: tb20
Last name: tb20
Full name: tb20 tb20
Display name: tb20 tb20
Initials: tt
Home directory: /home/tb20
GECOS: tb20 tb20
Login shell: /bin/sh
Kerberos principal: tb20 at IDM.LAB.BOS.REDHAT.COM
Email address: tb20 at idm.lab.bos.redhat.com
UID: -1
GID: -1
Account disabled: true
Password: False
Kerberos keys available: False
ldapsearch -LLL -h localhost -p 389 -D "cn=directory manager" -w Secret123 -b "dc=idm,dc=lab,dc=bos,dc=redhat,dc=com" uid=tb20
dn: uid=tb20,cn=staged users,cn=accounts,cn=provisioning,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
displayName: tb20 tb20
cn: tb20 tb20
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
loginShell: /bin/sh
uidNumber: -1
ipaUniqueID: autogenerate
gidNumber: -1
gecos: tb20 tb20
sn: tb20
homeDirectory: /home/tb20
uid: tb20
mail: tb20 at idm.lab.bos.redhat.com
krbPrincipalName: tb20 at IDM.LAB.BOS.REDHAT.COM
givenName: tb20
initials: tt
I needed to restrict the scope of the following plugins:
dn: cn=ipaUniqueID uniqueness,cn=plugins,cn=config
nsslapd-pluginarg1: cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
dn: cn=IPA Unique IDs,cn=IPA UUID,cn=plugins,cn=config
ipauuidscope: cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
dnaScope: cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
dn: cn=MemberOf Plugin,cn=plugins,cn=config
memberofentryscope: cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
In fact I need them to not modify the added entry when it is added
under "cn=staged users,cn=accounts,cn=provisioning,$SUFFIX".
Now, is it possible to limit those plugins' scope to the 'cn=accounts'
part of the tree? I guess not.
If it is not possible, a solution is to make the scope attributes
multi-valued, or to introduce a new config attribute '*notInScope', also
multi-valued.
A problem is the 'cn=ipaUniqueID uniqueness' plugin, which relies on the
'attribute uniqueness' plugin with an argv[ ]; it is not really convenient
to pass 2 multi-valued attributes that way.
If anyone has other solutions it would help me a lot :-)
thanks
thierry
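The scope question in the mail above, as an added example (not 389-ds or FreeIPA code, and not part of the original message): a small Python model of how a subtree-scoped plugin decides whether to touch an entry, first with the single-valued scope the mail configures and then with the proposed multi-valued scope plus a notInScope exclusion. The attribute name 'notInScope' is the mail's proposal, not an existing server setting; the DNs are the ones the mail shows, except OTHER_ENTRY, which is constructed to stand for any entry outside cn=accounts that still needs these plugins. The DN comparison works on whole RDNs, which matters here because the staged-users container contains the RDN cn=accounts without being under cn=accounts,$SUFFIX.

```python
"""Added example (not 389-ds or FreeIPA code): evaluate whether a plugin with a
subtree scope should touch a given entry, first with the single-valued scope the
mail shows, then with the proposed multi-valued scope plus 'notInScope'.
The attribute name 'notInScope' is the mail's proposal, not an existing setting."""
import re

# Suffix and DNs taken from the mail; OTHER_ENTRY is constructed to stand for
# any entry outside cn=accounts that still needs the plugins (e.g. a rule object).
SUFFIX = "dc=idm,dc=lab,dc=bos,dc=redhat,dc=com"
STAGED_CONTAINER = f"cn=staged users,cn=accounts,cn=provisioning,{SUFFIX}"
STAGED_USER = f"uid=tb20,{STAGED_CONTAINER}"
ACTIVE_USER = f"uid=tb20,cn=users,cn=accounts,{SUFFIX}"
OTHER_ENTRY = f"cn=example,cn=somecontainer,{SUFFIX}"   # constructed, not from the mail

_UNESCAPED_COMMA = re.compile(r"(?<!\\),")  # RDN separator: a comma not preceded by '\'

def normalize_dn(dn):
    """Split a DN into RDNs, lower-case and whitespace-normalise each, and return
    them suffix first so that a subtree test becomes a tuple-prefix comparison."""
    rdns = []
    for rdn in _UNESCAPED_COMMA.split(dn):
        attr, _, value = rdn.strip().partition("=")
        rdns.append(f"{attr.strip().lower()}={' '.join(value.split()).lower()}")
    return tuple(reversed(rdns))

def is_under(dn, base):
    """True when dn is base itself or lies beneath it. Whole RDNs are compared, so
    'cn=accounts' appearing inside a DN (as in the staged users container, which
    sits under cn=provisioning) does not make it part of cn=accounts,$SUFFIX."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return len(d) >= len(b) and d[: len(b)] == b

def plugin_applies(dn, scopes, not_in_scopes=()):
    """Entry is in the plugin's scope if it is under at least one scope value and
    under none of the notInScope values. With one scope and no exclusions this is
    the single-valued behaviour of dnaScope/ipauuidscope/memberofentryscope."""
    if not any(is_under(dn, s) for s in scopes):
        return False
    return not any(is_under(dn, s) for s in not_in_scopes)

def scope_modify_ldif(plugin_dn, attr, values):
    """LDIF for ldapmodify that replaces a plugin's scope attribute (standard LDIF
    syntax; whether the server accepts several values is the mail's open question)."""
    lines = [f"dn: {plugin_dn}", "changetype: modify", f"replace: {attr}"]
    lines += [f"{attr}: {v}" for v in values]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Single-valued scope as configured in the mail: the staged user is excluded,
    # but so is everything else outside cn=accounts.
    one_scope = [f"cn=accounts,{SUFFIX}"]
    for dn in (STAGED_USER, ACTIVE_USER, OTHER_ENTRY):
        print(f"scope=cn=accounts   {dn}: {plugin_applies(dn, one_scope)}")
    # Proposal: scope the whole suffix and exclude only the staging container.
    for dn in (STAGED_USER, ACTIVE_USER, OTHER_ENTRY):
        print(f"notInScope proposal {dn}: {plugin_applies(dn, [SUFFIX], [STAGED_CONTAINER])}")
    print(scope_modify_ldif(
        "cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config",
        "dnaScope", one_scope))
```

Run it as a script to see both policies side by side; the last print is the LDIF one would feed to ldapmodify to apply the dnaScope change the mail describes.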