[Freeipa-devel] [PATCH] group inactivation

Karl MacMillan kmacmill at redhat.com
Sat Nov 17 17:49:13 UTC 2007


On Fri, 2007-11-16 at 18:34 -0500, Rob Crittenden wrote:
> Enable group inactivation by using the Class of Service plugin.
> 
> This adds 2 new groups: activated and inactivated.
> 
> If you, or a group you are a member of, is in inactivated then you are too.
> 
> If you, or a group you are a member of, is in the activated group, then 
> you are too.
> 
> In a fight between activated and inactivated, activated wins.
> 
> The DNs for doing this matching are case and white space sensitive.
> 
> The goal is to never have to actually set nsAccountLock in a user 
> directly but move them between these groups.
> 
> We need to decide where in the CLI this will happen. Right now it is split
> between ipa-deluser and ipa-usermod. To inactivate groups for now just
> add the group to inactivate or active.
> 

The corrected patch applied w/ fuzz on the current tree - did I apply
the patches in the wrong order?

This looked OK to me - my biggest concern is the number of "special"
groups that we are starting to have. Are they all properly protected
from removal or other modification by ACIs? Anything else we need to do
to handle these?

Finally - I vote for ipa-userlock and ipa-userdel (or deluser and
lockuser).

Karl
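
The rules in the quoted patch description, modelled as an added example (not code from the patch or from FreeIPA): it shows activated taking precedence and a DN that differs only by white space failing to match, which leaves that account unlocked. The DNs, the group layout and the helper functions are constructed for illustration, and the DN normalization is a simplification used only for auditing.

```python
# Model of the rules as stated in the description above; this is not the
# Class of Service plugin's code. All DNs are constructed samples.
ACTIVATED = "cn=activated,cn=accounts,dc=example,dc=com"
INACTIVATED = "cn=inactivated,cn=accounts,dc=example,dc=com"
ALICE = "uid=alice,cn=users,dc=example,dc=com"
BOB = "uid=bob,cn=users,dc=example,dc=com"
CAROL = "uid=carol,cn=users,dc=example,dc=com"
CONTRACTORS = "cn=contractors,cn=groups,dc=example,dc=com"
KNOWN = {ALICE, BOB, CAROL, CONTRACTORS}

# group DN -> member values exactly as stored on the group entry
MEMBERS = {
    CONTRACTORS: [ALICE, BOB],
    ACTIVATED: [BOB],
    # carol's DN was entered with a stray space after the first comma
    INACTIVATED: [CONTRACTORS, "uid=carol, cn=users,dc=example,dc=com"],
}

def is_locked(entry_dn, members):
    """True if entry_dn counts as inactivated under the stated rules."""
    # The entry itself plus every group that lists it as a member.
    candidates = {entry_dn} | {g for g, m in members.items() if entry_dn in m}
    # Exact string comparison: case and white space sensitive.
    in_activated = any(c in members.get(ACTIVATED, []) for c in candidates)
    in_inactivated = any(c in members.get(INACTIVATED, []) for c in candidates)
    # "In a fight between activated and inactivated, activated wins."
    return in_inactivated and not in_activated

def normalize_dn(dn):
    """Simplified normalization (assumption): ignores escaped commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def audit_special_groups(members, known_dns):
    """Find stored members that match a known DN only after normalization."""
    normalized = {normalize_dn(k) for k in known_dns}
    findings = []
    for group in (ACTIVATED, INACTIVATED):
        for value in members.get(group, []):
            if value not in known_dns and normalize_dn(value) in normalized:
                findings.append((group, value))
    return findings

if __name__ == "__main__":
    for dn in (ALICE, BOB, CAROL):
        print(dn, "locked" if is_locked(dn, MEMBERS) else "active")
    print("near misses:", audit_special_groups(MEMBERS, KNOWN))
```
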