[Freeipa-devel] [PATCH] group inactivation
Rob Crittenden
rcritten at redhat.com
Wed Nov 21 04:03:57 UTC 2007
Karl MacMillan wrote:
> On Fri, 2007-11-16 at 18:34 -0500, Rob Crittenden wrote:
>> Enable group inactivation by using the Class of Service plugin.
>>
>> This adds 2 new groups: activated and inactivated.
>>
>> If you, or a group you are a member of, is in inactivated then you are too.
>>
>> If you, or a group you are a member of, is in the activated group, then
>> you are too.
>>
>> In a fight between activated and inactivated, activated wins.
>>
>> The DNs for doing this matching are case and white space sensitive.
>>
>> The goal is to never have to actually set nsAccountLock in a user
>> directly but move them between these groups.
>>
>> We need to decide where in the CLI this will happen. Right now it is split
>> between ipa-deluser and ipa-usermod. To inactivate groups for now just
>> add the group to inactivate or active.
>>
>
> The corrected patch applied w/ fuzz on the current tree - did I apply
> the patches in the wrong order?
>
> This looked OK to me - my biggest concern is the number of "special"
> groups that we are starting to have. Are they all properly protected
> from removal or other modification by ACIs? Anything else we need to do
> to handle these?

Good point. I'll open a task for that.

I've imported the patch after merging it in to apply cleanly with the tip.

> Finally - I vote for ipa-userlock and ipa-userdel (or deluser and
> lockuser).

While I like having commands that do one thing and do it well we're
getting quite a toolkit here. I'll open a task for this too.

rob
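
The precedence rules from the quoted patch description, modelled as an added example that is not part of the thread, the patch, or the Class of Service plugin. The DNs, the `MEMBER_OF` map and the function names are constructed for illustration; plain string comparison stands in for the stated case and white space sensitivity.

```python
# Constructed sample DNs; the patch's real group DNs are not shown in the thread.
BASE = "dc=example,dc=com"
ACTIVATED = "cn=activated,cn=account inactivation," + BASE
INACTIVATED = "cn=inactivated,cn=account inactivation," + BASE
CONTRACTORS = "cn=contractors,cn=groups," + BASE

# Hypothetical membership map: entry DN -> DNs of groups it is a member of.
MEMBER_OF = {
    "uid=alice," + BASE: [INACTIVATED],               # directly inactivated
    "uid=bob," + BASE: [CONTRACTORS],                 # inactivated via a group
    CONTRACTORS: [INACTIVATED],
    "uid=carol," + BASE: [CONTRACTORS, ACTIVATED],    # both apply
    # Same group as INACTIVATED to a human reader, but the case and
    # spacing differ, so an exact string match does not see it.
    "uid=dave," + BASE: ["cn=Inactivated, cn=account inactivation," + BASE],
}


def effective_groups(dn, member_of):
    """Groups that apply to dn: its own groups, plus the groups those are in."""
    direct = set(member_of.get(dn, ()))
    via_group = {g for d in direct for g in member_of.get(d, ())}
    return direct | via_group


def is_locked(dn, member_of):
    """Model of the effective nsAccountLock state for dn."""
    groups = effective_groups(dn, member_of)
    if ACTIVATED in groups:       # "activated wins"
        return False
    return INACTIVATED in groups  # no match at all means not locked


if __name__ == "__main__":
    for dn in sorted(k for k in MEMBER_OF if k.startswith("uid=")):
        print(dn, "locked" if is_locked(dn, MEMBER_OF) else "active")
```

The `uid=dave` entry shows why the sensitivity matters for review: a DN that differs only in case or spacing fails to match and the account stays active.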