[Freeipa-devel] [PATCH] Add a new user-add flag param to disable the creation of UPG.

Rob Crittenden rcritten at redhat.com
Mon Mar 28 21:34:52 UTC 2011


Pavel Zůna wrote:
> On 2011-03-28 23:05, Rob Crittenden wrote:
>> Pavel Zůna wrote:
>>> This patch handles the issue in a kind of stupid way, but I couldn't
>>> think of anything better.
>>>
>>> It adds a new flag parameter to user-add (--noprivate). With this flag,
>>> the command marks the private group about to be created for deletion, and
>>> it is deleted after the user is created. The only exception is when there
>>> is a group that is named the same way as the user but isn't a private
>>> group - then the group is left there.
>>>
>>> Private groups are created automatically by the managed entry DS plugin
>>> and I didn't find a way to disable its creation for a specific user.
>>>
>>> Ticket #1131
>>>
>>> Pavel
>>
>> I wonder if you can modify the originFilter entry in the Managed Entry
>> plugin and set something special so the user gets created w/o a group.
>>
>> The trick would be getting the filter right. Currently it is
>> originFilter: objectclass=posixAccount
>>
>> I wonder if we could stuff something else in there that would cause it
>> to evaluate false when we don't want a managed group.
>>
>> rob
>
> I thought about it, but changing the filter temporarily isn't an option
> since more user-add operations can be running at the same time and this
> entry is global.

No, leave the filter alone but change it by default to something that is 
more flexible.

>
> Maybe adding a special object class or temporary attribute to mark users
> to be created without UPG.

Right, we could create a sup objectclass to ipaUsers that has no 
attributes and use it like a flag. Not sure this is a great idea but we 
could even leave this to avoid the extra operations.

>
> Or creating the user without the posixAccount object class and
> attributes and adding them later using user-mod. This might be a bit
> faster than deleting the UPG.

Yup, that would probably work too.

rob
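
The filter idea discussed in this thread, as an added example that is not part of the original messages or of FreeIPA's code: a small evaluator for a subset of LDAP filters, run against constructed user entries, comparing the originFilter quoted above with a variant that excludes flagged users. The flag objectclass name `exampleNoPrivateGroup`, the proposed filter string and the sample users are assumptions made for illustration.

```python
# Evaluates a subset of LDAP search filters: (&..), (|..), (!..), attr=value, attr=*.
NO_UPG_CLASS = "exampleNoPrivateGroup"  # hypothetical flag objectclass (assumption)
CURRENT_FILTER = "objectclass=posixAccount"  # value quoted in the thread
PROPOSED_FILTER = "(&(objectclass=posixAccount)(!(objectclass=%s)))" % NO_UPG_CLASS

USERS = {  # constructed sample entries
    "alice": {"objectClass": ["top", "person", "posixAccount"]},
    "bob": {"objectClass": ["top", "person", "posixAccount", NO_UPG_CLASS]},
    "carol": {"objectClass": ["top", "person"]},  # posixAccount to be added later
}


def _parse(f, i):
    """Parse one parenthesised filter at f[i]; return (node, index after it)."""
    if f[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if f[i] in "&|!":
        op, kids, i = f[i], [], i + 1
        while f[i] == "(":
            kid, i = _parse(f, i)
            kids.append(kid)
        if f[i] != ")" or not kids or (op == "!" and len(kids) != 1):
            raise ValueError("malformed '%s' filter" % op)
        return (op, kids), i + 1
    end = f.index(")", i)  # raises ValueError if the item is unterminated
    attr, sep, value = f[i:end].partition("=")
    if not sep or not attr:
        raise ValueError("malformed item %r" % f[i:end])
    return ("=", attr.lower(), value.lower()), end + 1


def _eval(node, entry):
    """Evaluate a parsed filter node against an entry with lowercased keys."""
    if node[0] == "=":
        values = [v.lower() for v in entry.get(node[1], [])]
        return bool(values) if node[2] == "*" else node[2] in values
    results = [_eval(kid, entry) for kid in node[1]]
    return {"&": all, "|": any}.get(node[0], lambda r: not r[0])(results)


def matches(filter_text, entry):
    """True if entry matches the filter, i.e. a managed group would be created."""
    f = filter_text.strip()
    f = f if f.startswith("(") else "(" + f + ")"
    try:
        node, end = _parse(f, 0)
    except IndexError:
        raise ValueError("truncated filter") from None
    if end != len(f):
        raise ValueError("trailing data after filter")
    return _eval(node, {k.lower(): v for k, v in entry.items()})
```

With the filter quoted in the thread, both alice and bob match; with the flag-aware variant only alice does, and carol matches neither because she has no posixAccount objectclass yet.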



