[Freeipa-devel] User life Cycle: referential integrity
thierry bordaz
tbordaz at redhat.com
Wed Jun 4 15:46:47 UTC 2014
Hello,
I am looking at the appropriate way to configure DS referential
integrity and I am hitting some issues about its scoping and which
attributes need to be preserved.
Users A and B are both Active. User A refers to user B, for example
'owner: <DN user B in Active container>'.
If entry A is deleted (user-del), it keeps 'owner: <DN user B in
Active container>'. Do we really want to preserve such attributes
(owner, member, seeAlso...) in case the user is coming back
(user-undel)?
If it makes sense we may achieve this if we extend RI to both the
'Active' and 'Delete' containers.
If we prefer to remove such attributes, then 'user-del' is a MODRDN
followed by some MODs or an ADD-DEL where the Delete entry is rebuilt
from the 'Active' entry.
This is a similar problem when using 'stageuser-add <id>
--from-delete', the references may become invalid (unless RI also
covers Staging).
An option would be to accept having invalid references in 'staging'
and 'delete', but when the entry is stageuser-activate/user-undel
the references are checked and removed if invalid. Here invalid
means the referred entry does not exist or is not 'Active'.
thanks
thierry
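
The last option in the message above (check references on stageuser-activate/user-undel and drop the invalid ones), as an added example that is not part of the original post or of FreeIPA's code. The container DNs, sample entries and function names are assumptions constructed here, and the directory is modeled as an in-memory set of DNs rather than a live DS instance.

```python
import re

# Assumed container DNs, constructed for this example (not from the post).
ACTIVE = "cn=users,cn=accounts,dc=example,dc=test"
DELETED = "cn=deleted users,cn=accounts,cn=provisioning,dc=example,dc=test"
REF_ATTRS = {"owner", "member", "seealso"}  # DN-valued attributes named in the post
_COMMA = re.compile(r"(?<!\\),")  # RDN separator; simplified escape handling


def norm_dn(dn):
    """Simplified normalization: trim and lowercase each RDN."""
    return ",".join(rdn.strip().lower() for rdn in _COMMA.split(dn))


def is_valid_ref(dn, directory):
    """Valid only if the target exists and sits directly under ACTIVE."""
    n = norm_dn(dn)
    parts = _COMMA.split(n, maxsplit=1)
    return n in directory and len(parts) == 2 and parts[1] == norm_dn(ACTIVE)


def clean_references(entry, directory):
    """Return (cleaned entry, list of (attr, dn) references dropped)."""
    cleaned, removed = {}, []
    for attr, values in entry.items():
        if attr.lower() not in REF_ATTRS:
            cleaned[attr] = list(values)  # non-reference attributes pass through
            continue
        kept = []
        for v in values:
            if is_valid_ref(v, directory):
                kept.append(v)
            else:
                removed.append((attr, v))
        if kept:  # an attribute left with no values is dropped entirely
            cleaned[attr] = kept
    return cleaned, removed


# Constructed sample data: user B is Active, user C is in the Delete container.
SAMPLE_DIRECTORY = {norm_dn(d) for d in ("uid=userb," + ACTIVE, "uid=userc," + DELETED)}
SAMPLE_ENTRY = {  # user A, about to be restored with user-undel
    "cn": ["User A"],
    "owner": ["UID=userB, " + ACTIVE, "uid=userc," + DELETED, "uid=gone," + ACTIVE],
    "seeAlso": ["uid=userc," + DELETED],
}

if __name__ == "__main__":
    print(clean_references(SAMPLE_ENTRY, SAMPLE_DIRECTORY))
```

The returned list of dropped (attribute, DN) pairs is what an activate/undel operation could log, so that silently removed owner or member values remain auditable.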