[Freeipa-devel] User Life Cycle: enforce ipaUniqueID generation by the server

Simo Sorce simo at redhat.com
Tue Jun 17 19:42:41 UTC 2014 

On Tue, 2014-06-17 at 21:36 +0200, thierry bordaz wrote:
> On 06/17/2014 09:29 PM, Simo Sorce wrote:
> > On Tue, 2014-06-17 at 15:23 -0400, Rob Crittenden wrote:
> >> Simo Sorce wrote:
> >>> On Tue, 2014-06-17 at 17:59 +0200, thierry bordaz wrote:
> >>>>            * ipa stageuser-add <login> --from-delete
> >>>>
> >>>>              It moves a deleted entry to staging container where
> >>>>
> >>>>                  uidNumber: <unchanged, so it is preserved from the
> >>>>                  prevous active account>
> >>>>                  gidNumber: <unchanged, so it is preserved from the
> >>>>                  prevous active account>
> >>>>                  ipaUniqueID: autogenerate (reset to autogenerate)
> >>> Why are you resetting the unique id ?
> >> Read back a few in the thread. I suggested, perhaps incorrectly, that
> >> given that there should be no more references to the user once they go
> >> into deleted or staged, it may be ok to reset this value.
> > Well, let me reiterate, the deleted bucket is for those environments
> > where they have a mandate (regulation, law, policy, etc..) to never
> > delete users and reinstate users if they are deleted.
> > So all uniquely identifying information should be preserved in case the
> > object is revived. This means we need to do our best to preserve all
> > these attributes if we can.
> This is what is done when an Active user is deleted. 
> uidNumber/gidNumber/ipaUniqueID are preserved.
> When activating a user, currently UUID plugin prevents to set a value. 
> Should it be relaxed.. I feel not. It is a sensitive info and 
> provisioning system should not define it.

Why is it sensitive ? A ipaUniqueID is not really sensitive, it just
needs to be unique.

> When undelete a user (move Delete->Staging), ipaUniqueID can be 
> preserved but as the purpose of Staging entry is to become active I 
> thought it would be better to wipe the value also at this time.

I understand that (and I noted before that I think deleted->staged is a
bad idea IMO :-) ), but you are wiping it only as a workaround, because
the plugin prevents you from adding it. Would have you wiped it if it
were not the case ? And if so, why ?

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York

More information about the Freeipa-devel mailing list