[Freeipa-devel] User Life Cycle: enforce ipaUniqueID generation by the server
Simo Sorce
simo at redhat.com
Tue Jun 17 19:42:41 UTC 2014
On Tue, 2014-06-17 at 21:36 +0200, thierry bordaz wrote:
> On 06/17/2014 09:29 PM, Simo Sorce wrote:
> > On Tue, 2014-06-17 at 15:23 -0400, Rob Crittenden wrote:
> >> Simo Sorce wrote:
> >>> On Tue, 2014-06-17 at 17:59 +0200, thierry bordaz wrote:
> >>>> * ipa stageuser-add <login> --from-delete
> >>>>
> >>>> It moves a deleted entry to staging container where
> >>>>
> >>>> uidNumber: <unchanged, so it is preserved from the
> >>>> previous active account>
> >>>> gidNumber: <unchanged, so it is preserved from the
> >>>> previous active account>
> >>>> ipaUniqueID: autogenerate (reset to autogenerate)
> >>> Why are you resetting the unique id ?
> >> Read back a few in the thread. I suggested, perhaps incorrectly, that
> >> given that there should be no more references to the user once they go
> >> into deleted or staged, it may be ok to reset this value.
> > Well, let me reiterate, the deleted bucket is for those environments
> > where they have a mandate (regulation, law, policy, etc..) to never
> > delete users and reinstate users if they are deleted.
> > So all uniquely identifying information should be preserved in case the
> > object is revived. This means we need to do our best to preserve all
> > these attributes if we can.
> This is what is done when an Active user is deleted.
> uidNumber/gidNumber/ipaUniqueID are preserved.
> When activating a user, currently the UUID plugin prevents setting a value.
> Should it be relaxed.. I feel not. It is a sensitive info and
> provisioning system should not define it.
Why is it sensitive ? An ipaUniqueID is not really sensitive, it just
needs to be unique.
> When undeleting a user (move Delete->Staging), ipaUniqueID can be
> preserved but as the purpose of Staging entry is to become active I
> thought it would be better to wipe the value also at this time.
I understand that (and I noted before that I think deleted->staged is a
bad idea IMO :-) ), but you are wiping it only as a workaround, because
the plugin prevents you from adding it. Would you have wiped it if it
were not the case ? And if so, why ?
Simo.
--
Simo Sorce * Red Hat, Inc * New York