[Freeipa-devel] User Life Cycle: scoping of referential integrity, memberof, IPA UUID plugins
Martin Kosek
mkosek at redhat.com
Wed Jun 25 08:52:26 UTC 2014
On 06/24/2014 06:31 PM, thierry bordaz wrote:
> Hello,
>
> User life cycle "assigns" a status to user entries depending where
> they are in the DIT.
> 'Active' user will be under 'cn=accounts,SUFFIX' while 'Stage' and
> 'Delete' users are somewhere under 'cn=provisioning,SUFFIX'.
>
> Only 'Active' users have valid membership attributes: A Stage/Delete
> user does not belong to any 'Active' group.
> membership is managed by DS plugins, and particularly RI and memberof.
> To automatically update membership attributes, RI and memberof
> implement a scoping that updates/adds/removes membership attributes if
> the group/user is Active.
>
> The scoping is a single valued attribute.
>
> It creates failures in IPA tests if I restrict RI/memberof to
> 'cn=accounts,SUFFIX'. For example, adding a host (under
> 'cn=accounts,SUFFIX') adds it to a network group that is under
> 'cn=alt,SUFFIX'.
> A solution would be to make the attribute that scopes the plugin
> multivalued. But then it would require a long list of values:
>
> cn=pbac,SUFFIX
> cn=hbac,SUFFIX
> cn=alt,SUFFIX
> cn=accounts,SUFFIX
> ...
>
>
> Another solution would be to exclude some parts of the DIT, here
> limited to 'cn=provisioning,SUFFIX' (preferred solution).
>
>
> This is a similar issue with the IPA UUID plugin, which generates
> ipaUniqueID for entries under 'cn=accounts' but also under 'cn=alt' or
> 'cn=hbac'.
>
> regards
> thierry
Right. As discussed yesterday, I think the best approach would be to specify a
SUFFIX + excluded tree.
Specifying all containers where there may be an entry with a member or RI'ed
attribute would be very long and possibly error prone when we add a new one
(all active IPA server plugin configurations would need to be updated?).
Martin
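The two scoping models discussed in this thread (a multivalued include list of containers versus a suffix plus excluded subtrees), as an added example that is not FreeIPA or 389-ds code. It assumes a hypothetical SUFFIX of dc=example,dc=com, a staged-user entry placed under cn=accounts,cn=provisioning,SUFFIX (an assumed layout, used only to show that an RDN named cn=accounts inside the provisioning tree is not mistaken for the active cn=accounts container), and a deliberately simplified DN parser (case-insensitive, whitespace-trimmed, no handling of escaped commas inside values):

```python
"""Scoping check for a DS plugin (RI, memberof, UUID): decide whether an entry
is in scope.

Added example, not FreeIPA or 389-ds code. DN parsing is simplified: RDNs are
compared case-insensitively after trimming whitespace; escaped commas inside
attribute values are NOT handled (assumption, fine for the constructed DNs here).
"""

SUFFIX = "dc=example,dc=com"  # hypothetical SUFFIX

# Constructed sample entries (not taken from a real directory).
ACTIVE_USER = f"uid=tuser,cn=users,cn=accounts,{SUFFIX}"
# Assumed staged-user layout: note the cn=accounts RDN *inside* cn=provisioning.
STAGED_USER = f"uid=tuser,cn=staged users,cn=accounts,cn=provisioning,{SUFFIX}"
NETGROUP = f"cn=ng1,cn=ng,cn=alt,{SUFFIX}"          # the cn=alt case from the thread
HBAC_RULE = f"cn=allow_all,cn=hbac,{SUFFIX}"

# Option 1 from the thread: multivalued include list, here only cn=accounts.
INCLUDE_ONLY_ACCOUNTS = [f"cn=accounts,{SUFFIX}"]
# Option 2 (preferred): whole suffix minus the provisioning tree.
EXCLUDED = [f"cn=provisioning,{SUFFIX}"]


def normalize_dn(dn):
    """Split a DN into lowercased 'attr=value' RDNs, most-specific first."""
    rdns = []
    for rdn in dn.split(","):
        rdn = rdn.strip()
        if not rdn:
            continue
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return rdns


def is_under(dn, base):
    """True if dn equals base or is a descendant of base.

    Compares trailing RDNs, so a plain substring test is avoided: the string
    'cn=accounts,' appears in STAGED_USER, but STAGED_USER is not under
    cn=accounts,SUFFIX.
    """
    d = normalize_dn(dn)
    b = normalize_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def in_scope_include_list(dn, containers):
    """Option 1: entry is in scope if it lives under any listed container."""
    return any(is_under(dn, c) for c in containers)


def in_scope_exclude(dn, suffix, excluded):
    """Option 2: entry is in scope if it is under suffix and under no excluded tree."""
    if not is_under(dn, suffix):
        return False
    return not any(is_under(dn, e) for e in excluded)


def demo():
    """Evaluate every constructed entry under both models and return the results."""
    entries = [ACTIVE_USER, STAGED_USER, NETGROUP, HBAC_RULE]
    return {
        "include_list": {e: in_scope_include_list(e, INCLUDE_ONLY_ACCOUNTS) for e in entries},
        "exclude": {e: in_scope_exclude(e, SUFFIX, EXCLUDED) for e in entries},
    }


if __name__ == "__main__":
    for model, results in demo().items():
        print(f"== {model} ==")
        for dn, ok in results.items():
            print(f"  {'in scope ' if ok else 'OUT      '} {dn}")
```

Running it shows the failure Thierry describes: with the include list restricted to cn=accounts,SUFFIX the netgroup under cn=alt (and the HBAC rule) fall out of scope, so a new host is never added to its netgroup. With suffix plus excluded tree both stay in scope while the staged user is correctly left alone, and no list has to be extended when a new container is added.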