[Freeipa-devel] User Life Cycle: scoping of referential integrity, memberof, IPA UUID plugins

thierry bordaz tbordaz at redhat.com
Wed Jun 25 09:37:13 UTC 2014


On 06/25/2014 10:52 AM, Martin Kosek wrote:
> On 06/24/2014 06:31 PM, thierry bordaz wrote:
>> Hello,
>>
>>     User life cycle "assigns" a status to user entries depending where
>>     they are in the DIT.
>>     'Active' user will be under 'cn=accounts,SUFFIX' while 'Stage' and
>>     'Delete' users are somewhere under 'cn=provisioning,SUFFIX'.
>>
>>     Only 'Active' users have valid membership attributes: A Stage/Delete
>>     user does not belong to any 'Active' group.
>>     Membership is managed by DS plugins, and particularly RI and memberof.
>>     To automatically update membership attributes, RI and memberof
>>     implement a scoping that updates/adds/removes membership attributes if
>>     the group/user is Active.
>>
>>     The scoping is a single valued attribute.
>>
>>     It creates failures in IPA tests if I restrict RI/memberof to
>>     'cn=accounts,SUFFIX'. For example, adding a host (under
>>     'cn=accounts,SUFFIX') adds it to a network group that is under
>>     'cn=alt,SUFFIX'.
>>     A solution would be that the attribute that scopes the plugin is
>>     multivalued. But then it would require a long list of values:
>>
>>         cn=pbac,SUFFIX
>>         cn=hbac,SUFFIX
>>         cn=alt,SUFFIX
>>         cn=accounts,SUFFIX
>>         ...
>>
>>
>>     Another solution would be to exclude some parts of the DIT, here
>>     limited to 'cn=provisioning,SUFFIX' (preferred solution).
>>
>>
>>     This is a similar issue with IPA UUID plugin that generates
>>     ipaUniqueID for entries under 'cn=accounts' but also 'cn=alt' or
>>     'cn=hbac'.
>>
>>     regards
>>     thierry
> Right. As discussed yesterday, I think the best approach would be to specify a
> SUFFIX + excluded tree.
>
> Specifying all containers where there may be an entry with a member or RI'ed
> attribute would be very long and possibly error-prone when we add a new one
> (all active IPA server plugin configuration would need to be updated?).
>
> Martin
Thanks.
I opened https://fedorahosted.org/389/ticket/47828 (DNA) and
https://fedorahosted.org/389/ticket/47829 (memberof).
For RI, https://fedorahosted.org/389/ticket/47621 already implements it.
For IPA Unique IDs I may use
https://fedorahosted.org/freeipa/ticket/3813 or open a separate ticket.

thierry
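As an added illustration of the two scoping options discussed in this thread (this is not code from the thread, from 389-ds or from FreeIPA), the snippet below compares a multivalued container whitelist against a SUFFIX-plus-excluded-subtree check, using the constructed suffix dc=example,dc=com. The DN handling is deliberately simplified: it assumes no escaped commas and single-valued RDNs.

```python
from typing import Iterable

# Constructed suffix and containers for the demonstration only.
SUFFIX = "dc=example,dc=com"
PROVISIONING = "cn=provisioning," + SUFFIX   # Stage/Delete users live here
ACCOUNTS = "cn=accounts," + SUFFIX           # Active users, groups, hosts
ALT = "cn=alt," + SUFFIX                     # e.g. netgroups


def normalize_dn(dn: str) -> str:
    """Lower-case the DN and strip blanks around RDN separators.
    Simplified: assumes attribute values contain no escaped commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def is_under(dn: str, base: str) -> bool:
    """True if dn equals base or is a descendant of base.
    The leading ',' keeps the match on an RDN boundary, so
    'cn=provisioning2,...' is NOT treated as under 'cn=provisioning,...'."""
    dn, base = normalize_dn(dn), normalize_dn(base)
    return dn == base or dn.endswith("," + base)


def in_whitelist_scope(dn: str, containers: Iterable[str]) -> bool:
    """Option 1: a multivalued list of containers the plugin acts on.
    Every container holding member/RI'ed entries must be listed."""
    return any(is_under(dn, c) for c in containers)


def in_exclusion_scope(dn: str, suffix: str, excluded: Iterable[str]) -> bool:
    """Option 2 (the preferred one): act on everything under suffix
    except entries inside an excluded subtree."""
    if not is_under(dn, suffix):
        return False
    return not any(is_under(dn, ex) for ex in excluded)


def compare(dn: str) -> dict:
    """Evaluate one entry DN under both scoping models."""
    return {
        "whitelist_accounts_only": in_whitelist_scope(dn, [ACCOUNTS]),
        "suffix_minus_provisioning": in_exclusion_scope(dn, SUFFIX, [PROVISIONING]),
    }


if __name__ == "__main__":
    for dn in ("fqdn=h1.example.com,cn=computers," + ACCOUNTS,
               "cn=ng1,cn=ng,"+ ALT,
               "uid=stage1,cn=staged users," + PROVISIONING):
        print(dn, compare(dn))
```

The whitelist model silently drops the netgroup under cn=alt (the test failure described above), while the exclusion model keeps it in scope and still leaves Stage/Delete users out.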