[Freeipa-devel] User life cycle: question regarding the design

Jan Cholasta jcholast at redhat.com
Tue May 27 10:01:20 UTC 2014


On 26.5.2014 10:18, Martin Kosek wrote:
> On 05/26/2014 09:33 AM, Jan Cholasta wrote:
>> On 26.5.2014 07:49, Martin Kosek wrote:
> ...
>>>   > 5) modifying
>>>   > (in active)   ipa user-mod tuser ...
>>>
>>> Ok.
>>>
>>>   > (in stage)    ipa user-mod tuser --staged ...
>>>
>>> Simo did not like this command; I would personally add it. As long as we
>>> have "ipa user-add --staged", we should also have an option to delete
>>> and modify a user in the staged area.
>>
>> +1
>>
>>>
>>>   > (in del)      ipa user-mod tuser --deleted ...
>>>
>>> Not needed.
>>>
>>> Is this acceptable for everyone? If yes, the next step would be for
>>> Thierry to update the design page with new proposals.
>>>
>>> Martin
>>
>> Are users in different containers using the same uid allowed?
>
> Say you had a John Doe (uid jdoe) working in a company a couple of years ago. jdoe
> left and is now in the deleted accounts tree. Jane Doe joins the company now and
> the question is - do we want to allow Jane to take the same uid as John had? I am
> thinking we should not allow that. Maybe we should allow an override with --force
> or have a global option.
>
> Another related topic is - do we want to enforce that staged users always have a UID
> RDN? Isn't that limiting? When writing
>
> http://www.freeipa.org/page/V4/User_Life-Cycle_Management#Create_a_User_-_by_provisioning_system
>
> I proposed that we should also be able to unstage a minimal record like this:
>
> dn: cn=Test User,cn=staged users,cn=accounts,cn=provisioning,dc=example,dc=com
> objectClass: top
> objectClass: organizationalperson
> cn: Test User
> sn: User
> nsAccountLock: True
>
>> If not, do we need the --staged/--deleted flags on anything but
>> user-add/user-find?
>
> I see your point, but I think we should make admins be very explicit when
> manipulating users in any area other than the active users area. As Simo noted,
> these are not real users, just incomplete user records.

If they are not users, they should not be managed by the user plugin in 
the first place. (But I guess people are so used to abusing IPA's object 
model that they don't care. Oh well.)

>
> Martin
>


-- 
Jan Cholasta
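The uid-uniqueness question raised in the quoted mail (may a new user reuse a uid that still exists in the deleted or staged tree, and is --force an acceptable override?) can be made concrete with a small check run over the three life-cycle containers. The following is an added example written for this thread, not FreeIPA's own code. Only the staged container DN is quoted in the mail; the active and deleted container DNs, the sample entries, and the policy that --force overrides a collision with a deleted record but never with an active or staged one are assumptions of the example.

```python
"""Added example for the uid-uniqueness discussion above (not FreeIPA code).
Models the active/staged/deleted containers as LDIF and checks whether a uid
requested for a new user is already held in any of them.  Container DNs other
than the staged one quoted in the mail, the sample data and the --force
policy are assumptions of this example."""

# Assumed container DNs (only STAGED_BASE appears in the thread).
ACTIVE_BASE = "cn=users,cn=accounts,dc=example,dc=com"
STAGED_BASE = "cn=staged users,cn=accounts,cn=provisioning,dc=example,dc=com"
DELETED_BASE = "cn=deleted users,cn=accounts,cn=provisioning,dc=example,dc=com"
CONTAINERS = (("active", ACTIVE_BASE), ("staged", STAGED_BASE),
              ("deleted", DELETED_BASE))

# Constructed sample directory content: one active user, a former employee
# parked in the deleted tree, a fully populated staged user, and the minimal
# cn-RDN staged record from the mail, which carries no uid at all.
SAMPLE_LDIF = """\
dn: uid=asmith,cn=users,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: person
uid: asmith
cn: Alice Smith
sn: Smith

dn: uid=jdoe,cn=deleted users,cn=accounts,cn=provisioning,dc=example,dc=com
objectClass: top
objectClass: person
uid: jdoe
cn: John Doe
sn: Doe
nsAccountLock: True

dn: uid=bwhite,cn=staged users,cn=accounts,cn=provisioning,dc=example,dc=com
objectClass: top
objectClass: person
uid: bwhite
cn: Bob White
sn: White
nsAccountLock: True

dn: cn=Test User,cn=staged users,cn=accounts,cn=provisioning,dc=example,dc=com
objectClass: top
objectClass: organizationalperson
cn: Test User
sn: User
nsAccountLock: True
"""


def parse_ldif(text):
    """Tiny LDIF reader: entries separated by blank lines, 'attr: value'
    lines.  Returns a list of dicts mapping lower-cased attribute name to
    a list of values, plus the entry's 'dn'.  Base64 ('::') values and
    folded lines are not handled; enough for the records in this thread."""
    entries, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            if cur is not None:
                entries.append(cur)
                cur = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            cur = {"dn": value}
        elif cur is not None:
            cur.setdefault(attr, []).append(value)
    if cur is not None:
        entries.append(cur)
    return entries


def container_of(dn):
    """Life-cycle container a DN sits in (case-insensitive suffix match),
    or None if it is outside all three."""
    dn_l = dn.lower()
    for name, base in CONTAINERS:
        if dn_l.endswith("," + base.lower()):
            return name
    return None


def rdn_attr(dn):
    """Attribute type of the leftmost RDN, e.g. 'uid' or 'cn'."""
    return dn.split(",", 1)[0].split("=", 1)[0].strip().lower()


def find_uid_conflicts(entries, uid):
    """Every entry, in any container, that already carries this uid.
    Minimal staged records have no uid (cn RDN), so they cannot collide
    on uid and are skipped by the lookup."""
    uid_l = uid.lower()
    return [(container_of(e["dn"]), e["dn"]) for e in entries
            if any(v.lower() == uid_l for v in e.get("uid", []))]


def uid_is_available(entries, uid, force=False):
    """Assumed policy: a uid held anywhere is refused.  --force only
    overrides a collision with a *deleted* record; it never lets a new
    user shadow an active user or one that is still staged to become one."""
    blocking = [c for c in find_uid_conflicts(entries, uid)
                if not (force and c[0] == "deleted")]
    return not blocking


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for candidate in ("jdoe", "bwhite", "jsmith"):
        print(candidate, uid_is_available(entries, candidate),
              uid_is_available(entries, candidate, force=True))
```

Against a live server the same logic would be a subtree search for `(uid=...)` under each of the three bases; the point of the check is that a collision anywhere is reported with the container it was found in, so an admin running with --force sees exactly which record is being shadowed.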