[Freeipa-devel] User life cycle: plugins scope for staged users
Dmitri Pal
dpal at redhat.com
Thu May 29 02:09:21 UTC 2014
On 05/22/2014 10:33 AM, thierry bordaz wrote:
> Hello,
>
> In order to provision staged users (account inactivated) with
> there initial values:
>
> /usr/bin/ipa user-add tb20 --to-stage --first=tb20 --last=tb20
> -----------------
> Added user "tb20"
> -----------------
> User login: tb20
> First name: tb20
> Last name: tb20
> Full name: tb20 tb20
> Display name: tb20 tb20
> Initials: tt
> Home directory: /home/tb20
> GECOS: tb20 tb20
> Login shell: /bin/sh
> Kerberos principal: tb20 at IDM.LAB.BOS.REDHAT.COM
> Email address: tb20 at idm.lab.bos.redhat.com
> UID: -1
> GID: -1
> Account disabled: true
> Password: False
> Kerberos keys available: False
>
> ldapsearch -LLL -h localhost -p 389 -D "cn=directory manager"
> -w Secret123 -b "dc=idm,dc=lab,dc=bos,dc=redhat,dc=com" uid=tb20
> dn: uid=tb20,cn=staged
> users,cn=accounts,cn=provisioning,dc=idm,dc=lab,dc=bos,
> dc=redhat,dc=com
> displayName: tb20 tb20
> cn: tb20 tb20
> objectClass: top
> objectClass: person
> objectClass: organizationalperson
> objectClass: inetorgperson
> objectClass: inetuser
> objectClass: posixaccount
> objectClass: krbprincipalaux
> objectClass: krbticketpolicyaux
> objectClass: ipaobject
> objectClass: ipasshuser
> objectClass: ipaSshGroupOfPubKeys
> loginShell: /bin/sh
> uidNumber: -1
> ipaUniqueID: autogenerate
> gidNumber: -1
> gecos: tb20 tb20
> sn: tb20
> homeDirectory: /home/tb20
> uid: tb20
> mail: tb20 at idm.lab.bos.redhat.com
> krbPrincipalName: tb20 at IDM.LAB.BOS.REDHAT.COM
> givenName: tb20
> initials: tt
>
> I needed to resctrict the scope of the following plugins:
>
> dn: cn=ipaUniqueID uniqueness,cn=plugins,cn=config
> nsslapd-pluginarg1:
> cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>
> dn: cn=IPA Unique IDs,cn=IPA UUID,cn=plugins,cn=confi
> ipauuidscope: cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>
> dn: cn=Posix IDs,cn=Distributed Numeric Assignment
> Plugin,cn=plugins,cn=config
> dnaScope: cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>
> dn: cn=MemberOf Plugin,cn=plugins,cn=config
> memberofentryscope:
> cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>
> In fact I need them to not modify the added entry when it is added
> under "cn=staged users,cn=accounts,cn=provisioning,$SUFFIX".
> Now is it possible to limit those plugins scope to the
> 'cn=accounts' part of the tree ? I guess not.
> If it is not possible, a solution is to make the scope
> multi-valued attributes or to introduce a new config attribute
> '*notInScope' also multi-valued.
> A problem is the 'cn=ipaUniqueID uniqueness' that rely on the
> 'attribute uniqueness' plugin with a argv[ ], not really
> convenient to pass 2 multivalued attributes.
>
> If anyone is having others solutions it would help me a lot :-)
>
> thanks
> thierry
>
>
The easiest solution IMO is to not treat staging area as an account
area, i.e instead of cn=staging, cn=accounts, dc=... I suggest saving
users in cn=users, cn=staging, dc=...
This way if in future we will have some staging for other objects (for
whatever reason) we will create containers under common "staging" area.
I would also argue that "deleted" should not be under accounts.
>
>
>
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140528/cfb8d7e5/attachment.htm>
More information about the Freeipa-devel
mailing list