Hi,
The attached patch is a first patch related to 'User Life Cycle'
(https://fedorahosted.org/freeipa/ticket/3813)
It creates 'Stage' and 'Delete' containers and configures the DS plugins to
scope only the 'Active' container or exclude 'Stage'/'Delete'.
Thanks
thierry
From 61673280bcd96be638e1ceb86aa93d1b568bea02 Mon Sep 17 00:00:00 2001
From: "Thierry bordaz (tbordaz)" <tbor...@redhat.com>
Date: Thu, 7 Aug 2014 16:29:02 +0200
Subject: [PATCH] User Life Cycle: create containers and scoping DS plugins
Bug Description:
User Life Cycle is designed at http://www.freeipa.org/page/V4/User_Life-Cycle_Management
It manages 3 containers (Staging, Active, Delete). At install, the Delete and Staging containers
need to be created.
Active: cn=users,cn=accounts,$SUFFIX
Delete: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
Stage: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
Plugins scopes:
krbPrincipalName, krbCanonicalName, ipaUniqueID, uid:
cn=accounts,SUFFIX
cn=deleted users,cn=accounts,cn=provisioning,SUFFIX
DNA:
cn=accounts,SUFFIX
Plugins exclude subtree:
IPA UUID, Referential Integrity, memberOf:
cn=provisioning,SUFFIX
Reviewed by: ?
Platforms tested: F20
Flag Day: no
Doc impact: no
https://fedorahosted.org/freeipa/ticket/3813
---
install/share/bootstrap-template.ldif | 24 ++++++++++++++++++++++++
install/share/dna.ldif | 2 +-
install/share/unique-attributes.ldif | 9 ++++++---
install/share/uuid-ipauniqueid.ldif | 1 +
install/updates/10-uniqueness.update | 8 ++++++++
install/updates/20-syncrepl.update | 2 ++
6 files changed, 42 insertions(+), 4 deletions(-)
diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index 06b82aa4ae74e7766d0c09a63aa75fa222e7ab7d..f3e7353a9d2b6ee51ebf2c2c3948a0313e752f9d 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -34,6 +34,30 @@ objectClass: top
objectClass: nsContainer
cn: hostgroups
+dn: cn=provisioning,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+cn: provisioning
+
+dn: cn=accounts,cn=provisioning,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+cn: accounts
+
+dn: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+cn: staged users
+
+dn: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+cn: deleted users
+
dn: cn=alt,$SUFFIX
changetype: add
objectClass: nsContainer
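Review bot: the four new container entries exist only in the install-time bootstrap template, and none of the update files in this patch creates cn=provisioning,$SUFFIX or its children. A server upgraded from an earlier version would therefore get the new plugin arguments from 10-uniqueness.update and 20-syncrepl.update pointing at subtrees that do not exist. Suggest adding an update file that creates the same four nsContainer entries. The entries carry only objectClass and cn, so it would also help to state which ACIs are expected to govern who can read and write staged and deleted users.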
diff --git a/install/share/dna.ldif b/install/share/dna.ldif
index 86be44ccfaf65d2ea09c51a499271b95ed7fdbc3..b4c674d676b10859ec14f15ead66e66da47b8e69 100644
--- a/install/share/dna.ldif
+++ b/install/share/dna.ldif
@@ -11,7 +11,7 @@ dnaNextValue: eval($IDSTART)
dnaMaxValue: eval($IDMAX)
dnaMagicRegen: -1
dnaFilter: (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDobject))
-dnaScope: $SUFFIX
+dnaScope: cn=accounts,$SUFFIX
dnaThreshold: 500
dnaSharedCfgDN: cn=posix-ids,cn=dna,cn=ipa,cn=etc,$SUFFIX
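Review bot: narrowing dnaScope from $SUFFIX to cn=accounts,$SUFFIX excludes more than cn=provisioning. Any entry matching the dnaFilter (posixAccount, posixGroup, ipaIDobject) that lives elsewhere under $SUFFIX also stops getting an ID allocated. Please confirm no such entries are expected outside cn=accounts, and say in the commit message whether staged users are meant to stay without an allocated ID until they are activated. This file is also only applied at install, so existing servers keep the old scope unless an update entry is added.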
diff --git a/install/share/unique-attributes.ldif b/install/share/unique-attributes.ldif
index 0e680a0e45b455469f9be9555aed1e63f1d97faf..19084128cd7fd297a0916dd5a602aee061ad7576 100644
--- a/install/share/unique-attributes.ldif
+++ b/install/share/unique-attributes.ldif
@@ -9,7 +9,8 @@ nsslapd-pluginInitfunc: NSUniqueAttr_Init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginarg0: krbPrincipalName
-nsslapd-pluginarg1: $SUFFIX
+nsslapd-pluginarg1: cn=accounts,$SUFFIX
+nsslapd-pluginarg2: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: NSUniqueAttr
nsslapd-pluginVersion: 1.1.0
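Review bot: with nsslapd-pluginarg1 and nsslapd-pluginarg2 limited to the Active and Delete subtrees, a staged entry can hold a krbPrincipalName that already exists on an active user, so the duplicate has to be caught when the entry is moved into cn=accounts,$SUFFIX. Please confirm the uniqueness check runs on that move (or that the activation code does the check itself) and record it in a test or a comment, since a duplicate principal name on activation would be an identity collision.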
@@ -27,7 +28,8 @@ nsslapd-pluginInitfunc: NSUniqueAttr_Init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginarg0: krbCanonicalName
-nsslapd-pluginarg1: $SUFFIX
+nsslapd-pluginarg1: cn=accounts,$SUFFIX
+nsslapd-pluginarg2: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: NSUniqueAttr
nsslapd-pluginVersion: 1.1.0
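Review bot: this scope change for krbCanonicalName, like the matching ones for krbPrincipalName and ipaUniqueID in this file, only reaches new installs. The 10-uniqueness.update hunk in this patch rewrites only cn=attribute uniqueness,cn=plugins,cn=config, which its own comment describes as uid uniqueness, so upgraded servers would keep $SUFFIX as the scope for these three attributes. Suggest adding equivalent update entries for these plugin configurations so installed and upgraded servers behave the same.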
@@ -63,7 +65,8 @@ nsslapd-pluginInitfunc: NSUniqueAttr_Init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginarg0: ipaUniqueID
-nsslapd-pluginarg1: $SUFFIX
+nsslapd-pluginarg1: cn=accounts,$SUFFIX
+nsslapd-pluginarg2: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: NSUniqueAttr
nsslapd-pluginVersion: 1.1.0
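Review bot: the ipaUniqueID uniqueness scope here becomes cn=accounts,$SUFFIX plus the deleted users container, while uuid-ipauniqueid.ldif in this same patch keeps ipaUuidScope: $SUFFIX. ipaUniqueID values would still be generated for ipaObject and ipaAssociation entries anywhere under $SUFFIX outside cn=provisioning, but uniqueness would no longer be enforced for those outside cn=accounts. If that is not intended, keep $SUFFIX as the base for this attribute and exclude only the Stage container, or explain in the commit message why the narrower scope is safe.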
diff --git a/install/share/uuid-ipauniqueid.ldif b/install/share/uuid-ipauniqueid.ldif
index c8d08cd9b282307c87e14951f1382386b8191c1a..b61b6bd3f201352dbfb1122cd77e78142563df06 100644
--- a/install/share/uuid-ipauniqueid.ldif
+++ b/install/share/uuid-ipauniqueid.ldif
@@ -8,4 +8,5 @@ ipaUuidAttr: ipaUniqueID
ipaUuidMagicRegen: autogenerate
ipaUuidFilter: (|(objectclass=ipaObject)(objectclass=ipaAssociation))
ipaUuidScope: $SUFFIX
+ipaUuidExcludeSubtree: cn=provisioning,$SUFFIX
ipaUuidEnforce: TRUE
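Review bot: ipaUuidExcludeSubtree is introduced here as a configuration attribute, but the diffstat contains only LDIF and update files, so nothing in this patch shows the plugin reading it. Please reference the plugin change this depends on and make the ordering explicit, because if the attribute is ignored, entries under cn=provisioning,$SUFFIX would still fall inside ipaUuidScope: $SUFFIX. There is also no update entry adding this attribute on existing servers.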
diff --git a/install/updates/10-uniqueness.update b/install/updates/10-uniqueness.update
index a336d3480866f74b82b35280e6ed788f1abb992f..e7fb7a6ba530561c19e87e793a956924865d5530 100644
--- a/install/updates/10-uniqueness.update
+++ b/install/updates/10-uniqueness.update
@@ -48,3 +48,11 @@ default:nsslapd-plugin-depends-on-type: database
default:nsslapd-pluginId: NSUniqueAttr
default:nsslapd-pluginVersion: 1.1.0
default:nsslapd-pluginVendor: Fedora Project
+
+# uid uniqueness scopes Active/Delete containers
+dn: cn=attribute uniqueness,cn=plugins,cn=config
+remove:nsslapd-pluginarg1:'$SUFFIX'
+add:nsslapd-pluginarg1:'cn=accounts,$SUFFIX'
+add:nsslapd-pluginarg2:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
+remove:nsslapd-pluginenabled:off
+add:nsslapd-pluginenabled:on
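Review bot: the added nsslapd-pluginarg2 line is missing its closing single quote: "add:nsslapd-pluginarg2:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX" ends without the trailing '. The two lines above it are quoted on both sides, so this value is likely to be parsed differently or stored with a stray leading quote. Please close the quote. Separately, the remove/add pair on nsslapd-pluginenabled turns the plugin on unconditionally on upgrade; if an administrator disabled uid uniqueness on purpose this overrides it, so the commit message should say that this is intended.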
diff --git a/install/updates/20-syncrepl.update b/install/updates/20-syncrepl.update
index e1184bf48285fb216dfb0c82e5e97bb8cc35539c..c9c46fdd9e918c5590e90e6846af7f7646a939b7 100644
--- a/install/updates/20-syncrepl.update
+++ b/install/updates/20-syncrepl.update
@@ -10,10 +10,12 @@ add:nsslapd-changelogmaxage: 2d
# indices for cn=changelog.
dn: cn=MemberOf Plugin,cn=plugins,cn=config
add:memberofentryscope: '$SUFFIX'
+add:memberofentryscopeexcludesubtree: 'cn=provisioning,$SUFFIX'
dn: cn=referential integrity postoperation,cn=plugins,cn=config
add:nsslapd-plugincontainerscope: '$SUFFIX'
add:nsslapd-pluginentryscope: '$SUFFIX'
+add:nsslapd-pluginExcludeEntryScope: 'cn=provisioning,$SUFFIX'
# Enable SyncRepl
dn: cn=Content Synchronization,cn=plugins,cn=config
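Review bot: the two added lines, memberofentryscopeexcludesubtree and nsslapd-pluginExcludeEntryScope, rely on the directory server's MemberOf and Referential Integrity plugins recognising these attributes, and the diffstat shows no packaging or dependency change that would require a server version which does. Please state the minimum required DS version and add the matching requirement; otherwise the exclusion would not take effect and staged or deleted entries would stay inside the '$SUFFIX' scopes set on the lines above. As a style point, the attribute name casing differs between the two additions (all lowercase versus mixed case); it is worth aligning both with the spelling used in the plugin documentation.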
--
1.7.11.7