Right now IPA allows only to enable/disable users. But disabled users will show up in the searches.
It would make sense to have a more mature user lifecycle management. Here is an example of what we might want to consider implementing.
When the HR team assigns a new account in the HR system, the initial user object is provisioned into IPA, but it is created in a staging area, for example a subtree called 'Pending'. Once the account has been created with uid/gid/username calculated, it is 'moved' to ou=Users. When the user terminates, the user object is moved to, say, 'Deleted' and is out of the view of normal systems doing user lookups. The object is stored in 'Deleted' until the user returns (a contractor, for example). Once the user returns, their object is moved back to the main tree, preserving their uid/gid/username/etc. attributes.
Group membership should probably not be preserved. However, we might want to allow automembership rules to trigger on the transfer from Pending to Normal rather than on creation (something to think about).
The account creation/termination process is also SOX-controlled, so we will need to make sure we have sufficient access control rules and permissions defined regarding who can create, remove or move accounts around.
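An in-memory model of the lifecycle sketched above, added here as an illustration rather than FreeIPA's own code: the container names, the role names used for the access check and the id allocation are assumptions. It shows the two properties the proposal cares about, that normal lookups only see the active subtree and that every move between subtrees is an authorised operation.

```python
# Added example: in-memory model of the lifecycle proposed above. Not FreeIPA's
# code; container names, role names and id allocation are assumptions.
from dataclasses import dataclass, field

PENDING, USERS, DELETED = "cn=staged users", "cn=users", "cn=deleted users"
# Assumed roles permitted for each transition; a real deployment defines ACIs.
ALLOWED = {"activate": {"hr", "admin"}, "delete": {"hr", "admin"},
           "restore": {"admin"}}


@dataclass
class User:
    username: str
    container: str = PENDING
    uid: int = 0            # 0 means not yet allocated
    gid: int = 0
    groups: set = field(default_factory=set)


class Directory:
    def __init__(self):
        self.entries = {}
        self._next_id = 1000

    def _check(self, action, role):
        if role not in ALLOWED[action]:
            raise PermissionError(f"{role} may not {action}")

    def stage(self, username):
        self.entries[username] = User(username)   # lands in the Pending subtree

    def activate(self, username, role):
        self._check("activate", role)
        u = self.entries[username]
        if u.uid == 0:                  # ids are computed only on activation
            u.uid = u.gid = self._next_id
            self._next_id += 1
        u.container = USERS

    def delete(self, username, role):
        self._check("delete", role)
        u = self.entries[username]
        u.container = DELETED
        u.groups.clear()                # group membership is not preserved

    def restore(self, username, role):
        self._check("restore", role)
        self.entries[username].container = USERS   # uid/gid/username kept

    def find(self, container=USERS):
        # normal lookups see only the active subtree
        return sorted(n for n, u in self.entries.items() if u.container == container)
```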
Looks like a duplicate to #3911...
I have a side note: 'User Life Cycle' also includes things like renaming (e.g. after marriage) etc. It would be nice if we can find a solution for such situations.
attachment 0001-Ticket-3813-User-Life-Cycle-create-containers-and-sc.patch
attachment 0002-Ticket-3813-User-Life-Cycle-Exclude-subtree-for-ipaU.patch
attachment 0003-Ticket-3813-User-life-cycle-support-of-stageuser-add.patch
attachment freeipa-tbordaz-0001-User-Life-Cycle-new-containers-and-DS-plugin-scope.patch
attachment freeipa-tbordaz-0002-User-Life-Cycle-Exclude-tree-ipaUniqueID-generation.patch
attachment freeipa-tbordaz-0001-2-User-Life-Cycle-new-containers-and-DS-plugin-scope.patch
First part pushed to master:
Part of the previous patch had to be reverted as it stopped generating DNA for objects in cn=trusts,SUFFIX and broke Trusts:
master:
attachment freeipa-tbordaz-0004-2-User-life-cycle-stageuser-del-mod-find-show.patch
attachment freeipa-tbordaz-0005-User-Life-Cycle-add-stageuser-tests.patch
attachment freeipa-tbordaz-0006-User-life-cycle-stageuser-activate.patch
David will help with review.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1199530
attachment 0001-User-Life-Cycle-Exclude-subtree-for-ipaUniqueID-gene.patch
attachment 0002-User-life-cycle-stageuser-add-verb.patch
attachment 0003-User-life-cycle-new-stageuser-commands-del-mod-find-.patch
attachment 0004-User-life-cycle-new-stageuser-commands-activate.patch
attachment 0005-User-life-cycle-new-stageuser-commands-activate-prov.patch
attachment 0006-User-life-cycle-user-delete.patch
attachment 0007-User-life-cycle-allows-MODRDN-from-ldap2.patch
attachment 0008-User-life-cycle-user-find-support-finding-delete-use.patch
Web UI with prerequisites:
The functionality is there. From now on, the feature is in bugfixing mode.
attachment freeipa-lryznaro-0002-Automated-test-for-stageuser-plugin.patch
attachment freeipa-lryznaro-0002-3-Automated-test-for-stageuser-plugin.patch
attachment freeipa-lryznaro-0003-Updated-automated-test-for-stageuser-plugin.patch
attachment freeipa-lryznaro-0002.4-Automated-test-for-stageuser-plugin.patch
Test:
ipa-4-2:
Metadata Update from @dpal: - Issue assigned to tbordaz - Issue set to the milestone: FreeIPA 4.2