In case there is an external provisioning system the user life cycle in IPA needs to be managed using LDAP commands. It should be possible to add, modify and delete users using pure LDAP commands.
Our current implementation allows only CLI/UI over API because we resolve and add attributes in the framework.
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=989091 (RHEL RFE)
Similar ticket - #3813.
I have a side note: 'User Life Cycle' also includes things like renaming (e.g. after marriage) etc. It would be nice if we could find a solution for such situations.
Currently, with FreeIPA you can add a user:
# ipa user-add --first=Jane --last=Doe jdoe
-----------------
Added user "jdoe"
-----------------
  User login: jdoe
  First name: Jane
  Last name: Doe
  Full name: Jane Doe
  Display name: Jane Doe
  Initials: JD
  Home directory: /home/jdoe
  GECOS: Jane Doe
  Login shell: /bin/sh
  Kerberos principal: jdoe@MY.REALM
  Email address: jdoe@my.realm
  UID: 166200004
  GID: 166200004
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
and then rename it with the --rename option:
# ipa user-mod jdoe --rename jsmith --last Smith
--------------------
Modified user "jdoe"
--------------------
  User login: jsmith
  First name: Jane
  Last name: Smith
  Home directory: /home/jdoe
  Login shell: /bin/sh
  Email address: jdoe@my.realm
  UID: 166200004
  GID: 166200004
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
This would change the user's uid and Kerberos principal while preserving the UID and GID. This entirely changes the user's identity, so you may need to make changes in some of your external systems that do some uid <-> role coupling.
A less intrusive change may be just simple:
# ipa user-mod jdoe --last Smith
to keep the uid and Kerberos principal intact.
To sum it up, I am not sure what else FreeIPA could offer.
Starting to shape next release
Summary of discussion on mailing list
The main concern was that there may be software doing direct LDAP additions and modifications for the users. The software may ADD staging users, the helpdesk would activate them, and the software would DELete them at the end of the life cycle.
A first idea was that to enable the deleted-users container, one would just need to flip a switch and activate the DS plugin that would turn a DEL into a MODRDN.
A second idea was that the application would need to be taught to do a MODRDN instead of an LDAP DEL.
Conclusion:
We move the entry (on add/del) from the place the provisioning system puts it; then we do not have to do anything for deletion. For HR, the user disappears from where they placed it.
The delete operation is much simpler than the add, and it should be simple to change the provisioning scripts to do an explicit modrdn rather than a del if they want to do so. Therefore I do not think we need to do anything like a delete->modrdn plugin which is fraught with dangerous side-effects.
The functionality is there. From now on, the feature is in bugfixing mode.
Metadata Update from @dpal: - Issue assigned to tbordaz - Issue set to the milestone: FreeIPA 4.2