#3911 [RFE] Allow managing users add/modify/delete via LDAP client
Closed: Fixed None Opened 10 years ago by dpal.

In case there is an external provisioning system the user life cycle in IPA needs to be managed using LDAP commands. It should be possible to add, modify and delete users using pure LDAP commands.

Our current implementation allows only CLI/UI over API because we resolve and add attributes in the framework.


I have a side note: 'User Life Cycle' also includes things like renaming (e.g. after marriage) etc. It would be nice if we can find a solution for such situations.

Currently, with FreeIPA you can add a user:

# ipa user-add --first=Jane --last=Doe jdoe
-----------------
Added user "jdoe"
-----------------
  User login: jdoe
  First name: Jane
  Last name: Doe
  Full name: Jane Doe
  Display name: Jane Doe
  Initials: JD
  Home directory: /home/jdoe
  GECOS: Jane Doe
  Login shell: /bin/sh
  Kerberos principal: jdoe@MY.REALM
  Email address: jdoe@my.realm
  UID: 166200004
  GID: 166200004
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

and then rename it with the --rename option:

# ipa user-mod jdoe --rename jsmith --last Smith
--------------------
Modified user "jdoe"
--------------------
  User login: jsmith
  First name: Jane
  Last name: Smith
  Home directory: /home/jdoe
  Login shell: /bin/sh
  Email address: jdoe@my.realm
  UID: 166200004
  GID: 166200004
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

This would change the user's uid and Kerberos principal while preserving the UID and GID. This will entirely change the user's identity, so you may need to make changes in some of your external systems which do some uid <-> role coupling.

A less intrusive change may be simply:

# ipa user-mod jdoe --last Smith

to keep the uid and Kerberos principal intact.

To sum it up, I am not sure what else FreeIPA could offer.

Starting to shape next release

Summary of discussion on mailing list

Main concern was that there may be software doing direct LDAP additions and modifications for the users.
The software may ADD staging users, helpdesk would activate them and the software would DELete them at the end of the life cycle.

A first idea was that, to enable the deleted users container, one just needs to flip a switch and activate the DS plugin which would turn a DEL into a MODRDN.

A second idea is that the application would need to be taught to do MODRDN instead of LDAP DEL.

Conclusion:

We move (add/del) the entry from the place the provisioning system puts it, then we do not have to do anything for deletion. For HR, users disappear from where they place them.

The delete operation is much simpler than the add, and it should be simple to change the provisioning scripts to do an explicit modrdn rather than a del if they want to do so. Therefore I do not think we need to do anything like a delete->modrdn plugin, which is fraught with dangerous side-effects.

The functionality is there. From now on, the feature is in bugfixing mode.

Metadata Update from @dpal:
- Issue assigned to tbordaz
- Issue set to the milestone: FreeIPA 4.2

7 years ago

