On 07/28/2016 04:49 PM, Lukas Slebodnik wrote:
On (28/07/16 16:37), thierry bordaz wrote:
> ...
> That is correct and this is the expected behavior.
> Using ns-inactivate.pl with a role, it inactivates all the entries in that
> role adding nsaccountlock virtual attribute.
> You are right, update (add of nsaccountlock) of regular user can be done
> without update of its modifytimestamp.
>
Thank you very much for confirmation and for info that plugin
is not used on IPA. So we needn't special case nsaccountlock for IPA.
We had a discussion on sssd devel meeting. And we agreed that we will
do some performance measurements. And if there will be significant
difference then we will check modifytimestamp only with IPA and AD,
and it will be disabled by default with generic LDAP.
LS
Hi Lukas,
Just to be sure. Does SSSD currently use or intend to use
ns-inactivate/ns-activate to disable/enable ipa users?
thanks
thierry