Description
We have a mix of portal-generated entries and manually generated entries in LDAP. To differentiate the two, I created the unityusers group. I then foolishly repurposed the unityusers group to be the "qualified users group", and used it to differentiate users with Unity cluster access from users without.
I am thinking of adding some logic to detect users that weren't created by the portal. We could call them "martians", following the networking term. Martians should not be subject to the account expiration policy and the portal should error gracefully when it encounters them. Example: a martian requests a PI group, the PI tries to add the martian to the group, and UnityUser->exists() detects that the martian's posixAccount exists but their posixGroup does not exist (or does not exist in the userGroups OU).
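A sketch of the check proposed above, added here as an illustration and not taken from the portal's code base. It assumes each portal-created user has a posixGroup whose cn equals the account's uid, and the base DNs, the `classify` and `subject_to_expiration` helpers, and the directory snapshot are all constructed for the example.

```python
import re

# Assumed base DN of the OU that holds portal-created user groups (hypothetical).
USER_GROUPS_OU = "ou=userGroups,dc=example,dc=org"

# Constructed directory snapshot: DN -> attributes.
ENTRIES = {
    "cn=alice,ou=users,dc=example,dc=org": {"objectClass": ["posixAccount"], "uid": ["alice"]},
    "cn=alice,ou=userGroups,dc=example,dc=org": {"objectClass": ["posixGroup"], "cn": ["alice"]},
    "cn=bob,ou=users,dc=example,dc=org": {"objectClass": ["posixAccount"], "uid": ["bob"]},
    "cn=bob,ou=legacy,dc=example,dc=org": {"objectClass": ["posixGroup"], "cn": ["bob"]},
    "cn=carol,ou=users,dc=example,dc=org": {"objectClass": ["posixAccount"], "uid": ["carol"]},
}

def split_dn(dn):
    """Split a DN on unescaped commas and normalise each RDN for comparison."""
    return [rdn.strip().lower() for rdn in re.split(r"(?<!\\),", dn)]

def has_class(attrs, name):
    """LDAP objectClass names compare case-insensitively."""
    return name.lower() in (c.lower() for c in attrs.get("objectClass", []))

def classify(entries, groups_ou=USER_GROUPS_OU):
    """Label every posixAccount as 'portal' or as a martian, with the reason."""
    ou = split_dn(groups_ou)
    in_ou, elsewhere = set(), set()
    for dn, attrs in entries.items():
        if has_class(attrs, "posixGroup"):
            names = {cn.lower() for cn in attrs.get("cn", [])}
            # Only groups that sit directly under the userGroups OU count.
            (in_ou if split_dn(dn)[1:] == ou else elsewhere).update(names)
    result = {}
    for attrs in entries.values():
        if not has_class(attrs, "posixAccount"):
            continue
        uid = attrs["uid"][0].lower()
        if uid in in_ou:
            result[uid] = "portal"
        elif uid in elsewhere:
            result[uid] = "martian: posixGroup outside userGroups OU"
        else:
            result[uid] = "martian: no posixGroup"
    return result

def subject_to_expiration(uid, classification):
    """Only portal-created accounts are expired; martians and unknowns are skipped."""
    return classification.get(uid.lower()) == "portal"
```

Returning the reason alongside the label lets the caller show a specific error instead of failing when a martian turns up in a group request.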