[Freeipa-devel] ipa-cli examples

Masato Taruishi taruishi at redhat.com
Wed Jul 4 05:42:55 UTC 2007


> On Wed, 2007-07-04 at 03:25 +0900, Masato Taruishi wrote:
> > Hi, FreeIPA guys.
> > 
> > Sorry about my stupid mail. I'm new to FreeIPA, but
> > interested in this project. 
> > 
> > I couldn't find the design detail but I experimentally
> > wrote a simple flexible library to manage LDAP, and others,
> > entries and some tools using the library in this weekend.
> > It's a very quick implementation, poor feature and needs
> > refactoring, but if it's useful for this project, I'd like
> > to contribute these tools.
> 
> Thanks - looks interesting. We'll try to post some more design
> information as we go. Comments below.
> 
> > Summary:
> > =========
> > 
> > - flexible LDAP management library in python including
> > 
> >   * PasswordModifyExtension support
> >   * PagedResultsControl support
> > 
> 
> I think we have the same goals, but I just want to mention that with
> freeipa we are trying to hide as many ldap details as possible. I know
> that this is just a backend component, but I wanted to make that goal
> explicit.

Exactly. The above library provides database abstraction which hides
ldap details by creating an abstract class to hold user account
information. PasswordModifyExtension is used only in the ldap
backend, so you don't have to consider ldap details as long as
you use this library. The ldap backend uses Password Modify Extension
internally, in order to communicate with ipa-pwd-extop SLAPI plugin.

In addition, because of database abstraction, you can use another
user account database backend such as /etc/passwd, CSV and so on
instead of ldap, though these backends have to be written in the
future.

> > - example command line tools
> > 
> >   * ipa-useradd
> > 
> >      Add a user to LDAP like /usr/sbin/useradd
> > 
> 
> How do you select the object class to represent the user?

Good question. At least in the current implementation, the
object classes are hard-coded now :( It has to be configurable.
I've written a similar library a few years ago and the
library provides template-based default objectclass determination.
Because account information created by the template doesn't
depend on LDAP itself, the 'Mapping Tier' maps the abstract
information to LDAP-specific attributes as follows:

+----------+     +--------------------+
| Template +--+->| Abstract User Info |
+----------+  |  +-+------------------+
              |    |
  uid --------+    |  +--------+   +--------+   +-----------+
                   +->| Mapper +-->| LDAPBE +-->| Fedora-DS |
                      +--------+   +--------+   +-----------+

I want to reimplement the most useful features, which the previous
library has, with some improvements. The new library
is in a really really early stage. I wrote this code last
Sunday so it needs more time to refine it.

> >   * ipa-userdel
> > 
> >      Delete a user from LDAP like /usr/sbin/userdel
> > 
> >   * ipa-vipw
> > 
> >      Edit user database in LDAP like /usr/sbin/vipw
> > 
> 
> So this creates a temporary file similar to the password file for
> interactive editing?

Yes. ipa-vipw doesn't provide any lock mechanism to LDAP.

> >   * ipa-passwd
> > 
> >      Change user password in LDAP by using Password
> >      Modify Extension
> > 
> > How To Use:
> > =============
> > 
> > 1. Install python-ldap
> > 
> >    ~# yum install python-ldap
> > 
> > 2. Unpack ipa-cli-taru.tar.gz
> > 
> >    ~$ tar zxf ipa-cli-taru.tar.gz
> > 
> > 3. Change directory
> > 
> >    ~$ cd ipa-cli/src
> > 
> > 4. Add user
> > 
> >    ~$ ./ipa-useradd -H ldap://localhost/dc=example,dc=com \
> >           -D 'cn=Directory Manager' -w <password> user1
> > 
> 
> We are planning to use service discovery most of the time to avoid
> passing host and base dn. Also we'd prefer to always use kerberos
> instead of simple binds.

I agreed. The library also abstracts authentication method so that
it can support additional authentications such as SASL/Digest-MD5,
GSSAPI and so on. It has already supported anonymous bind and
simple bind. SASL bind also has to be supported, of course.

Thanks
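As an added example (not the ipa-cli code attached to this mail), here is how the template-driven mapping tier and an LDAP backend that changes passwords through the Password Modify extended operation (python-ldap's passwd_s()) could look. The template format, class names and the attribute choices are assumptions; only python-ldap's initialize/simple_bind_s/add_s/passwd_s calls are real API.

```python
from dataclasses import dataclass

# Hypothetical template (an assumption, not ipa-cli's format): which objectClasses
# a user entry gets and how abstract fields map to LDAP attributes. Both are data.
DEFAULT_TEMPLATE = {
    "objectClass": ["top", "person", "organizationalPerson",
                    "inetOrgPerson", "posixAccount"],
    "map": {"uid": "uid", "name": "cn", "surname": "sn",
            "uidnumber": "uidNumber", "gidnumber": "gidNumber",
            "home": "homeDirectory"},
}

@dataclass
class User:
    """Backend-independent account information (the 'Abstract User Info')."""
    uid: str
    name: str
    surname: str
    uidnumber: int
    gidnumber: int
    home: str = ""          # empty -> derived from uid by the mapper

class Mapper:
    """Mapping tier: abstract User -> (dn, LDAP attribute dict)."""
    def __init__(self, base_dn, template=DEFAULT_TEMPLATE):
        self.base_dn, self.template = base_dn, template
    def dn_for(self, uid):
        return "uid=%s,%s" % (uid, self.base_dn)
    def to_entry(self, user):
        attrs = {"objectClass": list(self.template["objectClass"])}
        for field_name, ldap_attr in self.template["map"].items():
            value = getattr(user, field_name)
            if field_name == "home" and not value:
                value = "/home/" + user.uid
            attrs[ldap_attr] = [str(value)]
        return self.dn_for(user.uid), attrs

class LDAPBackend:
    """LDAP backend; callers see only User objects, never DNs or extended ops."""
    def __init__(self, uri, bind_dn, password, base_dn, template=DEFAULT_TEMPLATE):
        import ldap  # python-ldap, imported lazily so Mapper works without it
        self.conn = ldap.initialize(uri)
        self.conn.simple_bind_s(bind_dn, password)
        self.mapper = Mapper(base_dn, template)
    def add(self, user):
        dn, attrs = self.mapper.to_entry(user)
        self.conn.add_s(dn, [(a, [v.encode() for v in vs]) for a, vs in attrs.items()])
    def passwd(self, uid, old_password, new_password):
        # Password Modify extended op (RFC 3062): the server-side plugin handles the password.
        self.conn.passwd_s(self.mapper.dn_for(uid), old_password, new_password)
```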