[Freeipa-devel] Proposal for Auto Membership plugin

Rob Crittenden rcritten at redhat.com
Thu Jul 21 18:25:45 UTC 2011


To summarize, I think this is how we will proceed.

Create a new plugin, automember, based heavily on the work already done.

The container_dn will be cn=automember,cn=etc. If automembership is 
preferred I can be flexible but using the same name everywhere makes 
things easy to follow.

The DN will be of the form: cn=<rule>,cn=<type>,<container_dn>,<base_dn>

The pre-defined automembership types (as defined by the type enumerator) 
will be group and hostgroup. The current LDIF will need to drop the 
plurality (to become cn=group,cn=automember,cn=etc,$SUFFIX)

type is required for all commands.

The available commands will be:

automember-add               Add an automember rule
   --type=ENUM             (hostgroup, group)
   --desc=STR            description of this auto membership rule
   --inclusive-regex=LIST    Inclusive Regex
   --exclusive-regex=LIST    Exclusive Regex

automember-add-condition     Add conditions to automember rule
   --type=ENUM             (hostgroup, group)
   --inclusive-regex=LIST    Inclusive Regex
   --exclusive-regex=LIST    Exclusive Regex

automember-del               Delete an automember rule
   --type=ENUM             (hostgroup, group)

automember-find              Search for automember rules
   --type=ENUM             (hostgroup, group)

automember-mod               Modify an automember rule.
   --type=ENUM             (hostgroup, group)
   --desc=STR

NOTE: you cannot manage inclusive or exclusive conditions via the mod 
command, the helpers need to be used.

automember-remove-condition  Remove conditions from an automember rule
   --type=ENUM             (hostgroup, group)
   --inclusive-regex=LIST    Inclusive Regex
   --exclusive-regex=LIST    Exclusive Regex

automember-show              Display an automember rule
   --type=ENUM             (hostgroup, group)

automember-default-group  Set a default group for auto membership
   --type=ENUM              (hostgroup, group)
   --name=STR               Name of entity to put entries that don't match

The current patch is really not very far off of this. Off the top of my 
head this is how I'd go about it:

- freeipa.spec needs to have a Requires on 1.2.9, not a BuildRequires 
(though it doesn't hurt for them to be the same)
- automembership.ldif, change the container and cns
- constants.py, change the container
- copy the clarity code from hostgroup.py to automember.py and rename 
everything
- add flags=[no_update, no_create] to automemberinclusiveregex and 
automemberexclusiveregex.
- replace group_dn() with a function dn_exists(). Use the type objects 
get_dn() to construct a dn and call ldap.get_entry() on it. Something like:

class automember(LDAPObject):
    def dn_exists(self, type, groupname):
        """Return the DN of the target entry (group or hostgroup) if it exists.

        The DN is built by the type object's own get_dn(), so the same code
        path serves every automember type instead of a group-only group_dn().
        """
        ldap = self.api.Backend.ldap2
        dn = self.api.Object[type].get_dn(groupname)
        try:
            (gdn, entry_attrs) = ldap.get_entry(dn, [])
        except errors.NotFound:
            # handle_not_found() raises a NotFound with the object's own
            # message, so gdn is never returned unbound.
            self.api.Object[type].handle_not_found(groupname)
        return gdn

- Use symbol names instead of a tuple of attr names
- Do some sort of validation on the regex. I'm not sure if the python re 
engine will match the 389-ds one but we should be able to do some sanity 
checks, like making sure the regex doesn't start with attr = ...
- The setting of entry_attrs now looks something like:

    entry_attrs[attr] = ['fqdn=' + condition ...

Since this will be generic it will need to look like:

    entry_attrs[attr] = ['%s' % self.api.Object[type].primary_key.name + 
condition ...

- tests will need to be updated. I think that using the newer test 
format such as in test_user_plugin.py is easier to create and manage in 
the long-run and covers more ground than the older method.

rob
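The proposal above sketches three generic pieces: building the rule DN as cn=<rule>,cn=<type>,cn=automember,cn=etc,<base_dn>, sanity-checking the user-supplied regex (in particular rejecting a condition that already starts with "attr="), and prefixing each condition with the type object's primary key. The following is an added, stand-alone example of those pieces written for this page; it is not code from the post or from FreeIPA. It assumes a type-to-primary-key mapping of hostgroup -> fqdn and group -> uid, escapes the rule name as an RDN value per RFC 4514 so a rule name cannot inject extra DN components, and uses Python's re engine only as a syntax sanity check, since (as the post notes) it may not match 389-ds's regex engine exactly.

```python
import re

# Assumption for this example: the two types the proposal enumerates, mapped
# to the attribute that the rule condition must be keyed on (the post shows
# 'fqdn=' for hostgroup rules; 'uid' for group rules is assumed here).
AUTOMEMBER_TYPES = {"hostgroup": "fqdn", "group": "uid"}

# Container from the proposal: cn=automember,cn=etc (without $SUFFIX).
CONTAINER_DN = "cn=automember,cn=etc"

# Characters that must be backslash-escaped inside an RDN attribute value
# (RFC 4514 section 2.4), plus leading space/'#' and trailing space.
_RDN_SPECIAL = '\\,+"<>;='


def escape_rdn_value(value):
    """Escape an RDN attribute value so it cannot terminate or extend the DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _RDN_SPECIAL:
            out.append("\\" + ch)
        elif i == 0 and ch in " #":
            out.append("\\" + ch)
        elif i == last and ch == " ":
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def rule_dn(rule, type_, base_dn):
    """Build cn=<rule>,cn=<type>,<container_dn>,<base_dn>, rejecting unknown types."""
    if type_ not in AUTOMEMBER_TYPES:
        raise ValueError("unknown automember type: %r" % (type_,))
    return "cn=%s,cn=%s,%s,%s" % (escape_rdn_value(rule), type_, CONTAINER_DN, base_dn)


# Heuristic from the proposal: a condition must not start with "attr=" because
# the plugin prepends the primary key itself; a leading "fqdn=" would otherwise
# end up stored as "fqdn=fqdn=...".
_ATTR_PREFIX = re.compile(r"^\s*[A-Za-z][\w.;-]*\s*=")


def validate_regex(condition):
    """Return the condition if it is a compilable regex without an attr= prefix."""
    if _ATTR_PREFIX.match(condition):
        raise ValueError("condition must not start with an attribute name: %r" % (condition,))
    try:
        re.compile(condition)
    except re.error as e:
        raise ValueError("invalid regex %r: %s" % (condition, e))
    return condition


def build_conditions(type_, conditions):
    """Produce the values stored in automemberInclusiveRegex/ExclusiveRegex.

    Each value has the form '<primary_key>=<regex>', mirroring the
    "primary_key.name + condition" construction in the proposal.
    """
    if type_ not in AUTOMEMBER_TYPES:
        raise ValueError("unknown automember type: %r" % (type_,))
    attr = AUTOMEMBER_TYPES[type_]
    return ["%s=%s" % (attr, validate_regex(c)) for c in conditions]


if __name__ == "__main__":
    # Constructed sample input, not taken from any real deployment.
    print(rule_dn("web servers", "hostgroup", "dc=example,dc=com"))
    print(build_conditions("hostgroup", [r"^web[0-9]+\.example\.com$"]))
```

The attr= check is deliberately a heuristic: it will refuse a legitimate regex such as "web=" as well, which is the safer failure for a rule that is evaluated server-side on every entry write. Regex syntax that compiles under Python's re but not under the directory server's engine still has to be caught by the server's own error on add.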