[Freeipa-devel] FreeIPA Auto Membership CLI

JR Aquino JR.Aquino at citrix.com
Thu Jun 2 15:39:24 UTC 2011


I need feedback from the group regarding how we should present the output for Clarity, the 389 Directory Server Auto Membership Plugin...

Currently, the output looks like this:

---=== EXAMPLE ===---
[root at auth2 ~]# ipa clarityrule-show testrule --all
  dn: cn=testrule,cn=automember,cn=etc,dc=expertcity,dc=com
  Clarity Rule: testrule
  Membership filter: objectclass=ipaHost
  Default Group: cn=orphans,cn=hostgroups,cn=accounts,dc=expertcity,dc=com
  Inclusive Regex: cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com::fqdn=^web[1-9]+.example.com, cn=mailservers,cn=hostgroups,cn=accounts,dc=example,dc=com::fqdn=^mail[1-9]+.example.com,
                   cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com::fqdn=^www[1-9]+.example.com
  Exclusive Regex: cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com:blacklist www5:fqdn=^www5\.example\.com
  automembergroupingattr: member:dn
  automemberscope: dc=expertcity,dc=com
  objectclass: top, automemberdefinition
---=== EXAMPLE ===---

Each rule in the definition object is broken down into 3 distinct parts: Group to modify, Description, Attribute + Regular Expression to match.

As time progresses it will be likely that these rules could get long and visually unappealing.  I would like to know how we might better represent this info.

Perhaps a breakout with indentation for each unique group defined in each rule?

---===SUGGESTION===---
[root at auth2 ~]# ipa clarityrule-show testrule --all
  dn: cn=testrule,cn=automember,cn=etc,dc=expertcity,dc=com
  Clarity Rule: testrule
  Membership filter: objectclass=ipaHost
  Default Group: cn=orphans,cn=hostgroups,cn=accounts,dc=expertcity,dc=com
  Inclusive Regex: 
        cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com
            FrontEnd: fqdn=^web[1-9]+.example.com,
            MainSite: fqdn=^www[1-9]+.example.com            
        cn=mailservers,cn=hostgroups,cn=accounts,dc=example,dc=com
            SMTP: fqdn=^mail[1-9]+.example.com,
  Exclusive Regex: 
        cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com
            blacklist: www5:fqdn=^www5\.example\.com
  automembergroupingattr: member:dn
  automemberscope: dc=expertcity,dc=com
  objectclass: top, automemberdefinition
---===SUGGESTION===---

Using these rules, the Auto Membership Plugin monitors for insertions into the LDAP directory matching the Membership Filter; in this example, objectclass=ipaHost.

The object matching the filter is then compared against the exclusive rules to make sure there is not a marker which indicates the object should NOT be a member of a given group.

Then the object is compared against the inclusive rules to determine if there is a match.
If there is a match, the object is added to the group defined in the matching rule.
If all rules are exhausted, the object is optionally added to the group defined by the Default Group attribute of the Definition.

You can view the design document here for more details on how the rules are represented within the raw directory.
http://directory.fedoraproject.org/wiki/Auto_Membership_Design


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jr Aquino, GCIH | Information Security Specialist
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T:  +1 805.690.3478
jr.aquino at citrixonline.com
http://www.citrixonline.com
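The evaluation order described in the post (exclusive rules first, then inclusive rules, then the optional Default Group), as an added Python model that is not part of the post or of the 389 Auto Membership plugin itself; the rule tuples, the host entry layout and the scope/filter checks are constructed here from the testrule output quoted above.

```python
import re

# Constructed definition mirroring the "testrule" output quoted in the post
# (not the 389 plugin's own data structures). Rules are tuples of
# (target group DN, description, attribute, regex).
WEB = "cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com"
MAIL = "cn=mailservers,cn=hostgroups,cn=accounts,dc=example,dc=com"
TESTRULE = {
    "scope": "dc=expertcity,dc=com",
    "filter": ("objectclass", "ipaHost"),
    "default_group": "cn=orphans,cn=hostgroups,cn=accounts,dc=expertcity,dc=com",
    # The post's inclusive patterns leave the '.' unescaped; copied verbatim.
    "inclusive": [
        (WEB, "FrontEnd", "fqdn", r"^web[1-9]+.example.com"),
        (WEB, "MainSite", "fqdn", r"^www[1-9]+.example.com"),
        (MAIL, "SMTP", "fqdn", r"^mail[1-9]+.example.com"),
    ],
    "exclusive": [
        (WEB, "blacklist www5", "fqdn", r"^www5\.example\.com"),
    ],
}


def _matches(entry, attr, regex):
    # LDAP attributes are multi-valued: any one value matching is enough.
    return any(re.search(regex, value) for value in entry.get(attr, []))


def evaluate(entry, definition=TESTRULE):
    """Return the set of group DNs the added entry should become a member of."""
    if not entry["dn"].lower().endswith(definition["scope"].lower()):
        return set()                      # outside automemberscope
    attr, wanted = definition["filter"]
    if wanted.lower() not in (v.lower() for v in entry.get(attr, [])):
        return set()                      # membership filter did not match
    # 1. Exclusive rules first: a match vetoes membership in that group.
    vetoed = {group for group, _, a, rx in definition["exclusive"]
              if _matches(entry, a, rx)}
    # 2. Inclusive rules, skipping any group vetoed above.
    groups = {group for group, _, a, rx in definition["inclusive"]
              if group not in vetoed and _matches(entry, a, rx)}
    # 3. Nothing matched: fall back to the (optional) default group.
    if not groups and definition.get("default_group"):
        groups = {definition["default_group"]}
    return groups


def host(fqdn, objectclass=("top", "ipaHost")):
    # Constructed host entry, as it would be added under the scope.
    return {"dn": f"fqdn={fqdn},cn=computers,cn=accounts,dc=expertcity,dc=com",
            "objectclass": list(objectclass), "fqdn": [fqdn]}
```

With this rule set, www5.example.com matches the MainSite inclusive regex but is vetoed by the blacklist rule, so it lands in the orphans default group rather than webservers.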
