[Freeipa-devel] FreeIPA Auto Membership CLI
JR Aquino
JR.Aquino at citrix.com
Thu Jun 2 15:39:24 UTC 2011
I need feedback from the group regarding how we should present the output for Clarity, the 389 Directory Server Auto Membership Plugin...
Currently, the output looks like this:
---=== EXAMPLE ===---
[root@auth2 ~]# ipa clarityrule-show testrule --all
dn: cn=testrule,cn=automember,cn=etc,dc=expertcity,dc=com
Clarity Rule: testrule
Membership filter: objectclass=ipaHost
Default Group: cn=orphans,cn=hostgroups,cn=accounts,dc=expertcity,dc=com
Inclusive Regex: cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com::fqdn=^web[1-9]+.example.com, cn=mailservers,cn=hostgroups,cn=accounts,dc=example,dc=com::fqdn=^mail[1-9]+.example.com,
cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com::fqdn=^www[1-9]+.example.com
Exclusive Regex: cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com:blacklist www5:fqdn=^www5\.example\.com
automembergroupingattr: member:dn
automemberscope: dc=expertcity,dc=com
objectclass: top, automemberdefinition
---=== EXAMPLE ===---
Each rule in the definition object is broken down into 3 distinct parts: Group to modify, Description, Attribute + Regular Expression to match.
As time progresses it will be likely that these rules could get long and visually unappealing. I would like to know how we might better represent this info.
Perhaps a breakout with indentation for each unique group defined in each rule?
---===SUGGESTION===---
[root@auth2 ~]# ipa clarityrule-show testrule --all
dn: cn=testrule,cn=automember,cn=etc,dc=expertcity,dc=com
Clarity Rule: testrule
Membership filter: objectclass=ipaHost
Default Group: cn=orphans,cn=hostgroups,cn=accounts,dc=expertcity,dc=com
Inclusive Regex:
    cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com
        FrontEnd: fqdn=^web[1-9]+.example.com,
        MainSite: fqdn=^www[1-9]+.example.com
    cn=mailservers,cn=hostgroups,cn=accounts,dc=example,dc=com
        SMTP: fqdn=^mail[1-9]+.example.com,
Exclusive Regex:
    cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com
        blacklist: www5:fqdn=^www5\.example\.com
automembergroupingattr: member:dn
automemberscope: dc=expertcity,dc=com
objectclass: top, automemberdefinition
---===SUGGESTION===---
Using these rules, the Auto Membership Plugin monitors for insertions into the LDAP directory matching the Membership Filter; in this example, objectclass=ipaHost.
The object matching the filter is then compared against the exclusive rules to make sure there is not a marker which indicates the object should NOT be a member of a given group.
Then the object is compared against the inclusive rules to determine if there is a match.
If there is a match, the object is added to the group defined in the matching rule.
If all rules are exhausted, the object is optionally added to the group defined by the Default Group attribute of the Definition.
You can view the design document here for more details on how the rules are represented within the raw directory.
http://directory.fedoraproject.org/wiki/Auto_Membership_Design
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jr Aquino, GCIH | Information Security Specialist
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T: +1 805.690.3478
jr.aquino at citrixonline.com
http://www.citrixonline.com
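
The evaluation order described in the message above (membership filter, then exclusive rules, then inclusive rules, then the default group), as an added example that is not part of the original post and is not FreeIPA or 389 Directory Server code. The function names, the dict layout and the sample host entries are assumptions made for illustration, and Python's `re` stands in for the plugin's own regex matching.

```python
import re
from typing import NamedTuple

class Rule(NamedTuple):
    group: str
    description: str
    attr: str
    regex: re.Pattern

def parse_rule(text):
    """Split 'group DN:description:attr=regex', the form shown in the CLI output."""
    group, description, condition = text.strip().split(":", 2)
    attr, pattern = condition.split("=", 1)
    return Rule(group, description, attr.lower(), re.compile(pattern))

def target_groups(entry, definition):
    """Return the groups a new entry would be added to under one definition."""
    # Assumption: only an 'objectclass=VALUE' membership filter is handled here.
    _, wanted = definition["filter"].split("=", 1)
    if wanted.lower() not in (oc.lower() for oc in entry.get("objectclass", [])):
        return []
    def matches(rule):
        return any(rule.regex.search(v) for v in entry.get(rule.attr, []))
    # Exclusive rules run first and veto membership of their group.
    excluded = {r.group for r in map(parse_rule, definition["exclusive"]) if matches(r)}
    included = []
    for rule in map(parse_rule, definition["inclusive"]):
        if matches(rule) and rule.group not in excluded and rule.group not in included:
            included.append(rule.group)
    if included:
        return included
    default = definition.get("default_group")  # optional fallback
    return [default] if default else []

# Rule strings copied from the example output in the post.
ACCOUNTS = "cn=hostgroups,cn=accounts,dc=example,dc=com"
TESTRULE = {
    "filter": "objectclass=ipaHost",
    "default_group": "cn=orphans,cn=hostgroups,cn=accounts,dc=expertcity,dc=com",
    "inclusive": [
        f"cn=webservers,{ACCOUNTS}::fqdn=^web[1-9]+.example.com",
        f"cn=mailservers,{ACCOUNTS}::fqdn=^mail[1-9]+.example.com",
        f"cn=webservers,{ACCOUNTS}::fqdn=^www[1-9]+.example.com",
    ],
    "exclusive": [f"cn=webservers,{ACCOUNTS}:blacklist www5:fqdn=^www5\\.example\\.com"],
}

def host(fqdn):  # constructed sample entry, not taken from a real directory
    return {"objectclass": ["top", "ipaHost"], "fqdn": [fqdn]}
```

The inclusive patterns in the example leave `.` unescaped and have no trailing `$`, so they accept more than the literal host names, while the exclusive rule escapes its dots; a reviewer of such rules would want both anchored and escaped the same way.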