[Freeipa-devel] FreeIPA Auto Membership CLI
Dmitri Pal
dpal at redhat.com
Thu Jun 2 17:00:20 UTC 2011
On 06/02/2011 11:39 AM, JR Aquino wrote:
> I need feedback from the group regarding how we should present the output for Clarity, the 389 Directory Server Auto Membership Plugin...
>
> Currently, the output looks like this:
>
> ---=== EXAMPLE ===---
> [root@auth2 ~]# ipa clarityrule-show testrule --all
> dn: cn=testrule,cn=automember,cn=etc,dc=expertcity,dc=com
> Clarity Rule: testrule
> Membership filter: objectclass=ipaHost
> Default Group: cn=orphans,cn=hostgroups,cn=accounts,dc=expertcity,dc=com
> Inclusive Regex: cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com::fqdn=^web[1-9]+.example.com, cn=mailservers,cn=hostgroups,cn=accounts,dc=example,dc=com::fqdn=^mail[1-9]+.example.com,
> cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com::fqdn=^www[1-9]+.example.com
> Exclusive Regex: cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com:blacklist www5:fqdn=^www5\.example\.com
> automembergroupingattr: member:dn
> automemberscope: dc=expertcity,dc=com
> objectclass: top, automemberdefinition
> ---=== EXAMPLE ===---
>
> Each rule in the definition object is broken down into 3 distinct parts: Group to modify, Description, Attribute + Regular Expression to match.
>
> As time progresses it will be likely that these rules could get long and visually unappealing. I would like to know how we might better represent this info.
>
> Perhaps a breakout with indentation for each unique group defined in each rule?
>
> ---===SUGGESTION===---
> [root@auth2 ~]# ipa clarityrule-show testrule --all
> dn: cn=testrule,cn=automember,cn=etc,dc=expertcity,dc=com
> Clarity Rule: testrule
> Membership filter: objectclass=ipaHost
> Default Group: cn=orphans,cn=hostgroups,cn=accounts,dc=expertcity,dc=com
> Inclusive Regex:
>     cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com
>         FrontEnd: fqdn=^web[1-9]+.example.com,
>         MainSite: fqdn=^www[1-9]+.example.com
>     cn=mailservers,cn=hostgroups,cn=accounts,dc=example,dc=com
>         SMTP: fqdn=^mail[1-9]+.example.com,
> Exclusive Regex:
>     cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com
>         blacklist: www5:fqdn=^www5\.example\.com
> automembergroupingattr: member:dn
> automemberscope: dc=expertcity,dc=com
> objectclass: top, automemberdefinition
> ---===SUGGESTION===---
>
This presentation assumes that the description is not empty.
In the general case it is not true, so I would suggest fixed labels even if
the values would have duplicates.
Group: cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com
Description:
Regex: fqdn=^web[1-9]+.example.com
-----
Group: cn=mailservers,cn=hostgroups,cn=accounts,dc=example,dc=com
Description:
Regex: fqdn=^mail[1-9]+.example.com
-----
Group: cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com
Description:
Regex: fqdn=^www[1-9]+.example.com
-----
Keep the indent that you proposed, it looks OK with the indent.
> Using these rules, the Auto Membership Plugin monitors for insertions into the LDAP directory matching the Membership Filter; in this example, objectclass=ipaHost
>
> The object matching the filter is then compared against the exclusive rules to make sure there is not a marker which indicates the object should NOT be a member of a given group.
>
> Then the object is compared against the inclusive rules to determine if there is a match.
> If there is a match, the object is added to the group defined in the matching rule.
> If all rules are exhausted, the object is optionally added to the group defined by the Default Group attribute of the Definition.
>
> You can view the design document here for more details on how the rules are represented within the raw directory.
> http://directory.fedoraproject.org/wiki/Auto_Membership_Design
>
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Jr Aquino, GCIH | Information Security Specialist
> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
> T: +1 805.690.3478
> jr.aquino at citrixonline.com
> http://www.citrixonline.com
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
>
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
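
Added example (not part of the original message, and not FreeIPA or 389 Directory Server code): a small Python model of the evaluation order JR describes, run over the rule values from his output. The names parse_rule, matching_groups, target_groups and STRICT, the use of re.search, and the sample FQDNs are assumptions made for the illustration; it also shows that the unescaped, end-unanchored pattern matches a name outside example.com.

```python
import re

# Rule values copied from the "Inclusive Regex" / "Exclusive Regex" output quoted above.
BASE = "cn=hostgroups,cn=accounts,dc=example,dc=com"
WEB, MAIL = f"cn=webservers,{BASE}", f"cn=mailservers,{BASE}"
DEFAULT_GROUP = "cn=orphans,cn=hostgroups,cn=accounts,dc=expertcity,dc=com"
INCLUSIVE = [
    f"{WEB}::fqdn=^web[1-9]+.example.com",
    f"{MAIL}::fqdn=^mail[1-9]+.example.com",
    f"{WEB}::fqdn=^www[1-9]+.example.com",
]
EXCLUSIVE = [rf"{WEB}:blacklist www5:fqdn=^www5\.example\.com"]
# Constructed variant of the first rule: dots escaped and the end anchored.
STRICT = [rf"{WEB}::fqdn=^web[1-9]+\.example\.com$"]


def parse_rule(value):
    """Split 'group DN:description:attribute=regex' into its three parts."""
    group, description, condition = value.split(":", 2)
    attr, _, pattern = condition.partition("=")
    return group, description, attr, re.compile(pattern)


def matching_groups(entry, rules):
    """Return the groups of every rule whose regex matches the entry."""
    return {
        group
        for group, _desc, attr, regex in map(parse_rule, rules)
        if regex.search(entry.get(attr, ""))  # assumption: search semantics
    }


def target_groups(entry, inclusive=INCLUSIVE, exclusive=EXCLUSIVE):
    """Exclusive matches veto a group; no surviving match means the default."""
    excluded = matching_groups(entry, exclusive)
    included = matching_groups(entry, inclusive) - excluded
    return included or {DEFAULT_GROUP}


if __name__ == "__main__":
    # Constructed sample hosts; the last one is not under example.com at all.
    for fqdn in ("web1.example.com", "mail3.example.com", "www5.example.com",
                 "db1.example.com", "web1-example.com.constructed.invalid"):
        entry = {"fqdn": fqdn}
        print(fqdn, sorted(target_groups(entry)),
              sorted(target_groups(entry, inclusive=STRICT)))
```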