[Freeipa-devel] [PATCH] 917 user automember for ipa default user

Martin Kosek mkosek at redhat.com
Mon Jan 16 14:53:10 UTC 2012


On Mon, 2011-12-12 at 23:09 -0500, Rob Crittenden wrote:
> Rob Crittenden wrote:
> > Rather than manually adding users to the default ipa users group
> > configure automember to do it for us.
> >
> > This was quite simple for new installs but a bit complex on upgrades so
> > I implemented it as an update plugin.
> >
> > I also added a unit test for the config module. The majority of config
> > is ignored for now. I'm afraid we'd run into too many false positives if
> > we test each element, and most of these just store data so there isn't a
> > lot that can go wrong.
> >
> > rob
> 
> Small revision. I wasn't shipping the update plugin.
> 
> rob

I have a few minor-ish issues:

0) I was wondering whether this new approach for assignment of ipa
default users is safe enough. If a user accidentally messes with
automember and modifies/deletes the default group rule, new users may be
omitted from the default group set in IPA config. Are we sure that we
are OK with this?

1) Several tests are provided with a hard-coded basedn
(dc=greyoak,dc=com). api.env.basedn would be a better choice.

2) We could optimize user.py not to retrieve config from LDAP since it
is now needed only when api.env.wait_for_attr is now. I think this may
speed up the command a little bit:
        ...
        # Automember adds our user to the default group for us.
        if self.api.env.wait_for_attr:
            config = ldap.get_ipa_config()[1]
            def_primary_group = config.get('ipadefaultprimarygroup')
            newentry = wait_for_value(ldap, dn, 'memberOf',
                                      def_primary_group)
            entry_from_entry(entry_attrs, newentry)
        ...

Martin
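
A defender-side check for the concern in point 0, as an added example that is not part of the original message or of the FreeIPA code: it compares the default group in the IPA config with the automember default group rule and lists users who lack the membership. The entries are constructed dicts shaped like LDAP results; the suffix, the cn=groups,cn=accounts layout, the group name and the use of the autoMemberDefaultGroup attribute for the rule are assumptions.

```python
# Added example: audit that automember still places users in the IPA default group.
# All entries below are constructed sample data shaped like LDAP search results.

BASEDN = "dc=example,dc=com"  # placeholder suffix (assumption)
GROUP_DN = "cn=ipausers,cn=groups,cn=accounts," + BASEDN  # assumed layout

SAMPLE_CONFIG = {"ipadefaultprimarygroup": ["ipausers"]}
SAMPLE_DEFS = [{"cn": ["Group"], "autoMemberDefaultGroup": [GROUP_DN]}]
SAMPLE_USERS = [
    {"uid": ["alice"], "memberOf": [GROUP_DN]},
    {"uid": ["bob"], "memberOf": []},  # created while the rule was missing
]


def norm(dn):
    """Normalize a DN for comparison (case and spacing around commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def audit_default_group(config, automember_defs, users):
    """Return a list of findings; an empty list means the rule is intact."""
    findings = []
    group_cn = config.get("ipadefaultprimarygroup", [None])[0]
    if not group_cn:
        return ["ipadefaultprimarygroup is not set in the IPA config"]
    expected = norm("cn=%s,cn=groups,cn=accounts,%s" % (group_cn, BASEDN))

    # Assumption: the rule is stored as autoMemberDefaultGroup on a definition entry.
    targets = {norm(v) for d in automember_defs
               for k, vals in d.items() if k.lower() == "automemberdefaultgroup"
               for v in vals}
    if not targets:
        findings.append("no automember default group rule found (deleted?)")
    elif expected not in targets:
        findings.append("automember default group does not match IPA config")

    # Users created while the rule was broken stay outside the group.
    for user in users:
        member_of = {norm(g) for g in user.get("memberOf", [])}
        if expected not in member_of:
            findings.append("user %s is missing the default group" % user["uid"][0])
    return findings


if __name__ == "__main__":
    for finding in audit_default_group(SAMPLE_CONFIG, SAMPLE_DEFS, SAMPLE_USERS):
        print(finding)
```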



