[Freeipa-devel] [RFC] Creating a new plugin to make it simpler to add users via LDAP
Petr Viktorin
pviktori at redhat.com
Wed Feb 13 17:16:57 UTC 2013
On 02/13/2013 05:57 PM, Simo Sorce wrote:
> On Wed, 2013-02-13 at 11:44 -0500, Rob Crittenden wrote:
>> Simo Sorce wrote:
>>> On Wed, 2013-02-13 at 16:12 +0100, Petr Viktorin wrote:
>>>> Our own post-callback assumes the user is already in LDAP, and who
>>>> knows what user-supplied callbacks will do. Keep in mind IPA is
>>>> plugable; at least for outside plugins' sake (if not our own sanity's)
>>>> we should keep the number of code paths to a minimum.
>>>
>>> True which is why my proposal is to not use the standard user-add RPC
>>> call, but have a separate one.
>>>
>>> This separate call would only call the core business logic to create the
>>> user account add operation, but none of the external plumbing.
>>>
>>> Ideally we spit the framework flow like this:
>>>
>>> Normal user -> Real user-add --- . . . . . . . . . --- LDAP add
>>> \ /
>>> -- common logic --
>>> / \
>>> 389ds plugin -> Mock user-add -- . . . . . . . . . --- json reply
>>>
>>>
>>> custom plugins should be called in the custom logic an operate on the
>>> object before the ADD is attempted.
>>>
>>> If we do it this way then most of the code path will be in common which
>>> is what we want, and only the mechanical operation of adding the actual
>>> object to ldap will be different.
>>>
>>> Simo.
>>>
>>
>> There is one missing a few steps. A plugin execution looks like:
>>
>> Normal user -> Real user-add --- pre-op call(s) --- execute (LPAP add
>> record) --- post-op call(s) which may do additional add/modify
>>
>> It is the postop calls that would be the problem. They assume that the
>> entry has already been written (so, for example, it has a valid
>> UID/GID/ipaUniqueId, etc).
>
> Why are they done after the add ? It seem dangerous.
This comment from the user-add post-op plugin should explain:
# Fetch the entry again to update memberof, mep data, etc updated
# at the end of the transaction.
Some processing happens in DS plugins, we can't get the data if the
object isn't added yet.
> What happens id the first ldap add succeed and the post op fails ?
>
> We should exceute the ldap call after the post ops are perfomed imho.
>
--
Petr³
More information about the Freeipa-devel
mailing list