[Freeipa-devel] [RFC] Creating a new plugin to make it simpler to add users via LDAP
John Dennis
jdennis at redhat.com
Wed Feb 13 17:40:53 UTC 2013
I appreciate Simo's concern for authorization and audit in this process,
we must solve that problem. If I understand the proposal correctly it's
akin to recording a macro that can be replayed. The framework executes
as normal but instead of issuing the LDAP modify commands we record
them. Then after the entire command completes we send the recorded
operations back to 389DS in some form. Did I understand this correctly?
If so I'm very much against the idea of sending JSON back to 389DS to
execute the totality of the operation. Why? It either breaks or has the
potential to break our entire processing model, pre and post operations,
validity checks (e.g. querying the current state), user-supplied plugins,
etc. I could see this working in some limited cases which might give you
the illusion it would work. But the only robust general solution I think
we can sign up for supporting is to use the API commands we designed,
period. Anything else just seems like a nightmare scenario of corner cases.
Therefore I think the proposal of watching something (yet to be
determined), calling our API commands, and then cleaning up the watched
entity afterwards is the best approach. Figuring out how to
authenticate/authorize/audit this is the primary challenge, a challenge
far more manageable than trying to subvert the framework with every
known and unknown risk that introduces. It's hard enough as it is
assuring our documented API works correctly. Our API is the only thing I
think we can realistically commit to supporting.
--
John Dennis <jdennis at redhat.com>