[Freeipa-devel] [RFC] Creating a new plugin to make it simpler to add users via LDAP

John Dennis jdennis at redhat.com
Wed Feb 13 17:40:53 UTC 2013


I appreciate Simo's concern for authorization and audit in this process, 
we must solve that problem. If I understand the proposal correctly it's 
akin to recording a macro that can be replayed. The framework executes 
as normal but instead of issuing the LDAP modify commands we record 
them. Then after the entire command completes we send the recorded 
operations back to 389DS in some form. Did I understand this correctly? 
If so I'm very much against the idea of sending JSON back to 389DS to 
execute the totality of the operation. Why? It either breaks or has the 
potential to break our entire processing model, pre and post operations, 
validity checks (e.g. querying the current state), user-supplied plugins, 
etc. I could see this working in some limited cases which might give you 
the illusion it would work. But the only robust general solution I think 
we can sign up for supporting is to use the API commands we designed, 
period. Anything else just seems like a nightmare scenario of corner cases.

Therefore I think the proposal of watching something (yet to be 
determined), calling our API commands, and then cleaning up the watched 
entity afterwards is the best approach. Figuring out how to 
authenticate/authorize/audit this is the primary challenge, a challenge 
far more manageable than trying to subvert the framework with every 
known and unknown risk that introduces. It's hard enough as it is 
assuring our documented API works correctly. Our API is the only thing I 
think we can realistically commit to supporting.

-- 
John Dennis <jdennis at redhat.com>

