[Freeipa-devel] [RFC] Creating a new plugin to make it simpler to add users via LDAP

Simo Sorce simo at redhat.com
Wed Feb 13 18:11:48 UTC 2013


On Wed, 2013-02-13 at 10:57 -0700, Rich Megginson wrote:

> > Rich,
> > is there potential from deadlocking here due to the new transaction
> > stuff ? Or can we single out this plugin to run before *any*
> > transaction
> > is started ?

> If you do this in a "regular" pre-op, not a "betxn" pre-op, then it 
> should be fine. 

Ok in this case we should be able to create a regular pre-op plugin to
intercept the ldap add call and then use the following flow:
client --(LDAP)--> 389DS --(HTTP/json)--> framework --(LDAP)--> add

So no deadlocks will happen, the remaining issue is how to make sure we
do not loop by mistake in the second add.

One way could be to have loop detection so that if more than two (1.
original, 2. framework) adds for the same DN come in we just return
errors. Another way is to use a special objectclass as I proposed in the
thread and make sure the framework explicitly blacklists it so that it
can never try to send an add with the special oc even by mistake or user
misconfiguration.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
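Added example (not code from the thread or from FreeIPA/389DS): a C sketch of the two loop guards described in the message above, a per-DN add counter that fails closed past two adds and a marker objectclass that the framework strips before re-adding. The marker name `ipaClientAddRequest`, the limit of two, and all function names are assumptions.

```c
#include <string.h>
#include <strings.h>

/* Hypothetical marker objectclass and limit (assumptions, not FreeIPA names). */
#define MARKER_OC       "ipaClientAddRequest"
#define MAX_ADDS_PER_DN 2    /* 1. original client add, 2. framework's add */
#define MAX_TRACKED     64

enum add_verdict {
    ADD_PASSTHROUGH,  /* no marker (e.g. the framework's add): let 389DS store it */
    ADD_FORWARD,      /* client add carrying the marker: hand off to the framework */
    ADD_REJECT_LOOP   /* third add for the same DN: something is looping, error out */
};

struct dn_counter { char dn[256]; int adds; };
static struct dn_counter tracked[MAX_TRACKED];
static int ntracked;

void preop_reset(void) { ntracked = 0; }   /* clear the per-DN table */

/* Count one more add for this DN (case-insensitive match); fail closed when full. */
static int count_add(const char *dn)
{
    for (int i = 0; i < ntracked; i++)
        if (strcasecmp(tracked[i].dn, dn) == 0) return ++tracked[i].adds;
    if (ntracked == MAX_TRACKED) return MAX_ADDS_PER_DN + 1;
    strncpy(tracked[ntracked].dn, dn, sizeof tracked[0].dn - 1);
    tracked[ntracked].dn[sizeof tracked[0].dn - 1] = '\0';
    tracked[ntracked].adds = 1;
    return tracked[ntracked++].adds;
}

int has_marker_oc(const char **ocs, int n)
{
    for (int i = 0; i < n; i++)
        if (strcasecmp(ocs[i], MARKER_OC) == 0) return 1;
    return 0;
}

/* Framework side: blacklist the marker so its own add can never be re-forwarded. */
int framework_strip_marker(const char **in, int n, const char **out)
{
    int m = 0;
    for (int i = 0; i < n; i++)
        if (strcasecmp(in[i], MARKER_OC) != 0) out[m++] = in[i];
    return m;
}

/* Regular (non-betxn) pre-op decision for an incoming LDAP add. */
enum add_verdict preop_add(const char *dn, const char **ocs, int n)
{
    if (count_add(dn) > MAX_ADDS_PER_DN) return ADD_REJECT_LOOP;
    return has_marker_oc(ocs, n) ? ADD_FORWARD : ADD_PASSTHROUGH;
}
```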



