[Freeipa-devel] [RFC] Creating a new plugin to make it simpler to add users via LDAP
John Dennis
jdennis at redhat.com
Thu Feb 14 04:30:46 UTC 2013
On 02/13/2013 10:40 PM, Nathan Kinder wrote:
> With the DS plug-in approach that calls into the IPA framework with a
> 'mock add' to form the resulting entry at the pre-op stage, we could
> take care of the initial ADD operation of the user entry. We would
> still need to have a way to trigger the additional write operations that
> the IPA framework performs. The proposed DS plug-in could do an
> internal search operation after the add, then it could perform the
> additional write operations that are needed. This logic would need to
> be in the DS plug-in, or we would need another way to get the details
> from the IPA framework via JSON. The approach begins to get a bit messy.
Messy is one word for it :-) Herein lies the problem. user-add is
actually a simple case where in this particular version of our code we
know the LDAP operations that occur and in what order. But there is
nothing in our coding guidelines that guarantees this, it just happens
to be true today. Pre and post callbacks are free to do as they please.
The logic in our ldap module can change (in fact it's undergoing a
rewrite as we speak). We've committed to supporting an extension
mechanism (plugins) that ties into the framework operations and who
knows what might occur in that code. At the moment it's not used, but
hopefully it will be.
Then comes the question, where do we draw the line? Do we say only
user-add with no additional options is supported because we know what
occurs during it's processing and hence we feel safe emulating user-add
outside the framework?
We all know this is a slippery slope, as soon as you support user-add
this way we'll be getting requests to support other commands or other
options. And after we make framework changes (which we do frequently)
are we going to test these out-of-band operations continue to emulate
the ever changing framework?
It's a slippery slope that can expose us to problems we don't need.
Jenny, do you want to test an entirely different mechanism or do you
want to limit it to our defined API?
We have a defined API, I really think that's the only thing we should
support. Backdoor shortcuts that sidestep our framework should be off
the table IMHO, it's just inviting too many problems.
--
John Dennis <jdennis at redhat.com>
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
More information about the Freeipa-devel
mailing list