[Freeipa-devel] [RFC] Creating a new plugin to make it simpler to add users via LDAP

[Rich Megginson]

On 02/14/2013 01:59 AM, Petr Viktorin wrote:
> On 02/13/2013 07:11 PM, Simo Sorce wrote:
>> On Wed, 2013-02-13 at 10:57 -0700, Rich Megginson wrote:
>>
>>>> Rich,
>>>> is there potential from deadlocking here due to the new transaction
>>>> stuff ? Or can we single out this plugin to run before *any*
>>> transaction
>>>> is started ?
>>
>>> If you do this in a "regular" pre-op, not a "betxn" pre-op, then it
>>> should be fine.
>>
>> Ok in this case we should be able to create a regular pre-op plugin to
>> intercept the ldap add call and then use the following flow:
>> client --(LDAP)--> 389DS --(HTTP/json)--> framework --(LDAP)--> add
>>
>> So no deadlocks will happen, the remaining issue is how to make sure we
>> do not loop by mistake in the second add.
>>
>> One way could be to have loop detection so that if more then two (1.
>> original, 2. framework) adds for the same DN come in we just return
>> errors. Another way is to use a special objectclass as I proposed in the
>> thread and make sure the framework explictly blacklists it so that it
>> can never try to send an add with the special oc even by mistake or user
>> misconfiguration.
>>
>
> And a third way is a separate LDAP tree.
>
> I'm not familiar with what DS plugins can do. Can we craft one that 
> intercepts all read operations on "cn=HR tree,$SUFFIX" and does them 
> on "cn=users,cn=accounts,$SUFFIX" instead (using that tree's 
> permissions), and forwards all write operations on "cn=HR tree" to IPA 
> via JSON?
Yes.
>
>
> A fourth way is a proxy/gateway, essentially the same but with a 
> separate server.
>