[Freeipa-devel] Community Portal Milestone

Drew Erny derny at redhat.com
Tue Jun 9 20:15:21 UTC 2015


Hey, Freeipa, same thread new subtopic.

So, I was bouncing some ideas around with another developer (ayoung) and 
I think I have a pretty good idea for self-service user registration.

The idea is that I put self-service user registration into its own 
application that calls out to ipa user-add after getting admin approval.

Workflow goes like this:

1.) User goes to registration page, inputs details into form. 
Registration page and application are not part of FreeIPA.
2.) User's registration goes into a non-FreeIPA database, something like 
SQLite.
3.) Admin gets a notification email with a link to approve/deny 
registration.
     A.) Admin clicks approval link, registration application (which has 
limited privileges) makes call out to ipa user-add command, adding the 
new user to FreeIPA.
     B.) Admin clicks deny link, user is not added.
4.) User's registration information, approved or denied, is deleted from 
the external database.

This has a couple of advantages. For starters, it provides a layer of 
protection against the creation of spam accounts. Accounts are not added 
directly to LDAP (inserting to LDAP is a slow operation); instead they sit in 
an intermediate area awaiting approval. Second, we don't have to write a big 
extension to ipa user-add or staginguser-add that allows anonymous 
access to that command. Third, it can be bundled into its own package 
and given to the community separate from FreeIPA proper. Finally, it 
would allow me to gracefully defer becoming buried up to my neck in 
D-Bus notifications and whatever other fanciness we want to send email, 
because FreeIPA won't be sending the email.

Opinions?
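One way the queue-and-approve workflow above could be implemented, as an added example that is not part of this post or of FreeIPA itself (the SQLite table layout, the per-registration token, the login pattern and the exact ipa user-add arguments are assumptions):

```python
import re
import secrets
import sqlite3
import subprocess

# Logins that could be mistaken for CLI options (leading "-") or that break
# the usual FreeIPA login pattern are rejected before they are ever queued.
LOGIN_RE = re.compile(r"^[a-z][a-z0-9_.-]{0,31}$")


def open_db():
    # In-memory SQLite stands in for the external, non-FreeIPA database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pending (token TEXT PRIMARY KEY, login TEXT,"
               " first TEXT, last TEXT, email TEXT)")
    return db


def submit_registration(db, login, first, last, email):
    """Step 2: park the request; return the token the admin's links carry."""
    if not LOGIN_RE.match(login):
        raise ValueError("invalid login")
    for value in (first, last, email):
        if value.startswith("-"):          # would look like an option to ipa
            raise ValueError("field may not start with '-'")
    token = secrets.token_urlsafe(32)      # unguessable, so links can't be forged
    db.execute("INSERT INTO pending VALUES (?, ?, ?, ?, ?)",
               (token, login, first, last, email))
    db.commit()
    return token


def ipa_user_add(login, first, last, email):
    """Step 3A: the real call-out (assumed argument names); argv list, no shell."""
    subprocess.run(["ipa", "user-add", login, "--first", first,
                    "--last", last, "--email", email], check=True)


def decide(db, token, approve, user_add=ipa_user_add):
    """Steps 3 and 4: act on the admin's link, then drop the record."""
    row = db.execute("SELECT login, first, last, email FROM pending"
                     " WHERE token = ?", (token,)).fetchone()
    if row is None:
        return "unknown"                   # used, expired or forged token
    db.execute("DELETE FROM pending WHERE token = ?", (token,))
    db.commit()                            # deleted whether approved or denied
    if approve:
        user_add(*row)
        return "approved"
    return "denied"
```

Because the token row is deleted on the first decision, an approve link cannot be replayed to create the same account twice.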
