<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 05/21/2014 09:06 PM, Martin Kosek
wrote:<br>
</div>
<blockquote cite="mid:537CF952.60301@redhat.com" type="cite">On
05/21/2014 08:14 PM, Simo Sorce wrote:
<br>
<blockquote type="cite">On Wed, 2014-05-21 at 16:01 +0200, thierry
bordaz wrote:
<br>
<blockquote type="cite">Hello,
<br>
<br>
Thanks for all these detailed descriptions.
<br>
Just to be sure to be on the same page, here is my
understanding of
<br>
the provisioning templates and placeholder definitions.
An
<br>
administrator can provide a provisioning template. I
suppose it
<br>
would be a file containing lines of placeholder
definitions.
<br>
<br>
* Where is the template file located? Is there a
standard
<br>
repository where templates are put ? (somewhere under
/etc/ipa/* ?)
<br>
</blockquote>
<br>
FreeIPA is a multi-master system, a file stored in a file would
be
<br>
extremely cumbersome to use as it would require the admin to
manually
<br>
copy it for every new replica and then keep it in sync.
<br>
It would also make it hard to change 'on-line'.
<br>
<br>
Placeholders should be defined in an object similar to
<br>
cn=ipaConfig,cn=etc,$suffix
<br>
<br>
<blockquote type="cite"> * Is there an already defined
syntax for the provisioning
<br>
template. ('$' is separator attr/value,
%{&lt;attr&gt;} is substitute
<br>
pattern...). If not, is it possible to use
':&lt;space&gt; ' as
<br>
separator ?
<br>
</blockquote>
<br>
Using initial and final ? like in Martin's example doesn't work
?
<br>
<br>
<blockquote type="cite"> * What is the priority. The user
can provide the 'homeDirectory'
<br>
through different methods. Is it ok to use the
following order:
<br>
o the CLI option
<br>
o the provisioning template
<br>
o the default config value (in
cn=ipaConfig,cn=etc,$SUFFIX)
<br>
<br>
For example, if the provisioning template exists:
<br>
/etc/ipa/provisioning/shell-user.template
<br>
<br>
roomnumber$-2
<br>
homeDirectory$/home/net/shell-%{uid}
<br>
loginShell$?shell-plugin-autogenerate?
<br>
</blockquote>
<br>
I do not understand this, we are not building a templating
engine here,
<br>
you only have 2 options:
<br>
1) a required (MUST) attribute has an explicit value
<br>
2) a required (MUST) attribute has a placeholder value
<br>
<br>
the placeholder value is fixed per type, and what it is
substituted with
<br>
uses the same rules as the current code uses to autogenerate
values.
<br>
<br>
<blockquote type="cite"> the command: ipa user-add tuser
<br>
--homedir=/tmp/tuser --roomnumber=1234 --to-stage would
create a
<br>
staging entry:
<br>
<br>
dn: uid=tuser,cn=staged users,cn=provisioning,$SUFFIX
<br>
...
<br>
roomNumber: 1234
<br>
homeDirectory: /tmp/tuser
<br>
loginShell: shell-plugin-autogenerate
<br>
</blockquote>
<br>
loginShell is a MAY attribute, not a MUST attribute, so nothing
should
<br>
be stored at all in the staged entry unless explicitly provided
for by
<br>
the admin.
<br>
<br>
<blockquote type="cite"> Then a private DS plugin (catching
shell-plugin-autogenerate)
<br>
generates the loginShell value when the entry becomes
active.
<br>
<br>
<br>
the command: ipa user-add tuser
--homedir=/tmp/tuser --to-stage would
<br>
create a staging entry:
<br>
<br>
dn: uid=tuser,cn=staged users,cn=provisioning,$SUFFIX
<br>
...
<br>
roomNumber: -2
<br>
homeDirectory: /tmp/tuser
<br>
loginShell: shell-plugin-autogenerate
<br>
</blockquote>
<br>
roomNumber is also a MAY, so what would cause it to be set at
-2, and
<br>
why ?
<br>
<br>
<blockquote type="cite"> the command: ipa user-add tuser
--to-stage would create a staging entry:
<br>
<br>
dn: uid=tuser,cn=staged users,cn=provisioning,$SUFFIX
<br>
...
<br>
roomNumber: -2
<br>
homeDirectory: /home/net/shell-tuser
<br>
loginShell: shell-plugin-autogenerate
<br>
</blockquote>
<br>
homeDirectory should be something like: ?placeholder? IMO, we do
not
<br>
really want to play templating here.
<br>
<br>
<blockquote type="cite"> In case the provisioning template
does not define 'homeDirectory',
<br>
then the created entry would take the value from the ipa
config
<br>
definition:
<br>
</blockquote>
<br>
that value should be taken and applied at the time the user is
unstaged
<br>
and brought in the actual tree, not at the time a user is
staged.
<br>
<br>
HTH,
<br>
Simo.
<br>
<br>
</blockquote>
<br>
Hello Thierry and Simo,
<br>
<br>
I think Thierry was confused with this part of the design:
<br>
<br>
"
<br>
This format of placeholders gives enough space for future
enhancements. For example, Administrator could configure a new
template "myhomedirtemplate$/home/net/%{uid}" and use it in the
staged LDAP entry. Such value would be replaced by
"/home/net/tuser" if user uid attribute is set to tuser
<br>
"
<br>
<br>
My intention when writing this design was to enable future use of
configurable placeholders, i.e. a value "?someplaceholder?" could
be turned into "/custom/path/%{uid}". But I meant that this can be
considered as a future enhancement. For now, I think implementing
a placeholder "-1" for numerical values and "?autogenerate?" for
string ones is a good start.
<br>
<br>
Martin
<br>
</blockquote>
<font face="Times New Roman, Times, serif">Hello Martin and Simo,<br>
<br>
</font>
<blockquote><font face="Times New Roman, Times, serif">Thanks for
your feedback. I liked the idea of configurable placeholders
and I was thinking there already existed a kind of template engine
that I had to follow. Now I understand that in a first step, I
have to make it run only with '-1|?autogenerate?' placeholders
and for MUST attribute only. Sorry for the confusion.<br>
<br>
Thierry<br>
</font></blockquote>
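<p>The rules the thread settles on (fixed "-1" and "?autogenerate?" placeholders for MUST attributes only, MAY attributes stored only when given explicitly, defaults applied at unstaging time), sketched as an added example that is not FreeIPA code or part of the original messages. The attribute subset, the homes_root config key and the id allocator are assumptions made for illustration.</p>
<pre>
```python
# Added illustration of the placeholder rules agreed in this thread.
# The attribute subset, config key and id allocator are constructed.
NUM_PLACEHOLDER = "-1"              # numeric MUST attributes
STR_PLACEHOLDER = "?autogenerate?"  # string MUST attributes
MUST_NUMERIC = ("uidNumber",)
MUST_STRING = ("homeDirectory",)


def stage(uid, explicit):
    """Build a staged entry from the values the admin gave explicitly."""
    entry = {"uid": uid}
    for attr in MUST_NUMERIC:
        entry[attr] = str(explicit.get(attr, NUM_PLACEHOLDER))
    for attr in MUST_STRING:
        entry[attr] = str(explicit.get(attr, STR_PLACEHOLDER))
    # MAY attributes (loginShell, roomNumber, ...) are stored only when
    # explicitly provided; they never receive a placeholder.
    for attr, value in explicit.items():
        entry.setdefault(attr, str(value))
    return entry


def activate(staged, config, allocate_id):
    """Resolve placeholders when the entry moves to the active tree."""
    missing = [a for a in MUST_NUMERIC + MUST_STRING if a not in staged]
    if missing:
        raise ValueError(f"staged entry lacks MUST attributes: {missing}")
    active = dict(staged)
    for attr in MUST_NUMERIC:
        if active[attr] == NUM_PLACEHOLDER:
            active[attr] = str(allocate_id())
    # Defaults are read at activation, so a config change made after
    # staging still applies.
    if active["homeDirectory"] == STR_PLACEHOLDER:
        active["homeDirectory"] = f"{config['homes_root']}/{active['uid']}"
    return active


if __name__ == "__main__":
    ids = iter(range(5000, 5010)).__next__  # constructed allocator
    staged = stage("tuser", {})
    print(staged)
    print(activate(staged, {"homes_root": "/home/net"}, ids))
```
</pre>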
</body>
</html>