[Freeipa-devel] [PATCH] 917 user automember for ipa default user

Rob Crittenden rcritten at redhat.com
Mon Jan 16 20:43:58 UTC 2012


Martin Kosek wrote:
> On Mon, 2011-12-12 at 23:09 -0500, Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> Rather than manually adding users to the default ipa users group
>>> configure automember to do it for us.
>>>
>>> This was quite simple for new installs but a bit complex on upgrades so
>>> I implemented it as an update plugin.
>>>
>>> I also added a unit test for the config module. The majority of config
>>> is ignored for now. I'm afraid we'd run into too many false positives if
>>> we test each element, and most of these just store data so there isn't a
>>> lot that can go wrong.
>>>
>>> rob
>>
>> Small revision. I wasn't shipping the update plugin.
>>
>> rob
>
> I have a few minor-ish issues:
>
> 0) I was thinking if this new approach for assignment of ipa default
> users is safe enough. If a user accidentally messes with automember and
> modifies/deletes the default group rule, new users may be omitted from
> the default group set in IPA config. Are we sure that we are OK with
> this?

I made some stricter tests that don't allow users to manage the 
conditions of the default users group nor use an existing rule with 
conditions for the default users group.

> 1) Several tests are provided with a hard-coded basedn
> (dc=greyoak,dc=com). api.env.basedn would be a better choice

Ouch, fixed.

> 2) We could optimize user.py not to retrieve config from LDAP since it
> is now needed only when api.env.wait_for_attr is set. I think this may
> speed up the command a little bit:
>          ...
>          # Automember adds our user to the default group for us.
>          if self.api.env.wait_for_attr:
>              config = ldap.get_ipa_config()[1]
>              def_primary_group = config.get('ipadefaultprimarygroup')
>              newentry = wait_for_value(ldap, dn, 'memberOf', def_primary_group)
>              entry_from_entry(entry_attrs, newentry)
>          ...

Ok, that's a good idea. I think this path is going to go away soon 
though once we have transactions in 389-ds.

rob
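The gating proposed in point 2 above, and the race it guards against (the automember plugin populates memberOf some time after the add), as an added illustration that is not FreeIPA's code: FakeDirectory, its delay counter, the group DN and add_user are all constructed stand-ins for the real ldap2 connection and user-add command.

```python
import time


class FakeDirectory:
    """Constructed stand-in for the LDAP connection (not FreeIPA's ldap2).
    A simulated automember plugin adds memberOf only after `delay` reads."""

    def __init__(self, default_group, delay):
        self.entries = {}
        self.reads = {}
        self.default_group = default_group
        self.delay = delay

    def get_ipa_config(self):
        # Same (dn, attrs) shape as the snippet in the review.
        return ('cn=ipaConfig', {'ipadefaultprimarygroup': self.default_group})

    def add_entry(self, dn, attrs):
        self.entries[dn] = dict(attrs)
        self.reads[dn] = 0

    def get_entry(self, dn):
        self.reads[dn] += 1
        entry = self.entries[dn]
        if self.reads[dn] > self.delay:  # plugin has "caught up"
            members = entry.setdefault('memberOf', [])
            if self.default_group not in members:
                members.append(self.default_group)
        return entry


def wait_for_value(ldap, dn, attr, value, timeout=2.0, interval=0.01):
    """Poll until `attr` of `dn` contains `value`; fail loudly on timeout
    instead of handing back a half-populated entry."""
    deadline = time.monotonic() + timeout
    while True:
        entry = ldap.get_entry(dn)
        if value in entry.get(attr, []):
            return entry
        if time.monotonic() >= deadline:
            raise TimeoutError('%s never gained %s=%s' % (dn, attr, value))
        time.sleep(interval)


def add_user(ldap, dn, attrs, wait_for_attr):
    """Hypothetical user-add: config is read only on the waiting path."""
    ldap.add_entry(dn, attrs)
    entry_attrs = dict(attrs)
    if wait_for_attr:
        config = ldap.get_ipa_config()[1]
        def_primary_group = config['ipadefaultprimarygroup']
        newentry = wait_for_value(ldap, dn, 'memberOf', def_primary_group)
        entry_attrs.update(newentry)
    return entry_attrs
```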

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-917-2-defaultuser.patch
Type: text/x-diff
Size: 20504 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120116/b2cc6cd2/attachment.bin>
