[Freeipa-devel] [RFE] Support for automember rebuild membership

Nathan Kinder nkinder at redhat.com
Fri Sep 13 16:22:40 UTC 2013 

On 09/13/2013 01:48 AM, Martin Kosek wrote:
> On 09/12/2013 07:59 PM, Ana Krivokapic wrote:
>> Hello,
>>
>> The design document for $SUBJECT can be found at:
>> http://www.freeipa.org/page/V3/Automember_rebuild_membership
>>
>> Related tickets:
>> https://fedorahosted.org/freeipa/ticket/3752
>> https://fedorahosted.org/freeipa/ticket/3928
>>
>> Thoughts, comments, questions welcome.
>>
> Besides membership reset discussion happening in second thread I other comments.
>
> 1) I think we should also design permission&ACIs for the automember rebuild
> task creation (cn=automember rebuild membership,cn=tasks,cn=config container).
> You can talk to Petr3 about that as he is current working on redesigning ACIs.
> Just so that you are in sync.
>
> 2) About the "Implementation" part and "automember rebuild membership"
>
> I do not think this is good approach. I do not know how do you plan doing the
> confirmation
>
> I do not think this workflow would work with our framework. We do not have
> support for confirming except if you would implement it in
> interactive_prompt_callback. But then the functionality would not be available
> for Web UI.
>
> I would rather add an option --dry-run or --test for all new automember
> commands which would return how would the updated entry look like. BTW, did the
> automember export updates task work for you? I tried this LDIF and
> /tmp/automember.ldif was empty:
>
> dn: cn=my export task 1, cn=automember export updates,cn=tasks,cn=config
> changetype: add
> objectClass: top
> objectClass: extensibleObject
> cn: my export task 1
> basedn: cn=accounts,dc=example,dc=com
> filter: (uid=*)
> scope: sub
> ldif: /tmp/automember.ldif
>
> Adding Mark to CC in case if he has any advise for utilizing the export task in
> FreeIPA.
You forgot to CC Mark. :)  I've added him to the thread.

-NGK
>
> By the way, using this approach I think we would also hit issues with
> permissions on the resulting LDIF, given it is created by DS and would be read
> by Apache. SELinux would be complaining as well. To sum it up, I am not sure
> this will be that easy and straightforward.
>
> Martin
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

More information about the Freeipa-devel mailing list