[Freeipa-devel] External plugin integration
Martin Basti
mbasti at redhat.com
Fri Aug 5 12:08:43 UTC 2016
On 05.08.2016 13:58, Alexander Bokovoy wrote:
> On Fri, 05 Aug 2016, Martin Basti wrote:
>>
>>
>> On 04.08.2016 17:49, Alexander Bokovoy wrote:
>>> Hi!
>>>
>>> I've stumbled into an interesting problem.
>>>
>>> Suppose, I have a plugin that adds schema and a subtree where
>>> entries it
>>> manages will be stored. This subtree will have ACIs applied based on
>>> the
>>> plugin permissions' configuration. Now, I put schema file in
>>> /usr/ipa/share, and updates file in /usr/share/ipa/updates, and also
>>> add
>>> plugin code to the ipaserver/plugins/ (let's say, rpm does it for me).
>>> Next, I want to install IPA server. The install will run through up to
>>> server upgrade phase which will fail because generation of ACIs will
>>> reference schema attributes/classes which aren't loaded to the
>>> dirsrv by
>>> installer. How to solve it?
>>> Installer uses hard-coded list of schema files and this is a
>>> third-party
>>> plugin, it needs to extend the list of active schema files.
>>>
>>> If we can define a place where third-party plugins could drop schema
>>> and
>>> we just load everything from there before processing updates, it would
>>> probably be enough.
>>>
>>
>> TLDR: you don't without modifications in current IPA code, or it will
>> be a huge hack
> So far all I needed are following modifications which really boil down
> to:
> - introduce /usr/share/ipa/schema.d to hold third-party schema files
> - add support to read the schema files from /usr/share/ipa/schema.d
> to dsinstance upgrade step and to ipa-server-upgrade
>
> That's all. Since I'm adding a new directory, I needed to update
> Makefile.am and install/configure.ac which requires regeneration of
> Makefile/configure files. You'd need to remove install/Makefile and run
> 'make bootstrap-autogen' to make sure the install/Makefile is recreated
> and install/share/schema.d/Makefile is created.
>
>> I think, this is a part of "Support of 3rd party plugins" effort, but
>> it has not been designed yet. I would like to avoid any ad-hoc solution.
>> Maybe we should create a design page and gather requirements, you
>> have a lot of them already :).
> I'm working on the whole package for FleetCommander integration and I'll
> produce a howto based on it. So far, there was no need to have anything
> dramatic.
>
You introduced a new convention,
+Each schema file should be named NN-description.schema where NN is a
number 00..90.
Currently all LDAP schema files are *.ldif, why not stay with this
naming?
Martin^2
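As an added illustration (not FreeIPA's code and not part of this thread), a loader that would enumerate the proposed /usr/share/ipa/schema.d and enforce the NN-description.schema naming quoted above, reporting misnamed files instead of skipping them silently. The directory contents are constructed in a temporary directory for the example; the file names are made up.

```python
import os
import re
import tempfile

# Naming rule quoted from the patch: NN-description.schema, NN in 00..90.
SCHEMA_NAME_RE = re.compile(r"^(\d{2})-([A-Za-z0-9_.-]+)\.schema$")
MAX_PREFIX = 90


def schema_files(schema_dir):
    """Return (ordered schema paths, rejected names) for schema_dir.

    Files that violate the naming convention are reported rather than
    silently dropped, so a misnamed third-party schema does not go
    missing before the ACI updates that reference its attributes run.
    """
    ordered = []
    rejected = []
    for name in sorted(os.listdir(schema_dir)):
        path = os.path.join(schema_dir, name)
        m = SCHEMA_NAME_RE.match(name)
        if not os.path.isfile(path) or m is None:
            rejected.append(name)
            continue
        prefix = int(m.group(1))
        if prefix > MAX_PREFIX:
            rejected.append(name)
            continue
        ordered.append((prefix, name, path))
    # Numeric prefix decides load order; the name breaks ties deterministically.
    ordered.sort(key=lambda item: (item[0], item[1]))
    return [item[2] for item in ordered], rejected


def demo():
    """Constructed schema.d: two valid files, two that break the rule."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("10-fleetcommander.schema", "05-base.schema",
                     "95-too-high.schema", "60-extra.ldif"):
            with open(os.path.join(d, name), "w") as f:
                f.write("dn: cn=schema\n")  # placeholder schema content
        loaded, rejected = schema_files(d)
        return [os.path.basename(p) for p in loaded], rejected


if __name__ == "__main__":
    print(demo())
```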