[Freeipa-users] Auto membership plugin

Nathan Kinder nkinder at redhat.com
Mon Apr 11 15:27:31 UTC 2011


On 04/08/2011 09:07 AM, Dmitri Pal wrote:
> On 04/08/2011 11:49 AM, JR Aquino wrote:
>> Is there any way to capture a description associated with the regex -> group mapping?
>>
>> I was thinking that after time, it would be important to look back on rules and know why they were put there.
>>
>> Particularly in the case of regex, since it may not be completely obvious by looking back at alphabet soup.
>>
> The more I think about the current design the more I want to normalize things.
> I would rather instead of:
>
> dn: cn=Hostgroups,cn=Auto Membership Plugin,cn=plugins,cn=config
> objectclass: autoMemberDefinition
> autoMemberScope: dc=example,dc=com
> autoMemberFilter: objectclass=ipaHost
> autoMemberExclusiveRegex: cn=webservers,cn=hostgroups,dc=example,dc=com:fqdn=^www5\.example\.com
> autoMemberInclusiveRegex: cn=webservers,cn=hostgroups,dc=example,dc=com:fqdn=^www[1-9]+\.example\.com
> autoMemberInclusiveRegex: cn=webservers,cn=hostgroups,dc=example,dc=com:fqdn=^web[1-9]+\.example\.com
> autoMemberInclusiveRegex: cn=mailservers,cn=hostgroups,dc=example,dc=com:fqdn=^mail[1-9]+\.example\.com
> autoMemberDefaultGroup: cn=orphans,cn=hostgroups,dc=example,dc=com
> autoMemberGroupingAttr: member:dn
>
>
> Have something like:
>
> dn: cn=Hostgroups,cn=Auto Membership Plugin,cn=plugins,cn=config
> objectclass: autoMemberDefinition
> objectclass: cnContainer
> autoMemberScope: dc=example,dc=com
> autoMemberFilter: objectclass=ipaHost
> autoMemberRegexRule: cn=Webserver Inclusion Rule,cn=Hostgroups,cn=Auto Membership Plugin,cn=plugins,cn=config
> autoMemberRegexRule: cn=Mailserver Inclusion Rule,cn=Hostgroups,cn=Auto Membership Plugin,cn=plugins,cn=config
> autoMemberRegexRule: cn=Desktop exclusion Rule,cn=Hostgroups,cn=Auto Membership Plugin,cn=plugins,cn=config
> autoMemberDefaultGroup: cn=orphans,cn=hostgroups,dc=example,dc=com
> autoMemberGroupingAttr: member:dn
>
>
> dn: cn=Webserver Inclusion Rule,cn=Hostgroups,cn=Auto Membership Plugin,cn=plugins,cn=config
> objectclass: autoMemberDefinitionRegexRule
> cn: Webserver Inclusion Rule
> description: Rule contains regular expression to include webserver hosts into the webserver group.
> include: yes <- include or exclude
> memberGroup: cn=webservers,cn=hostgroups,dc=example,dc=com
> attributeToMatch: fqdn
> expressionToMatch: ^www[1-9]+\.example\.com
>
>
> Or something along those lines...
It's a nice logical layout, but it would be hard for an administrator to 
figure out what exactly would happen if they were to add a host with a 
specific hostname.  Since the config is spread over so many entries, one 
would have to look at the top level config entry to find each rule DN, 
fetch each rule DN to look at the regexes.  All of the information is so 
spread out that you can't just look in one place to see the rules that 
will be used.  This could make things difficult from a troubleshooting 
perspective.

The description issue is a tough one to deal with if we have the config 
in the form that is currently described in the design doc.  Since we 
want a description per regex rule, we would need to make the 
description be a part of the regex rule value instead of a separate 
description attribute.  I don't necessarily like this approach, as the 
readability of the config will not be nice.
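
The troubleshooting question raised above (which group does a host with a given hostname end up in?) can be answered offline from the flat-form definition quoted in the thread. The following is an added example, not part of the original message and not the plugin's own code. It assumes the value layout `<group DN>:<attribute>=<regex>` shown in the thread, that an exclusive match overrides inclusive matches for the same group, that the default group applies only when no group remains, and that Python's `re` behaves like the server's regex engine for these patterns.

```python
import re

# Constructed input: the flat-form definition quoted in the thread above.
DEFINITION = r"""dn: cn=Hostgroups,cn=Auto Membership Plugin,cn=plugins,cn=config
objectclass: autoMemberDefinition
autoMemberScope: dc=example,dc=com
autoMemberFilter: objectclass=ipaHost
autoMemberExclusiveRegex: cn=webservers,cn=hostgroups,dc=example,dc=com:fqdn=^www5\.example\.com
autoMemberInclusiveRegex: cn=webservers,cn=hostgroups,dc=example,dc=com:fqdn=^www[1-9]+\.example\.com
autoMemberInclusiveRegex: cn=webservers,cn=hostgroups,dc=example,dc=com:fqdn=^web[1-9]+\.example\.com
autoMemberInclusiveRegex: cn=mailservers,cn=hostgroups,dc=example,dc=com:fqdn=^mail[1-9]+\.example\.com
autoMemberDefaultGroup: cn=orphans,cn=hostgroups,dc=example,dc=com
autoMemberGroupingAttr: member:dn
"""

def parse_definition(text):
    """Return (rules, defaults); each rule is (kind, group_dn, attr, compiled_regex)."""
    rules, defaults = [], []
    for line in text.strip().splitlines():
        name, _, value = line.partition(": ")
        if name in ("autoMemberInclusiveRegex", "autoMemberExclusiveRegex"):
            # Assumed layout: <group DN>:<attribute>=<regex>, with no ':' in the group DN
            group_dn, _, cond = value.partition(":")
            attr, _, pattern = cond.partition("=")
            kind = "exclude" if "Exclusive" in name else "include"
            rules.append((kind, group_dn, attr, re.compile(pattern)))
        elif name == "autoMemberDefaultGroup":
            defaults.append(value)
    return rules, defaults

def explain(entry, rules, defaults):
    """Return (groups, trace): resulting group DNs and the rules that matched."""
    included, excluded, trace = set(), set(), []
    for kind, group_dn, attr, rx in rules:
        if rx.search(entry.get(attr, "")):
            (excluded if kind == "exclude" else included).add(group_dn)
            trace.append(f"{kind}: {group_dn} via {attr} =~ {rx.pattern}")
    # Assumption: exclusion wins for a group; defaults apply only if no group is left.
    groups = sorted(included - excluded) or sorted(defaults)
    return groups, trace

RULES, DEFAULTS = parse_definition(DEFINITION)

if __name__ == "__main__":
    for fqdn in ("www3.example.com", "www5.example.com", "www10.example.com"):
        groups, trace = explain({"fqdn": fqdn}, RULES, DEFAULTS)
        print(fqdn, "->", groups, trace)
```

Under these assumptions `www10.example.com` lands in the default group, because `[1-9]+` does not accept the digit `0`; this is the kind of result that is hard to see by reading the rules alone.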



