[Freeipa-users] Add user -> custom script
Rob Crittenden
rcritten at redhat.com
Fri Sep 16 12:45:11 UTC 2011

Alexander Bokovoy wrote:
> On Fri, 16 Sep 2011, Simo Sorce wrote:
>> As a proof of concept sounds nice, but as is this would be bad, as
>> changes to /etc/ipa/server.conf are not replicated through all masters.
>> So a change on one server would require manual synchronization to all
>> others or users created from one server will trigger something while
>> users created through another will trigger something else.
>>
>> Also the issue is that this script is run as the apache user so you'd
>> have to give that user access as root (passwordless private ssh key?
>> brrr).
>> For things like this I think we should provide a more sophisticated
>> mechanism in many ways, maybe we should discuss on freeipa-devel.
> Sure. I only wanted to show how large the amount of work is to hook
> something in. You can treat my POC as a means to provoke discussion. :)

Well, ideally we'd integrate this into the baseclasses so any plugin
could use it. I'd probably either read the script name out of LDAP or we
would require a plugin extension to do it. LDAP is probably
lower-hanging fruit.

At one point Nalin suggested using oddjob to do the privilege escalation
but I never really followed up.

rob