[Freeipa-users] Add user -> custom script

Sigbjorn Lie sigbjorn at nixtra.com
Fri Sep 16 15:43:21 UTC 2011


On 09/16/2011 01:53 PM, Simo Sorce wrote:
> On Fri, 2011-09-16 at 11:29 +0300, Alexander Bokovoy wrote:
>> On Fri, 16 Sep 2011, Dmitri Pal wrote:
>>> On 09/15/2011 04:14 PM, Sigbjorn Lie wrote:
>>>> On 09/15/2011 09:59 PM, Dmitri Pal wrote:
>>>>> On 09/15/2011 03:45 PM, Sigbjorn Lie wrote:
>>>>>> Hi,
>>>>>>
>>>>>> Is there a custom script hook for when a user account is added using
>>>>>> either the cli, webui, or the winsync module?
>>>>>>
>>>>>> I have a custom script I run when creating a user account, and having
>>>>>> this run automatically by IPA would make my life a lot easier.
>>>>>>
>>>>>>
>>>>> Can you describe what kind of operations you need to do?
>>>>> Have you looked at the automembership plugin?
>>>>>
>>>> I'm doing an SSH login onto a filer, creating a home folder ZFS
>>>> dataset for the new user, setting quota and ACL on the newly created
>>>> dataset, and adding files from a skeleton folder into the home folder.
>>>>
>>> It might be a stupid question but... you seem to do all the operations
>>> described above on the filer. I am not quite clear what part of it, if
>>> any, needs to be run on the server side, I mean on the IPA. Or you
>>> actually want to be able to create an account on the server side and
>>> make it trapped and send the event to the filer and run a script there?
>>>
>>> We can't do it now. AFAIR there was a ticket about something like this
>>> in the deferred bucket... Could not find it... But I remember a discussion.
>>> We might need to file a ticket to track this but it sounds like something
>>> that will take a lot of time to accomplish.
>> Attached untested patch is a proof of concept. If /etc/ipa/server.conf
>> has the following setting:
>>
>> ipa_user_script=/path/to/script
>>
>> then during add/delete/modify of a user, it will be called with
>> add/del/mod as first parameter and the user's dn as second. The result of
>> the call is ignored, but the return from the IPA server is blocked by the
>> execution, so be quick in ipa_user_script!
> As a proof of concept sounds nice, but as is this would be bad, as
> changes to /etc/ipa/server.conf are not replicated through all masters.
> So a change on one server would require manual synchronization to all
> others or users created from one server will trigger something while
> users created through another will trigger something else.
>
> Also the issue is that this script is run as the apache user so you'd
> have to give that user access as root (passwordless private ssh key ?
> brrr).
>
> For things like this I think we should provide a more sophisticated
> mechanism in many ways, maybe we should discuss on freeipa-devel

I manage my environment with CFengine, so distributing a few patches and 
files does not bother me. :)

Actually, in my specific case the script does not have to do more than 
write the username(s) to a file, and CFengine can pick up the file and 
do the rest of the job for me. No root access required for the apache 
server. :)


Rgds,
Siggi
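Added example, not code from the thread or from FreeIPA: a hook script of the shape Alexander describes (called with add/del/mod as the first argument and the user's DN as the second) that follows the approach in the reply above, writing only an event line to a spool file for an out-of-band tool such as CFengine to consume. It runs no privileged operation, so the apache user needs nothing beyond write access to the spool directory, and it returns immediately, which matters because the IPA request blocks until the script exits. The spool path, the `IPA_USER_SPOOL` variable and the function names are assumptions for this example.

```shell
#!/bin/sh
# Hypothetical ipa_user_script: invoked as
#   ipa_user_script <add|del|mod> <user dn>
# It appends one line per event to a spool file and does nothing else; the
# privileged work (home directory, quota, ACLs) belongs to a separate agent
# that reads the spool file. The default path below is a constructed example.

SPOOL="${IPA_USER_SPOOL:-/var/spool/ipa-user-events/events.log}"

# uid_from_dn: print the value of the leading uid RDN of a DN such as
#   uid=jdoe,cn=users,cn=accounts,dc=example,dc=com
# Prints nothing when the DN does not start with uid=.
uid_from_dn() {
    printf '%s\n' "$1" | sed -n 's/^[Uu][Ii][Dd]=\([^,]*\).*/\1/p'
}

# record_event OP DN: validate both arguments, then append
#   "<utc timestamp> <op> <uid> <dn>" to $SPOOL.
# Malformed input is rejected with a non-zero status and nothing is written,
# so a DN with unexpected characters cannot smuggle extra lines or shell
# metacharacters into the file the automation later parses.
record_event() {
    op="$1"
    dn="$2"
    nl='
'
    case "$op" in
        add|del|mod) ;;
        *) echo "ipa_user_script: unknown operation: $op" >&2; return 2 ;;
    esac
    case "$dn" in
        *"$nl"*) echo "ipa_user_script: newline in dn" >&2; return 3 ;;
    esac
    uid=$(uid_from_dn "$dn")
    case "$uid" in
        "") echo "ipa_user_script: no uid in dn: $dn" >&2; return 3 ;;
        # Only a conservative username character set is accepted; escaped
        # RDN values (e.g. containing \,) are deliberately refused.
        *[!A-Za-z0-9._-]*)
            echo "ipa_user_script: unexpected characters in uid: $uid" >&2
            return 4 ;;
    esac
    mkdir -p "$(dirname "$SPOOL")" || return 5
    printf '%s %s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$op" "$uid" "$dn" >> "$SPOOL"
}

# When run directly by the IPA server, process the two arguments and exit.
if [ "$#" -ge 2 ]; then
    record_event "$1" "$2"
    exit $?
fi
```

The spool file is append-only from the script's point of view, so the consuming agent should read it, act, and truncate or rotate it under its own lock; the script itself never needs root.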
