[Freeipa-users] Add user -> custom script

Sigbjorn Lie sigbjorn at nixtra.com
Fri Sep 16 15:50:45 UTC 2011


On 09/16/2011 02:45 PM, Rob Crittenden wrote:
> Alexander Bokovoy wrote:
>> On Fri, 16 Sep 2011, Simo Sorce wrote:
>>> As a proof of concept it sounds nice, but as is this would be bad, as
>>> changes to /etc/ipa/server.conf are not replicated through all masters.
>>> So a change on one server would require manual synchronization to all
>>> others, or users created from one server will trigger something while
>>> users created through another will trigger something else.
>>>
>>> Also the issue is that this script is run as the apache user so you'd
>>> have to give that user access as root (passwordless private ssh key ?
>>> brrr).
>>> For things like this I think we should provide a more sophisticated
>>> mechanism in many ways, maybe we should discuss on freeipa-devel
>> Sure. I only wanted to show how large the amount of work to hook
>> something in is. You can treat my POC as a means to provoke discussion. :)
>
> Well, ideally we'd integrate this into the baseclasses so any plugin 
> could use it. I'd probably either read the script name out of LDAP or 
> we would require a plugin extension to do it. LDAP is probably 
> lower-hanging fruit.
>
> At one point Nalin suggested using oddjob to do the privilege 
> escalation but I never really followed up.

Having the variable for what script to run in the LDAP would sure be 
nice. Just modify Alex's script to read from LDAP instead. Job done. :)


Rgds,
Siggi
