[Freeipa-users] Add user -> custom script

Rob Crittenden rcritten at redhat.com
Fri Sep 16 21:18:00 UTC 2011


Sigbjorn Lie wrote:
> On 09/16/2011 10:29 AM, Alexander Bokovoy wrote:
>> On Fri, 16 Sep 2011, Dmitri Pal wrote:
>>> On 09/15/2011 04:14 PM, Sigbjorn Lie wrote:
>>>> On 09/15/2011 09:59 PM, Dmitri Pal wrote:
>>>>> On 09/15/2011 03:45 PM, Sigbjorn Lie wrote:
>>>>>> Hi,
>>>>>>
>>>>>> Is there a custom script hook for when a user account is added using
>>>>>> either the cli, webui, or the winsync module?
>>>>>>
>>>>>> I have a custom script I run when creating a user account, and having
>>>>>> this run automatically by IPA would make my life a lot easier.
>>>>>>
>>>>>>
>>>>> Can you describe what kind of operations you need to do?
>>>>> Have you looked at the automembership plugin?
>>>>>
>>>> I'm doing a SSH login on to a filer, creating a home folder ZFS
>>>> dataset for the new user, setting quota and ACL on the newly created
>>>> dataset, and adding files from a skeleton folder into the home folder.
>>>>
>>> It might be a stupid question but... you seem to do all the operations
>>> described above on the filer. I am not quite clear what part of it, if
>>> any, needs to be run on the server side, I mean on the IPA. Or you
>>> actually want to be able to create an account on the server side and
>>> make it trapped and send the event to the filer and run a script there?
>>>
>>> We can't do it now. AFAIR there was a ticket about something like this
>>> in the deferred bucket... Could not find it... But I remember a
>>> discussion.
>>> We might need to file a ticket to track this but it sounds like something
>>> that will take a lot of time to accomplish.
>> Attached untested patch is a proof of concept. If /etc/ipa/server.conf
>> has following setting:
>>
>> ipa_user_script=/path/to/script
>>
>> then during add/delete/modify of a user, it will be called with
>> add/del/mod as first parameter and user's dn as second. Result of
>> the call is ignored but return from IPA server is blocked by the
>> execution so be quick in ipa_user_script!
>>
>
> I got the patch installed OK, env variable set, and the script is being
> run when I do user modifications. Great! :) But the action (add/del/mod)
> and the dn is not being supplied as arguments.
>
> For testing's sake I've made a very simple script just to capture the
> env variables.
>
> Do you have any suggestion as to why the arguments are not getting supplied
> to the script?
>
>
> #!/bin/bash
>
> echo "a:$1 u:$2" >> /tmp/ipa_custom_$$
> env >> /tmp/ipa_custom_$$

The ipautil.run invocation should be:

ipautil.run([self.api.env.ipa_user_script,"add", dn])

In other words, the whole thing needs to be in the list.

Note that a cleaner way of adding this without having to modify 
ipa-provided files would be to write an extension plugin that does this 
(untested):

from ipalib.plugins.user import user_add
from ipapython import ipautil

def script_post_add_callback(inst, ldap, dn, attrs_list, *keys, **options):
    inst.log.info('User added')
    if 'ipa_user_script' in inst.api.env:
        try:
            # Pass the script path and its arguments as one list.
            ipautil.run([inst.api.env.ipa_user_script, "add", dn])
        except Exception:
            # The script's result is ignored so the user add still succeeds.
            pass

    return dn

user_add.register_post_callback(script_post_add_callback)

Stick that into a file and drop it into the directory with the other 
plugins and restart Apache and that should do it.

rob
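
The receiving end of this call, as an added example that is not from the original thread or from FreeIPA: a hook script that checks the action and DN it was handed before building the filer command. The DN layout (uid=...,cn=users,cn=accounts,...), the login pattern, the filer account and the dataset name are assumptions.

```python
#!/usr/bin/env python3
"""Hook-side argument checking for an ipa_user_script (added example)."""
import re
import sys

ACTIONS = {"add", "del", "mod"}
# Assumption: user entries live at uid=<login>,cn=users,cn=accounts,<suffix>.
DN_RE = re.compile(
    r"uid=([^,=+]+),cn=users,cn=accounts,dc=[a-z0-9-]+(?:,dc=[a-z0-9-]+)*",
    re.IGNORECASE)
# Conservative login pattern: no shell metacharacters, no path separators.
UID_RE = re.compile(r"[a-z_][a-z0-9_.-]{0,31}")
# Hypothetical filer account and dataset parent, not taken from the thread.
FILER = "provision@filer.example.com"
HOME_PARENT = "tank/home"


def parse_hook_args(argv):
    """Return (action, uid) or raise ValueError for anything unexpected."""
    if len(argv) != 2:
        raise ValueError("expected: <add|del|mod> <dn>")
    action, dn = argv
    if action not in ACTIONS:
        raise ValueError("unknown action %r" % action)
    m = DN_RE.fullmatch(dn)
    if not m:
        raise ValueError("unexpected DN layout")
    uid = m.group(1)
    if not UID_RE.fullmatch(uid) or ".." in uid:
        raise ValueError("uid rejected by allowlist pattern")
    return action, uid


def filer_command(action, uid):
    """Build the ssh argv for 'add'; other actions are left as no-ops here."""
    if action != "add":
        return None
    # ssh joins these words and hands them to a shell on the filer, so the
    # allowlist check on uid is what keeps this safe, not the list form alone.
    return ["ssh", FILER, "zfs", "create", "%s/%s" % (HOME_PARENT, uid)]


if __name__ == "__main__":
    try:
        act, user = parse_hook_args(sys.argv[1:])
    except ValueError as err:
        sys.exit("ipa hook: refusing to run: %s" % err)
    print(filer_command(act, user))
```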



