[Freeipa-users] Add user -> custom script

Sigbjorn Lie sigbjorn at nixtra.com
Wed Sep 21 18:30:03 UTC 2011


On 09/19/2011 03:42 PM, Rob Crittenden wrote:
> Sigbjorn Lie wrote:
>>
>>
>> On Fri, September 16, 2011 23:18, Rob Crittenden wrote:
>>> Sigbjorn Lie wrote:
>>>
>>>> On 09/16/2011 10:29 AM, Alexander Bokovoy wrote:
>>>>
>>>>> On Fri, 16 Sep 2011, Dmitri Pal wrote:
>>>>>
>>>>>> On 09/15/2011 04:14 PM, Sigbjorn Lie wrote:
>>>>>>
>>>>>>> On 09/15/2011 09:59 PM, Dmitri Pal wrote:
>>>>>>>
>>>>>>>> On 09/15/2011 03:45 PM, Sigbjorn Lie wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Is there a custom script hook for when a user account is added using
>>>>>>>>> either the cli, webui, or the winsync module?
>>>>>>>>>
>>>>>>>>> I have a custom script I run when creating a user account, and having
>>>>>>>>> this run automatically by IPA would make my life a lot easier.
>>>>>>>>>
>>>>>>>>>
>>>>>>>> Can you describe what kind of operations you need to do?
>>>>>>>> Have you looked at the automembership plugin?
>>>>>>>>
>>>>>>>>
>>>>>>> I'm doing an SSH login on to a filer, creating a home folder ZFS
>>>>>>> dataset for the new user, setting quota and ACL on the newly created
>>>>>>> dataset, and adding files from a skeleton folder into the home folder.
>>>>>>>
>>>>>> It might be a stupid question but... you seem to do all the operations
>>>>>> described above on the filer. I am not quite clear what part of it, if
>>>>>> any, needs to be run on the server side, I mean on the IPA. Or you
>>>>>> actually want to be able to create an account on the server side and
>>>>>> make it trapped and send the event to the filer and run a script there?
>>>>>>
>>>>>> We can't do it now. AFAIR there was a ticket about something like this
>>>>>> in the deferred bucket... Could not find it... But I remember a
>>>>>> discussion. We might need to file a ticket to track this but it sounds
>>>>>> like something that will take a lot of time to accomplish.
>>>>> Attached untested patch is a proof of concept. If /etc/ipa/server.conf
>>>>> has the following setting:
>>>>>
>>>>> ipa_user_script=/path/to/script
>>>>>
>>>>> then during add/delete/modify of a user, it will be called with
>>>>> add/del/mod as first parameter and user's dn as second. Result of the
>>>>> call is ignored but return from IPA server is blocked by the execution
>>>>> so be quick in ipa_user_script!
>>>>>
>>>>
>>>> I got the patch installed OK, env variable set, and the script is being
>>>> run when I do user modifications. Great! :) But the action (add/del/mod)
>>>> and the dn are not being supplied as arguments.
>>>>
>>>> For testing's sake I've made a very simple script just to capture the
>>>> env variables.
>>>>
>>>> Do you have any suggestion as to why the arguments are not getting
>>>> supplied to the script?
>>>>
>>>>
>>>> #!/bin/bash
>>>>
>>>>
>>>> echo "a:$1 u:$2" >> /tmp/ipa_custom_$$
>>>> env >> /tmp/ipa_custom_$$
>>>
>>> The ipautil.run invocation should be:
>>>
>>>
>>> ipautil.run([self.api.env.ipa_user_script,"add", dn])
>>>
>>> In other words, the whole thing needs to be in the list.
>>>
>>>
>>> Note that a cleaner way of adding this without having to modify
>>> ipa-provided files would be to write an extension plugin that does
>>> this (untested):
>>>
>>>
>>> from ipalib.plugins.user import user_add
>>>
>>> def script_post_add_callback(inst, ldap, dn, attrs_list, *keys, **options):
>>>     inst.log.info('User added')
>>>     if 'ipa_user_script' in inst.api.env:
>>>         try:
>>>             ipautil.run([inst.api.env.ipa_user_script, "add", dn])
>>>         except:
>>>             pass
>>>
>>>     return dn
>>>
>>> user_add.register_post_callback(script_post_add_callback)
>>>
>>> Stick that into a file and drop it into the directory with the other
>>> plugins and restart Apache and that should do it.
>>>
>>> rob
>>>
>>
>> I reverted the patched user.py file back to the unpatched user.py file.
>>
>> I called the script you provided custom.py, and I've tried copying it to
>> /usr/lib/python2.7/site-packages/ipalib/plugins and
>> /usr/lib/python2.7/site-packages/ipaserver/plugins. Then I restarted
>> httpd and tomcat6. Now the script is not called anymore.
>>
>> Should the script be put anywhere else? Anything I didn't do?
>>
>>
>>
> It needs to be in ipalib/plugins.
>
> Add:
>
> from ipapython import ipautil

Works perfectly! Thanks! :)
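
One way to write the script that ipa_user_script points at, as an added example that is not from this thread or from FreeIPA: it validates the action and the DN it receives before anything derived from them reaches the filer, and returns without waiting for the filer. The filer host, the ZFS parent dataset, the login pattern, and the assumption that the user DN starts with a uid RDN are all hypothetical.

```python
#!/usr/bin/env python3
"""ipa_user_script hook: argv[1] is add/del/mod, argv[2] is the user's DN."""
import re
import subprocess
import sys

ACTIONS = {"add", "del", "mod"}      # the three actions named in the thread
UID_RE = re.compile(r"[a-z_][a-z0-9_.-]{0,31}")  # assumed login policy
FILER = "filer.example.com"          # hypothetical filer host
PARENT_DATASET = "tank/home"         # hypothetical ZFS parent dataset


def uid_from_dn(dn):
    """Return the uid from the DN's first RDN; raise ValueError otherwise."""
    attr, sep, value = dn.split(",", 1)[0].partition("=")
    if sep != "=" or attr.lower() != "uid":
        raise ValueError("DN does not start with a uid RDN")
    # fullmatch rejects escapes, '+', spaces, newlines and shell metacharacters
    if not UID_RE.fullmatch(value):
        raise ValueError("uid is outside the allowed character set")
    return value


def build_filer_command(action, dn):
    """Return the argv list to run for this event, or None for no work."""
    if action not in ACTIONS:
        raise ValueError("unexpected action")
    uid = uid_from_dn(dn)
    if action != "add":
        return None                  # this example provisions on add only
    # ssh hands the remote words to the filer's shell, so the allowlist above,
    # not the local argv list, is what keeps the dataset name inert there.
    return ["ssh", "-o", "BatchMode=yes", FILER,
            "zfs", "create", f"{PARENT_DATASET}/{uid}"]


def main(argv):
    try:
        cmd = build_filer_command(argv[1], argv[2])
    except (IndexError, ValueError) as exc:
        print(f"ipa hook rejected input: {exc}", file=sys.stderr)
        return 2
    if cmd is not None:
        # Detach and close the std streams so the IPA request is not held
        # open while the filer works (the thread notes the call blocks).
        subprocess.Popen(cmd, stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL,
                         stderr=subprocess.DEVNULL, start_new_session=True)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```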






