[Freeipa-users] Troubles with extending FreeIPA Web UI to fit my environment

Mateusz Małek mmalek at iisg.agh.edu.pl
Thu Aug 27 03:17:18 UTC 2015


Hi everyone,

We're trying to adjust FreeIPA to our environment... quite a bit. Here 
are some bullet points:

1. User home directory location is dependent on user primary group and 
its value should be autogenerated on user creation.
2. User administrator should be able to select user account type (its 
primary group) in some user-friendly way from pre-determined list of 
possible choices - without the need to remember GID number associated 
with each account type.
3. Passwords need to be generated automatically, so user administrator 
won't be required to invent them for every single user. It should appear 
on-screen after user account creation.
4. If username was not provided, it should also be generated using some 
pre-determined method. It also should be shown after creating new user.
5. Some user accounts have an expiration date and need to be renewed 
every year. User administrator should be able to extend user account 
validity with single mouse-click in Web UI (with additional click for 
confirmation prompt, probably).
6. Many user account attributes are not in use in our environment - they 
should be hidden in Web UI to avoid confusion (for example job title in 
search view).

And probably the most important thing: *all these things have to be 
done without modifying files installed from RPM package* - we are using 
ipa-server from CentOS 7 repositories and we don't want things to break 
on update.

Point 1 was an easy one - we used additional script in ipalib/plugins and 
user_add.register_pre_callback to hook into user account creation 
process. We also use this hook to assign gidNumber based on "User class" 
specified in account creation form in Web UI (point 2).
Unfortunately, I have trouble with point 4 - uid attribute is specified 
in takes_params with default_from=lambda givenname, sn: givenname[0] + 
sn and when hook gets called, entry is already filled with this default 
value. How can I override this behavior? Is it at least possible to 
distinguish (in hook code) between value generated using default_from 
and value manually typed into account creation form? (It seems that 
default value is also checked for duplicates before calling hook - this 
still needs to be overridden, as it will prevent our usernames generator 
from even getting called.)

For points 3, 5, 6 and to limit available choices in 2, we need to plug 
into Web UI. Samples at https://pvoborni.fedorapeople.org/plugins/ 
provided us with some basic info how to write plugins. I've copied 
pre-minified freeipa/user.js file and turned it into a plugin.
However, I face some issues when I register my module under different 
entity name instead of overriding user (I want to keep original user 
module available) - reg.entity.register({type: 'new-user', spec: 
exp.entity_spec}); - I get "IPA Error 3004: MaxArgumentError: command 
'user_find' takes at most 1 argument".
It seems that check if (that.entity !== that.managed_entity) in 
freeipa/search.js fails (condition is true), which causes 
managed_entity_pkey_prefix function to return [""] instead of [] - 
object inspection shows both entity and managed_entity refer to user 
entity, but probably these are two different JS objects (and that's why 
they are considered different). Am I doing something wrong or is it some 
bug?

Best regards
Mateusz Małek

Intelligent Information Systems Group
Department of Computer Science
AGH University of Science and Technology, Kraków, Poland



