[Freeipa-users] Troubles with extending FreeIPA Web UI to fit my environment

Rob Crittenden rcritten at redhat.com
Thu Aug 27 13:18:06 UTC 2015


Mateusz Małek wrote:
> Hi everyone,
>
> We're trying to adjust FreeIPA to our environment... quite a bit. Here
> are some bullet points:
>
> 1. User home directory location is dependent on user primary group and
> its value should be autogenerated on user creation.
> 2. User administrator should be able to select user account type (its
> primary group) in some user-friendly way from pre-determined list of
> possible choices - without the need to remember GID number associated
> with each account type.
> 3. Passwords need to be generated automatically, so user administrator
> won't be required to invent them for every single user. It should appear
> on-screen after user account creation.

The ability is there on the CLI (don't know if it is exposed in UI):

$ ipa user-add --first=random --last=user ruser --random
------------------
Added user "ruser"
------------------
   User login: ruser
   First name: random
...
   Random password: Gu8VpULbb9xv
...

rob

> 4. If username was not provided, it should also be generated using some
> pre-determined method. It also should be shown after creating new user.
> 5. Some user accounts have an expiration date and need to be renewed
> every year. User administrator should be able to extend user account
> validity with single mouse-click in Web UI (with additional click for
> confirmation prompt, probably).
> 6. Many user account attributes are not in use in our environment - they
> should be hidden in Web UI to avoid confusion (for example job title in
> search view).
>
> And probably the most important thing: *all these things have to be
> done without modifying files installed from RPM package* - we are using
> ipa-server from CentOS 7 repositories and we don't want things to break
> on update.
>
> Point 1 was an easy one - we used additional script in ipalib/plugins and
> user_add.register_pre_callback to hook into user account creation
> process. We also use this hook to assign gidNumber based on "User class"
> specified in account creation form in Web UI (point 2).
> Unfortunately, I have trouble with point 4 - uid attribute is specified
> in takes_params with default_from=lambda givenname, sn: givenname[0] +
> sn and when hook gets called, entry is already filled with this default
> value. How can I override this behavior? Is it at least possible to
> distinguish (in hook code) between value generated using default_from
> and value manually typed into account creation form? (It seems that
> default value is also checked for duplicates before calling hook - this
> still needs to be overridden, as it will prevent our usernames generator
> from even getting called.)
>
> For points 3, 5, 6 and to limit available choices in 2, we need to plug
> into Web UI. Samples at https://pvoborni.fedorapeople.org/plugins/
> provided us with some basic info how to write plugins. I've copied
> pre-minified freeipa/user.js file and turned it into a plugin.
> However, I face some issues when I register my module under different
> entity name instead of overriding user (I want to keep original user
> module available) - reg.entity.register({type: 'new-user', spec:
> exp.entity_spec}); - I get "IPA Error 3004: MaxArgumentError: command
> 'user_find' takes at most 1 argument".
> It seems that check if (that.entity !== that.managed_entity) in
> freeipa/search.js fails (condition is true), which causes
> managed_entity_pkey_prefix function to return [""] instead of [] -
> object inspection shows both entity and managed_entity refer to user
> entity, but probably these are two different JS objects (and that's why
> they are considered different). Am I doing something wrong or is it some
> bug?
>
> Best regards
> Mateusz Małek
>
> Intelligent Information Systems Group
> Department of Computer Science
> AGH University of Science and Technology, Kraków, Poland
>



