[Freeipa-users] Web UI plugins or other extensions

Petr Vobornik pvoborni at redhat.com
Wed Feb 25 14:53:22 UTC 2015


On 02/25/2015 09:12 AM, Hugh wrote:
> All,
>
> We're running ipa-server-3.0.0-42/389-ds-base-1.2.11.15-48 on CentOS
> 6.5. We've set up synching between our IPA and AD and that seems to be
> working. What we'd like to do now is allow admins when they're creating
> users in IPA to be able to set those users up for synching to AD with
> the web UI without having to drop to the command line or edit LDAP
> directly. As you know, in order to synch from IPA->AD, you need to add
> the ntuser objectclass and the ntUserDomainId and ntUserCreateNewAccount
> attributes. However, those attributes/class are not in the web UI by
> default and from what I can see, our version of ipa-server/DS does not
> have support for web UI plugins. Is that true? Is there any way to be
> able to set a user to be synched via the web UI?
>
> Thanks,
>
> Hugh
>

Hello Hugh,

It could be done in 3.0 by direct manipulation of 
/usr/share/ipa/ui/user.js. Doing that is ugly and breaks on rpm upgrades. 
IIUC, the goal would be to simulate the CLI (API) call:

   $ ipa user-mod bbar --addattr='objectclass=ntuser' --setattr='ntUserDomainId=foo' --setattr='ntUserDomainId=True'

Adding ntUserDomainId and ntUserDomainId is easy - it's just one 
declaration in the list of fields.  But adding the objectclass isn't.

The current pattern is that the object classes (which are not added by 
default) are added in the ipalib backend plugin if the attribute is present in 
the mod list for the first time for the object.

I would discourage doing that in the Web UI. But in theory it can be done. 
One has to add a multivalued field named objectclass and then one can add 
new ones and delete others. But this is bad UX. Better would be to add 
the objectclass attr on demand on update, but it requires direct 
modification of the update code, which is more difficult (I don't know it 
off the top of my head).

HTH
-- 
Petr Vobornik
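
The backend pattern described in the reply above (an objectclass is added the first time one of its attributes appears in the modification), modelled as an added example that is not part of the original message and is not ipalib code. The function name, the mapping table and the sample entries in it are assumptions.

```python
# Added illustration: a stand-alone model of the "add objectclass on demand"
# pattern. It does not import or call ipalib; all names are hypothetical.

# Attributes named in the thread, mapped to the objectclass that permits them.
REQUIRED_OBJECTCLASS = {
    "ntuserdomainid": "ntUser",
    "ntusercreatenewaccount": "ntUser",
}


def add_objectclasses_on_demand(current_objectclasses, mods):
    """Return a copy of mods with any missing objectclass added.

    current_objectclasses: objectclass values already stored on the entry.
    mods: dict of attribute name -> new value(s) requested by the caller
          (an explicit list under the key "objectclass" is honoured).
    """
    result = dict(mods)
    # An explicit objectclass list in the request wins over the stored one.
    base = result.get("objectclass", current_objectclasses)
    classes = list(base)
    present = {oc.lower() for oc in classes}  # LDAP names are case-insensitive

    for attr, value in mods.items():
        needed = REQUIRED_OBJECTCLASS.get(attr.lower())
        # Empty values are deletions and need no new objectclass.
        if needed is None or value in (None, "", [], ()):
            continue
        if needed.lower() not in present:
            classes.append(needed)
            present.add(needed.lower())

    # Only touch objectclass when something was actually added.
    if len(classes) != len(base):
        result["objectclass"] = classes
    return result
```

Because the objectclass is only written when it is missing, a second update of the same entry produces no objectclass change, which keeps the modification minimal and the audit trail free of no-op writes.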



