[Freeipa-users] Web UI plugins or other extensions

Dmitri Pal dpal at redhat.com
Wed Feb 25 17:02:58 UTC 2015


On 02/25/2015 09:53 AM, Petr Vobornik wrote:
> On 02/25/2015 09:12 AM, Hugh wrote:
>> All,
>>
>> We're running ipa-server-3.0.0-42/389-ds-base-1.2.11.15-48 on CentOS
>> 6.5. We've set up synching between our IPA and AD and that seems to be
>> working. What we'd like to do now is allow admins when they're creating
>> users in IPA to be able to set those users up for synching to AD with
>> the web UI without having to drop to the command line or edit LDAP
>> directly. As you know, in order to synch from IPA->AD, you need to add
>> the ntuser objectclass and the ntUserDomainId and ntUserCreateNewAccount
>> attributes. However, those attributes/class are not in the web UI by
>> default and from what I can see, our version of ipa-server/DS does not
>> have support for web UI plugins. Is that true? Is there any way to be
>> able to set a user to be synched via the web UI?
>>
>> Thanks,
>>
>> Hugh
>>
>
> Hello Hugh,
>
> it could be done in 3.0 by direct manipulation of 
> /usr/share/ipa/ui/user.js. Doing that is ugly and breaks on rpm 
> upgrades. IIUC, the goal would be to simulate CLI (API) call:
>
>   $ ipa user-mod bbar --addattr='objectclass=ntuser' \
>       --setattr='ntUserDomainId=foo' --setattr='ntUserCreateNewAccount=True'
>
> Adding ntUserDomainId and ntUserDomainId is easy - it's just one 
> declaration in the list of fields.  But adding the objectclass isn't.
>
> Current pattern is that the object classes (which are not added by 
> default) are added in ipalib backend plugin if attribute is present in 
> the mod list for the first time for the object.
>
> I would discourage doing that in Web UI. But in theory it can be done. 
> One has to add multivalued field named objectclass and then he can add 
> new ones and delete others. But this is bad UX. Better would be to add 
> the objectclass attr on demand on update but it requires direct 
> modification of update code which is more difficult (don't know it 
> off the top of my head).
>
> HTH

But let us step back and ask the question why do you need to create the 
users you sync manually first?
The users in a specific OU will be synced anyways without you manually 
creating them in IPA.
So it is unclear why the whole thing is actually needed.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
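
The backend pattern described in the quoted reply (a non-default object class is added the first time one of its attributes appears in a modification), as an added example that is not part of the original thread and not FreeIPA's own code. It models entries as plain dicts rather than using the ipalib or LDAP APIs; `plan_update` and the sample entry are hypothetical and constructed for illustration.

```python
# Added example: standalone model of "add the objectclass on demand".
# Plain dicts only; this is not the real ipalib or python-ldap API.

SYNC_OBJECTCLASS = "ntuser"
SYNC_ATTRS = ("ntuserdomainid", "ntusercreatenewaccount")

# Constructed sample entry (not taken from a real directory).
ENTRY = {"uid": ["bbar"], "objectClass": ["top", "person", "posixaccount"]}


def plan_update(current_entry, requested_mods):
    """Return the attribute dict to write for a user modification.

    current_entry:  attributes as stored, e.g. {"objectClass": [...]}
    requested_mods: attributes the admin changed in the form
    LDAP attribute names and objectclass values are case-insensitive,
    so every comparison is done on lowercased names.
    """
    mods = {name.lower(): list(vals) for name, vals in requested_mods.items()}

    # Only act when a sync attribute is being given a non-empty value.
    if not any(mods.get(attr) for attr in SYNC_ATTRS):
        return mods

    # Start from the stored classes unless the caller supplied a list.
    classes = mods.get("objectclass")
    if classes is None:
        stored = {k.lower(): v for k, v in current_entry.items()}
        classes = list(stored.get("objectclass", []))

    # Append the class once; an entry that already has it is left alone,
    # so repeated edits never rewrite or duplicate objectclass values.
    if SYNC_OBJECTCLASS not in (c.lower() for c in classes):
        classes.append(SYNC_OBJECTCLASS)
        mods["objectclass"] = classes
    return mods


if __name__ == "__main__":
    print(plan_update(ENTRY, {"ntUserDomainId": ["foo"],
                              "ntUserCreateNewAccount": ["True"]}))
```
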



