[Freeipa-users] Web UI plugins or other extensions

Dmitri Pal dpal at redhat.com
Thu Feb 26 00:18:33 UTC 2015


On 02/25/2015 05:39 PM, Hugh wrote:
> On 2/25/2015 3:11 PM, Dmitri Pal wrote:
>> I think you can start with adding ntUser object class into the list of
>> the object classes in the IPA configuration in UI. That would apply it
>> to the new entries automatically.
> How is that done? I'd rather not have to tweak the package files, since
> that will cause upgrades to be problematic, as you and Petr said.
Log into UI. Go to IPA Server -> Configuration.
See default user objectclasses, add a new one: ntUser.
Save configuration. Add a new user in UI or command line. Check his 
object classes with --raw using the command line. It should now show that the 
entry has the new object class applied to it.

But I just checked the schema
objectClasses: ( 2.16.840.1.113730.3.2.8 NAME 'ntUser' DESC 'Netscape 
defined objectclass' SUP top MUST ( ntUserDomainId ) MAY ( description $ 
l $ ou $ seeAlso $ ntUserPriv $ ntUserHomeDir $ ntUserComment $ 
ntUserFlags $ ntUserScriptPath $ ntUserAuthFlags $ ntUserUsrComment $ 
ntUserParms $ ntUserWorkstations $ ntUserLastLogon $ ntUserLastLogoff $ 
ntUserAcctExpires $ ntUserMaxStorage $ ntUserUnitsPerWeek $ 
ntUserLogonHours $ ntUserBadPwCount $ ntUserNumLogons $ 
ntUserLogonServer $ ntUserCountryCode $ ntUserCodePage $ ntUserUniqueId 
$ ntUserPrimaryGroupId $ ntUserProfile $ ntUserHomeDirDrive $ 
ntUserPasswordExpired $ ntUserCreateNewAccount $ ntUserDeleteAccount $ 
ntUniqueId) X-ORIGIN 'Netscape NT Synchronization' )


ntUserDomainId is a required attribute so IPA will be broken.
To overcome it you might want to make it non-mandatory, i.e.


objectClasses: ( 2.16.840.1.113730.3.2.8 NAME 'ntUser' DESC 'Netscape 
defined objectclass' SUP top MAY ( ntUserDomainId $ description $ l $ ou 
$ seeAlso $ ntUserPriv $ ntUserHomeDir $ ntUserComment $ ntUserFlags $ 
ntUserScriptPath $ ntUserAuthFlags $ ntUserUsrComment $ ntUserParms $ 
ntUserWorkstations $ ntUserLastLogon $ ntUserLastLogoff $ 
ntUserAcctExpires $ ntUserMaxStorage $ ntUserUnitsPerWeek $ 
ntUserLogonHours $ ntUserBadPwCount $ ntUserNumLogons $ 
ntUserLogonServer $ ntUserCountryCode $ ntUserCodePage $ ntUserUniqueId 
$ ntUserPrimaryGroupId $ ntUserProfile $ ntUserHomeDirDrive $ 
ntUserPasswordExpired $ ntUserCreateNewAccount $ ntUserDeleteAccount $ 
ntUniqueId) X-ORIGIN 'Netscape NT Synchronization' )

It can be found in the 50ns-directory.ldif

>
>> If that does not work it is probably a bug. If it works you will have
>> the object class right there.
>>
>> Next step is creating attributes
>> - ntUserDomainId - I wonder whether it can be auto-populated using
>> managed entry or CoS configuration in DS. If that works it will be a
>> config change rather than a code change which means it will survive
>> upgrades (most likely).
>> - ntUserCreateNewAccount - should be set to true AFAIU and I wonder if
>> it can be set to true using same managed entry or CoS mechanism.
>>
>> I am not saying that would work but that might work and would avoid
>> doing code changes.
> I couldn't find any decent documentation on managed entries or class of
> service functionality. Can you point me in the right direction?

http://directory.fedoraproject.org/docs/389ds/howto/howto-classofservice.html
http://www.port389.org/docs/389ds/design/managed-entry-design.html

But a quick look does not seem to render what we need to do here.

So here is a workaround.

Create a script that will use the CLI. List all the users that have the ntUser 
object class but do not have ntUserDomainId set.
If you find such entries set proper attributes using ipa user-mod command.

Run it as a cron job every 5 min or so.

You can also make it smarter in future to deal with your special cases.
For example, if your special users follow some naming convention, you can 
strip the object class instead of adding attributes.


This is the best I was able to come up with :-)
>
>> If you are willing to do code changes then it should be possible to just
>> update the user plugin to autopopulate the entries with these
>> attributes. But that would definitely blow up during upgrade.
> Yeah, that's pretty far down on the list of options for this project.
> But, you never know ...
>
> Hugh
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
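The cron-driven reconciliation script sketched in the workaround above, written out as an added example that is not part of the thread: it parses "ipa user-find --all --raw" output for users that carry the ntUser object class but lack ntUserDomainId and emits (or, with DRY_RUN=0, runs) the matching "ipa user-mod" commands. The NT_DOMAIN_ID value and the embedded sample output are constructed assumptions of mine, not values from the thread.

```shell
#!/bin/sh
# Added example: find users with objectclass ntUser but no ntUserDomainId and
# set the attribute via "ipa user-mod". Defaults to a dry run over constructed
# sample data; run with --live (needs a Kerberos ticket) to use real output.
set -eu

NT_DOMAIN_ID="${NT_DOMAIN_ID:-EXAMPLE}"   # assumed placeholder domain id
DRY_RUN="${DRY_RUN:-1}"                   # 1 = print commands, 0 = execute

# Constructed sample of "ipa user-find --all --raw" output (assumed layout:
# entries separated by blank lines, lowercase attribute names).
# alice is complete, bob and carol lack the id, dave has no ntUser class.
sample_raw_output() {
cat <<'EOF'
  uid: alice
  objectclass: ntuser
  ntuserdomainid: EXAMPLE

  uid: bob
  objectclass: top
  objectclass: ntuser

  uid: carol
  objectclass: ntuser
  ntusercreatenewaccount: TRUE

  uid: dave
  objectclass: top
  objectclass: person
EOF
}

# Read raw output on stdin; print uids that have ntUser but no ntUserDomainId.
users_missing_domain_id() {
    awk '
        function flush() { if (uid != "" && has_oc && !has_id) print uid
                           uid = ""; has_oc = 0; has_id = 0 }
        /^[[:space:]]*$/ { flush(); next }
        { line = $0; sub(/^[[:space:]]+/, "", line); sub(/[[:space:]]+$/, "", line)
          i = index(line, ": "); if (i == 0) next
          key = tolower(substr(line, 1, i - 1)); val = substr(line, i + 2)
          if (key == "uid") uid = val
          else if (key == "objectclass" && tolower(val) == "ntuser") has_oc = 1
          else if (key == "ntuserdomainid" && val != "") has_id = 1 }
        END { flush() }'
}

# Build the fix for one uid; print it in dry-run mode, otherwise execute it.
fix_user() {
    set -- ipa user-mod "$1" "--setattr=ntUserDomainId=$NT_DOMAIN_ID"
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

reconcile() { users_missing_domain_id | while read -r u; do fix_user "$u"; done; }

if [ "${1:-}" = "--live" ]; then
    ipa user-find --all --raw --sizelimit=0 | reconcile
else
    sample_raw_output | reconcile
fi
```

For the cron job in the thread, an entry such as `*/5 * * * * DRY_RUN=0 /path/to/script.sh --live` runs it every 5 minutes; review the dry-run output first.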
