[Freeipa-users] Troubles with extending FreeIPA Web UI to fit my environment

Petr Vobornik pvoborni at redhat.com
Tue Sep 1 11:27:40 UTC 2015


On 08/27/2015 05:17 AM, Mateusz Małek wrote:
> Hi everyone,
>
> We're trying to adjust FreeIPA to our environment... quite a bit. Here
> are some bullet points:
>
> 1. User home directory location is dependent on user primary group and
> its value should be autogenerated on user creation.
> 2. User administrator should be able to select user account type (its
> primary group) in some user-friendly way from pre-determined list of
> possible choices - without the need to remember GID number associated
> with each account type.
> 3. Passwords need to be generated automatically, so user administrator
> won't be required to invent them for every single user. It should appear
> on-screen after user account creation.
> 4. If username was not provided, it should also be generated using some
> pre-determined method. It also should be shown after creating new user.
> 5. Some user accounts have an expiration date and need to be renewed
> every year. User administrator should be able to extend user account
> validity with single mouse-click in Web UI (with additional click for
> confirmation prompt, probably).
> 6. Many user account attributes are not in use in our environment - they
> should be hidden in Web UI to avoid confusion (for example job title in
> search view).
>
> And probably the most important thing: *all these things have to be
> done without modifying files installed from RPM package* - we are using
> ipa-server from CentOS 7 repositories and we don't want things to break
> on update.
>
> Point 1 was an easy one - we used additional script in ipalib/plugins and
> user_add.register_pre_callback to hook into user account creation
> process. We also use this hook to assign gidNumber based on "User class"
> specified in account creation form in Web UI (point 2).
> Unfortunately, I have trouble with point 4 - uid attribute is specified
> in takes_params with default_from=lambda givenname, sn: givenname[0] +
> sn and when hook gets called, entry is already filled with this default
> value. How can I override this behavior? Is it at least possible to
> distinguish (in hook code) between value generated using default_from
> and value manually typed into account creation form? (It seems that
> default value is also checked for duplicates before calling hook - this
> still needs to be overridden, as it will prevent our usernames generator
> from even getting called.)
>
> For points 3, 5, 6 and to limit available choices in 2, we need to plug
> into Web UI. Samples at https://pvoborni.fedorapeople.org/plugins/
> provided us with some basic info how to write plugins.

Glad to read that the plugin support is used. Especially in this scale.

I'd like to ask you for feedback. What are the main things that would 
make extending IPA easier for you?

> I've copied
> pre-minified freeipa/user.js file and turned it into a plugin.
> However, I face some issues when I register my module under different
> entity name instead of overriding user (I want to keep original user
> module available)

Just curious, why do you want to keep the original user entity object?

> - reg.entity.register({type: 'new-user', spec:
> exp.entity_spec}); - I get "IPA Error 3004: MaxArgumentError: command
> 'user_find' takes at most 1 argument".

> It seems that check if (that.entity !== that.managed_entity) in
> freeipa/search.js fails (condition is true), which causes
> managed_entity_pkey_prefix function to return [""] instead of [] -
> object inspection shows both entity and managed_entity refer to user
> entity, but probably these are two different JS objects (and that's why
> they are considered different). Am I doing something wrong or is it some
> bug?

There is no claim that it should work so I would say that it is a 
limitation of original design and unfinished refactoring rather than a bug. The 
code can be improved to support multiple entity objects for the same IPA 
object but I'm worried that it can break something else.

Maybe simple comparison by an entity name would help.

>
> Best regards
> Mateusz Małek
>
> Intelligent Information Systems Group
> Department of Computer Science
> AGH University of Science and Technology, Kraków, Poland
>
-- 
Petr Vobornik
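
The identity check discussed above, next to the comparison by entity name suggested in the reply, as an added example that is not FreeIPA source and not part of the original message. It is a simplified JavaScript model: `makeEntity`, `makeFacet`, `buildFindArgs` and the hard-coded `[""]` prefix are assumptions standing in for the behaviour described in the thread.

```javascript
// Simplified model of the behaviour described in this thread. This is not
// FreeIPA source; every name below is a hypothetical stand-in.

// An entity object as a UI registry would hold it: `type` is the name it
// was registered under, `name` is the IPA object it manages.
function makeEntity(type, name) {
    return { type: type, name: name };
}

// Strict comparison: true only when both references are the same object.
function sameByIdentity(a, b) {
    return a === b;
}

// Comparison by the managed IPA object name, as suggested in the reply.
function sameByName(a, b) {
    return a.name === b.name;
}

// Model of a search facet. The [""] prefix is the value reported in the
// thread when the two entities are considered different (assumption here).
function makeFacet(entity, managedEntity, isSame) {
    return {
        managedEntityPkeyPrefix: function () {
            if (!isSame(entity, managedEntity)) {
                return [""]; // treated as a different entity
            }
            return [];       // same entity: no prefix arguments
        }
    };
}

// Positional arguments sent with the find command: prefix, then the filter.
function buildFindArgs(facet, filter) {
    return facet.managedEntityPkeyPrefix().concat([filter]);
}

// Constructed sample: stock entity and a plugin copy for the same IPA object.
const stockUser = makeEntity("user", "user");
const pluginUser = makeEntity("new-user", "user");

const byIdentity = buildFindArgs(makeFacet(pluginUser, stockUser, sameByIdentity), "alice");
const byName = buildFindArgs(makeFacet(pluginUser, stockUser, sameByName), "alice");

console.log(byIdentity.length); // 2 positional arguments: over the limit of 1
console.log(byName.length);     // 1 positional argument
```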



