[Freeipa-users] [requirements gathering] Notification system / hooks

Petr Spacek pspacek at redhat.com
Thu Mar 10 15:34:03 UTC 2016


On 10.3.2016 05:06, Mike Kelly wrote:
> As an admin, I want to get a notification when a user's password is reset,
> or when they update their password, so that I can disable a user who does
> not change their password a certain amount of time after it was reset.
> 
> Basically, the goal is to have a way to implement a policy like "if we
> reset your password, and you don't change it to a new one after 2 days,
> we'll lock your account" so that, say, some old email with their password
> in it is unlikely to be valid anymore.

This sounds sensible, thank you.

(re-posting to ipa-users)
For the record and other interested parties:
Please keep in mind that this is NOT intended as an audit mechanism. We
already have audit in the LDAP server, and audit is explicitly out of scope of
this work.

This should provide hooks so vanilla IPA as shipped in packages can be easily
integrated with third-party systems which are present all over the place.

Jan Cholasta identified a few object types which he thinks are interesting from
the hook(s) perspective:
user, group, host, hostgroup, service

The current line of thinking was about adding hooks into the IPA framework so
we are not risking destabilizing or slowing down the DS.

If we want to monitor generic LDAP we could use syncrepl to stay outside of
DS. As far as I understood Honza, this has interesting problems because the
consumer of the notifications from LDAP would have to understand the relations
between IPA LDAP objects etc., which can be quite complicated.

For this reason we were thinking about a kind of limited approach where hooks
are called when using CLI/WebUI/API but not when direct LDAP modifications are
done.


Would that work for you?

Petr^2 Spacek

> 
> On Wed, Mar 9, 2016 at 11:23 AM Petr Spacek <pspacek at redhat.com> wrote:
> 
>> Dear users,
>>
>> FreeIPA team is thinking about adding notification system (or 'hooks') to
>> various parts of FreeIPA.
>>
>> If you happen to know about a use-case for hook or an event you want to
>> react to please let us know.
>>
>> Example:
>> - As admin, I want to call my custom script when a host is deleted. (E.g.
>> to do cleanup in our other internal systems.)
>> - As user, I want to get a notification when ...
>>
>> Be creative and let us know as soon as you find the use-case.
>>
>> Thank you very much!
>>
>>
>> BTW design page is on:
>> http://www.freeipa.org/page/V4/Notification_system
>> (but it is mostly empty at the moment).
>>
>> --
>> Petr^2 Spacek

-- 
Petr^2 Spacek



