[Freeipa-devel] [PATCH] New plugin - ipa-winsync - for Windows sync support

Rob Crittenden rcritten at redhat.com
Tue Sep 16 18:00:30 UTC 2008


Rich Megginson wrote:
> ipa-winsync is a new SLAPI plugin that allows IPA to hook into Windows 
> AD <-> dirsrv user addition and modification, so that it can add 
> additional objectclasses and attributes required by IPA.  This depends 
> on an as-yet-unreleased Fedora DS Windows sync API, so it won't compile 
> out in the wild just yet.  It also depends on the DNA plugin to 
> automatically assign the uidNumber.
> 
> Several plugin points have been added to the existing windows sync code 
> to allow for callbacks in several places
> * just before a DS user/group entry is added to AD
> * just before an AD user/group entry is added to DS
> * just before modifications are sent in either direction
> * just before/after a total update occurs
> * just before/after an incremental update occurs
> * to get the DN of what a new DS entry synced from AD will be
> 
> And others.  This is how IPA uses these:
> * NOTE: for this first version, the plugin only cares about user 
> entries, not groups
> * at startup, IPA reads its global config from its plugin config entry
> * when the sync agreement is created, the IPA agmt init callback is 
> called with the DS subtree and the AD subtree.  The DS subtree should be 
> the user container (i.e. cn=users,cn=accounts,<suffix>).  The IPA 
> winsync plugin creates a domain specific callback object which will be 
> passed back to every callback.
> * just before an init or update, the IPA winsync plugin is called.  The 
> plugin searches the IPA configuration entries looking for information 
> like the Kerberos realm name, the list of objectclasses to add to new 
> entries, the posix homeDirectory prefix, and the default gidNumber.  It 
> also grabs other information from the global plugin config, such as the 
> list of default attributes and values to add to each user entry.  It 
> stores this information in the domain specific config callback object.
> * Windows sync code calls into ipa-winsync to get the new user DN.  By 
> default, ipa-winsync will "flatten" the DN.  In AD it is common to have 
> users grouped into OUs - IPA will "flatten" these into just the 
> cn=users,cn=accounts container, and store the OUs in the OU attribute in 
> the new user entry.
> * Windows sync code calls into ipa-winsync to add the new user - the 
> callback adds the list of objectclasses and attributes, if any.  There 
> are a couple of attributes which get special handling:
> ** krbPrincipalName - this is equal to the samAccountName (== uid) '@' 
> the realm name from the domain specific config
> ** homeDirectory - domain config->homedir_prefix (read from ipa config) 
> '/' samAccountName (== uid)
> ** gecos - set to the cn
> 
> I've created a bug to track this and to attach patch files - 
> https://bugzilla.redhat.com/show_bug.cgi?id=459729
> Graphical diffs:
> https://bugzilla.redhat.com/attachment.cgi?id=314729&action=diff
> https://bugzilla.redhat.com/attachment.cgi?id=314730&action=diff
> https://bugzilla.redhat.com/attachment.cgi?id=314731&action=diff
> https://bugzilla.redhat.com/attachment.cgi?id=314732&action=diff
> https://bugzilla.redhat.com/attachment.cgi?id=314733&action=diff
> 
> Raw patch files:
> https://bugzilla.redhat.com/attachment.cgi?id=314729
> https://bugzilla.redhat.com/attachment.cgi?id=314730
> https://bugzilla.redhat.com/attachment.cgi?id=314731
> https://bugzilla.redhat.com/attachment.cgi?id=314732
> https://bugzilla.redhat.com/attachment.cgi?id=314733

Some comments on the tools:

Are port, binddn, bindpw, and cacert only used with winsync? It appears 
that way so we need to detect that and not ignore options that are 
passed in. In other words, require --winsync if these are used.

In erase_ds_instance_data() it looks like you added 64-bit support, but you 
are removing /usr/lib64/... and on 32-bit we remove /var/lib/... What's 
the difference?

Did you mean to include the patch to not remove logs when an instance is 
removed?

rob
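
The AD-to-DS user mapping described in the quoted message, as an added Python model that is not part of the ipa-winsync plugin (which is a C SLAPI plugin): it flattens the AD DN into the cn=users,cn=accounts container, records the OUs, and derives krbPrincipalName, homeDirectory and gecos. The realm, homedir prefix, suffix, default objectclasses, default gidNumber and the sample AD entry are all assumed values, and uidNumber is deliberately left out because the DNA plugin assigns it.

```python
# Constructed stand-ins for what the plugin reads from the IPA config and
# the global plugin config entry (all values assumed).
REALM = "EXAMPLE.COM"
HOMEDIR_PREFIX = "/home"
SUFFIX = "dc=example,dc=com"
DEFAULT_OBJECTCLASSES = ["posixAccount", "inetUser", "krbPrincipalAux"]
DEFAULT_GID = "500"


def parse_dn(dn):
    """Split a plain DN into (attr, value) pairs, leaf first.
    No RFC 4514 escaping support: meant for the constructed input below."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.lower(), value))
    return pairs


def flatten_dn(ad_dn, uid):
    """Return the flattened DS DN and the AD OUs (nearest first) it dropped.
    The uid=<sAMAccountName> RDN is assumed to match IPA's user naming."""
    ous = [value for attr, value in parse_dn(ad_dn)[1:] if attr == "ou"]
    return f"uid={uid},cn=users,cn=accounts,{SUFFIX}", ous


def map_ad_user(ad_dn, ad_entry):
    """Build the DS user entry ipa-winsync would add for an AD user.
    sAMAccountName becomes uid; OUs are kept in the 'ou' attribute."""
    sam = ad_entry["sAMAccountName"]
    ds_dn, ous = flatten_dn(ad_dn, sam)
    entry = {
        "objectClass": list(DEFAULT_OBJECTCLASSES),
        "uid": sam,
        "cn": ad_entry["cn"],
        "gidNumber": DEFAULT_GID,
        # uidNumber intentionally absent: the DNA plugin assigns it.
        "krbPrincipalName": f"{sam}@{REALM}",
        "homeDirectory": f"{HOMEDIR_PREFIX}/{sam}",
        "gecos": ad_entry["cn"],
    }
    if ous:
        entry["ou"] = ous
    return ds_dn, entry


# Constructed sample: an AD user nested two OUs deep.
SAMPLE_AD_DN = "cn=jdoe,ou=Sales,ou=Europe,dc=ad,dc=example,dc=com"
SAMPLE_AD_ENTRY = {"cn": "John Doe", "sAMAccountName": "jdoe"}

if __name__ == "__main__":
    print(map_ad_user(SAMPLE_AD_DN, SAMPLE_AD_ENTRY))
```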
