[Freeipa-devel] [PATCH] New plugin - ipa-winsync - for Windows sync support

Rich Megginson rmeggins at redhat.com
Tue Sep 16 18:09:47 UTC 2008


Rob Crittenden wrote:
> Rich Megginson wrote:
>> ipa-winsync is a new SLAPI plugin that allows IPA to hook into 
>> windows AD <-> dirsrv user addition and modification, so that it can 
>> add additional objectclasses and attributes required by IPA.  This 
>> depends on an as-yet-unreleased Fedora DS windows sync api, so it 
>> won't compile out in the wild just yet.  It also depends on the DNA 
>> plugin to automatically assign the uidNumber.
>>
>> Several plugin points have been added to the existing windows sync 
>> code to allow for callbacks in several places
>> * just before a DS user/group entry is added to AD
>> * just before an AD user/group entry is added to DS
>> * just before modifications are sent in either direction
>> * just before/after a total update occurs
>> * just before/after an incremental update occurs
>> * to get the DN of what a new DS entry synced from AD will be
>>
>> And others.  This is how IPA uses these:
>> * NOTE: for this first version, the plugin only cares about user 
>> entries, not groups
>> * at startup, IPA reads its global config from its plugin config entry
>> * when the sync agreement is created, the IPA agmt init callback is 
>> called with the DS subtree and the AD subtree.  The DS subtree should 
>> be the user container (i.e. cn=users,cn=accounts,<suffix>).  The IPA 
>> winsync plugin creates a domain specific callback object which will 
>> be passed back to every callback.
>> * just before an init or update, the IPA winsync plugin is called.  
>> The plugin searches the IPA configuration entries looking for 
>> information like the Kerberos realm name, the list of objectclasses 
>> to add to new entries, the posix homeDirectory prefix, and the 
>> default gidNumber.  It also grabs other information from the global 
>> plugin config, such as the list of default attributes and values to 
>> add to each user entry.  It stores this information in the domain 
>> specific config callback object
>> * windows sync code calls into ipa-winsync to get the new user DN.  
>> By default, ipa-winsync will "flatten" the DN.  In AD it is common to 
>> have users grouped into OUs - IPA will "flatten" these into just the 
>> cn=users,cn=accounts container, and store the OUs in the OU attribute 
>> in the new user entry
>> * windows sync code calls into ipa-winsync to add the new user - the 
>> callback adds the list of objectclasses and attributes if any.  There 
>> are a couple of attributes which get special handling
>> ** krbPrincipalName - this is equal to the samAccountName (== uid) 
>> '@' the realm name from the domain specific config
>> ** homeDirectory - domain config->homedir_prefix (read from ipa 
>> config) '/' samAccountName (== uid)
>> ** gecos - set to the cn
>>
>> I've created a bug to track this and to attach patch files - 
>> https://bugzilla.redhat.com/show_bug.cgi?id=459729
>> Graphical diffs:
>> https://bugzilla.redhat.com/attachment.cgi?id=314729&action=diff
>> https://bugzilla.redhat.com/attachment.cgi?id=314730&action=diff
>> https://bugzilla.redhat.com/attachment.cgi?id=314731&action=diff
>> https://bugzilla.redhat.com/attachment.cgi?id=314732&action=diff
>> https://bugzilla.redhat.com/attachment.cgi?id=314733&action=diff
>>
>> Raw patch files:
>> https://bugzilla.redhat.com/attachment.cgi?id=314729
>> https://bugzilla.redhat.com/attachment.cgi?id=314730
>> https://bugzilla.redhat.com/attachment.cgi?id=314731
>> https://bugzilla.redhat.com/attachment.cgi?id=314732
>> https://bugzilla.redhat.com/attachment.cgi?id=314733
>
> Some comments on the tools:
>
> Are port, binddn, bindpw, and cacert only used with winsync? It 
> appears that way so we need to detect that and not ignore options that 
> are passed in. In other words, require --winsync if these are used.
It's possible they could be used outside of winsync.
>
> In erase_ds_instance_data() looks like you added 64-bit support but 
> you are removing /usr/lib64/... and on 32-bit we remove /var/lib/... 
> What's the difference?
64-bit DS uses /usr/lib64/dirsrv/slapd-instancename - that needs to be 
erased.  /var/lib is used on both 64-bit and 32-bit
>
> Did you mean to include the patch to not remove logs when an instance 
> is removed?
I didn't know if IPA wanted to keep the logs or not.  So I put that in 
there commented out to show what else would need to be erased if you 
wanted to remove everything.  I didn't know if IPA needed to keep the 
logs around for some reason (e.g. an audit trail).
>
> rob
>
>
>
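The AD to DS user mapping that the quoted message describes (DN flattening, the default objectclasses/attributes, and the specially handled krbPrincipalName, homeDirectory and gecos), as an added Python model; this is not the ipa-winsync plugin's own code. It assumes the DS RDN is `uid=<sAMAccountName>`, that DNs contain no escaped commas, and the config and AD entry values are constructed samples.

```python
# Added example modelling the ipa-winsync user mapping; not the plugin's code.
# Assumed: DS RDN is uid=<sAMAccountName>, no escaped commas in DNs.
from dataclasses import dataclass, field

@dataclass
class DomainConfig:
    realm: str                 # Kerberos realm name (from IPA config)
    homedir_prefix: str        # posix homeDirectory prefix
    default_gid: int           # default gidNumber
    ds_subtree: str            # cn=users,cn=accounts,<suffix>
    objectclasses: list = field(default_factory=list)   # added to new entries
    default_attrs: dict = field(default_factory=dict)   # added to new entries

def split_dn(dn):
    """Split a DN into (type, value) pairs; assumes no escaped commas."""
    return [tuple(p.strip().split("=", 1)) for p in dn.split(",")]

def flatten_dn(ad_dn, uid, cfg):
    """Place the user directly in the DS user container and return the
    OU names from the AD DN so they can be stored in the ou attribute."""
    ous = [v for t, v in split_dn(ad_dn) if t.lower() == "ou"]
    return f"uid={uid},{cfg.ds_subtree}", ous

def map_ad_user(ad_entry, cfg):
    """Build the DS entry ipa-winsync would add for a synced AD user.
    uidNumber is left to the DNA plugin, as the thread describes."""
    uid, cn = ad_entry["sAMAccountName"], ad_entry["cn"]
    dn, ous = flatten_dn(ad_entry["dn"], uid, cfg)
    entry = {"dn": dn, "uid": [uid], "cn": [cn],
             "objectClass": list(cfg.objectclasses)}
    for attr, values in cfg.default_attrs.items():
        entry[attr] = list(values)
    # attributes that get special handling
    entry["krbPrincipalName"] = [f"{uid}@{cfg.realm}"]
    entry["homeDirectory"] = [f"{cfg.homedir_prefix}/{uid}"]
    entry["gecos"] = [cn]
    entry["gidNumber"] = [str(cfg.default_gid)]
    if ous:
        entry["ou"] = ous
    return entry

# Constructed sample configuration and AD entry (not real values).
SAMPLE_CONFIG = DomainConfig(
    realm="EXAMPLE.TEST", homedir_prefix="/home", default_gid=1000,
    ds_subtree="cn=users,cn=accounts,dc=example,dc=test",
    objectclasses=["top", "person", "posixAccount", "krbPrincipalAux"],
    default_attrs={"loginShell": ["/bin/sh"]})
SAMPLE_AD_USER = {"dn": "CN=Jane Doe,OU=Engineering,OU=Staff,DC=ad,DC=example,DC=test",
                  "sAMAccountName": "jdoe", "cn": "Jane Doe"}
```

Running `map_ad_user(SAMPLE_AD_USER, SAMPLE_CONFIG)` yields a user placed directly under the DS user container with `ou` holding both AD OU names.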
