[Freeipa-devel] [RFC] Creating a new plugin to make it simpler to add users via LDAP
Rob Crittenden
rcritten at redhat.com
Wed Feb 13 16:44:39 UTC 2013
Simo Sorce wrote:
> On Wed, 2013-02-13 at 16:12 +0100, Petr Viktorin wrote:
>> Our own post-callback assumes the user is already in LDAP, and who
>> knows what user-supplied callbacks will do. Keep in mind IPA is
>> plugable; at least for outside plugins' sake (if not our own sanity's)
>> we should keep the number of code paths to a minimum.
>
> True which is why my proposal is to not use the standard user-add RPC
> call, but have a separate one.
>
> This separate call would only call the core business logic to create the
> user account add operation, but none of the external plumbing.
>
> Ideally we spit the framework flow like this:
>
> Normal user -> Real user-add --- . . . . . . . . . --- LDAP add
> \ /
> -- common logic --
> / \
> 389ds plugin -> Mock user-add -- . . . . . . . . . --- json reply
>
>
> custom plugins should be called in the custom logic an operate on the
> object before the ADD is attempted.
>
> If we do it this way then most of the code path will be in common which
> is what we want, and only the mechanical operation of adding the actual
> object to ldap will be different.
>
> Simo.
>
There is one missing a few steps. A plugin execution looks like:
Normal user -> Real user-add --- pre-op call(s) --- execute (LPAP add
record) --- post-op call(s) which may do additional add/modify
It is the postop calls that would be the problem. They assume that the
entry has already been written (so, for example, it has a valid
UID/GID/ipaUniqueId, etc).
rob
More information about the Freeipa-devel
mailing list