[Freeipa-devel] [RFC] Creating a new plugin to make it simpler to add users via LDAP
Simo Sorce
simo at redhat.com
Wed Feb 13 17:53:21 UTC 2013
On Wed, 2013-02-13 at 12:40 -0500, John Dennis wrote:
> I appreciate Simo's concern for authorization and audit in this process;
> we must solve that problem. If I understand the proposal correctly, it's
> akin to recording a macro that can be replayed. The framework executes
> as normal, but instead of issuing the LDAP modify commands we record
> them. Then, after the entire command completes, we send the recorded
> operations back to 389DS in some form. Did I understand this correctly?
> If so, I'm very much against the idea of sending JSON back to 389DS to
> execute the totality of the operation. Why? It either breaks or has the
> potential to break our entire processing model: pre and post operations,
> validity checks (e.g. querying the current state), user-supplied plugins,
> etc. I could see this working in some limited cases, which might give you
> the illusion it would work. But the only robust general solution I think
> we can sign up for supporting is to use the API commands we designed,
> period. Anything else just seems like a nightmare scenario of corner cases.
>
> Therefore I think the proposal of watching something (yet to be
> determined), calling our API commands, and then cleaning up the watched
> entity afterwards is the best approach. Figuring out how to
> authenticate/authorize/audit this is the primary challenge, a challenge
> far more manageable than trying to subvert the framework with every
> known and unknown risk that introduces. It's hard enough as it is
> assuring our documented API works correctly. Our API is the only thing I
> think we can realistically commit to supporting.
See my reply to Petr: it can be done the way you ask (i.e. the framework does
the actual LDAP add); the only concern I have is looping and deadlocks.
If we can solve the looping and potential deadlocking concerns, I think
we can avoid the JSON reply and let the framework do the actual final
LDAP add.
Simo.
--
Simo Sorce * Red Hat, Inc * New York