[Freeipa-devel] [RFC] Creating a new plugin to make it simpler to add users via LDAP

Dmitri Pal dpal at redhat.com
Thu Feb 14 02:18:16 UTC 2013 

On 02/13/2013 02:08 PM, Simo Sorce wrote:
> On Wed, 2013-02-13 at 13:30 -0500, Rob Crittenden wrote:
>> Simo Sorce wrote:
>>> On Wed, 2013-02-13 at 12:59 -0500, John Dennis wrote:
>>>> On 02/13/2013 12:53 PM, Simo Sorce wrote:
>>>>
>>>>> If we can solve the looping and potential deadlocking concerns I think
>>>>> we can avoid the json reply and let the framework do the actual final
>>>>> ldap add.
>>>> Could you elaborate on your looping and deadlock concerns? I don't see
>>>> where they would arise if what we're watching is entirely independent of
>>>> our LDAP tree.
>>> I do not understand what you are 'watching' ?
>>>
>>> Simo.
>>>
>> I think he means have a persistent search to watch for new entries and 
>> then act upon them.
> I think a 2 step approach is misguided, so I've written it off from the
> start.
>
> Simo.
>
This all thread smells like rewriting winsync by using internal plugin
and IPA framework.
Is there any chance we can use existing winsync solution to do what we
need but sync from staging instance rather than AD?
Then the flow will be:
HR system -> staging DS instance -> dirsync -> IPA
Couple assumptions:
a) We are satisfied with the security of the existing winsync solution
and authentication used there. I do not see why it should be different
here as it is a very similar use case.
b) I expect we can sync from 389 to 389 with minor config changes and
effectively no code changes
c) The users created via winsync now are created in a proper way so IPA
accepts then as IPA users

This solves the problem of add and delete of the users.
I know that winsync already supports group add/delete but we never
qualified it in IPA. So may be it is time, at least for this use case.
I would really think that this might be a lower cost solution than
writing yet another custom plugin.
Let us try to reuse what we already have.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

More information about the Freeipa-devel mailing list