[Freeipa-devel] [RFC] Creating a new plugin to make it simpler to add users via LDAP

Petr Viktorin pviktori at redhat.com
Thu Feb 14 15:29:35 UTC 2013


On 02/14/2013 04:22 PM, Rich Megginson wrote:
> On 02/14/2013 01:59 AM, Petr Viktorin wrote:
>> On 02/13/2013 07:11 PM, Simo Sorce wrote:
>>> On Wed, 2013-02-13 at 10:57 -0700, Rich Megginson wrote:
>>>
>>>>> Rich,
>>>>> is there potential for deadlocking here due to the new transaction
>>>>> stuff? Or can we single out this plugin to run before *any*
>>>>> transaction is started?
>>>
>>>> If you do this in a "regular" pre-op, not a "betxn" pre-op, then it
>>>> should be fine.
>>>
>>> Ok in this case we should be able to create a regular pre-op plugin to
>>> intercept the ldap add call and then use the following flow:
>>> client --(LDAP)--> 389DS --(HTTP/json)--> framework --(LDAP)--> add
>>>
>>> So no deadlocks will happen, the remaining issue is how to make sure we
>>> do not loop by mistake in the second add.
>>>
>>> One way could be to have loop detection so that if more than two (1.
>>> original, 2. framework) adds for the same DN come in we just return
>>> errors. Another way is to use a special objectclass as I proposed in the
>>> thread and make sure the framework explicitly blacklists it so that it
>>> can never try to send an add with the special oc even by mistake or user
>>> misconfiguration.
>>>
>>
>> And a third way is a separate LDAP tree.
>>
>> I'm not familiar with what DS plugins can do. Can we craft one that
>> intercepts all read operations on "cn=HR tree,$SUFFIX" and does them
>> on "cn=users,cn=accounts,$SUFFIX" instead (using that tree's
>> permissions), and forwards all write operations on "cn=HR tree" to IPA
>> via JSON?
> Yes.

Then I recommend doing this. It avoids problems with delegation (the 
"real" tree permissions are used) and looping (plugin and IPA write to 
separate trees). Other operations (deletes, mods) can be either 
similarly delegated to the "real" tree, or passed through IPA if we want 
to do that in the future. Problems with replication can be solved by 
just not replicating the separate tree.
It also doesn't pollute core IPA with special cases, which is what 
worries me.


-- 
Petr³
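Added illustration, not code from FreeIPA or 389-DS: a Python simulation of the routing decisions a regular (non-betxn) pre-op would make under the separate-tree design above, with Simo's per-DN add counter kept as a second loop guard. Reads under "cn=HR tree,$SUFFIX" are rewritten to "cn=users,cn=accounts,$SUFFIX"; adds under the HR tree become an IPA JSON-RPC user_add request; anything under the real users container is passed through untouched, which is why the framework's own write cannot re-enter the plugin. The suffix, the attribute-to-option mapping, the add limit and the naive DN normalization are assumptions for the example.

```python
"""Simulation of pre-op routing for the "separate LDAP tree" design.

This is an added example, not a 389-DS plugin and not FreeIPA code. The
suffix, attribute mapping and add limit below are assumptions.
"""

SUFFIX = "dc=example,dc=com"                   # assumed suffix
HR_TREE = "cn=HR tree," + SUFFIX               # separate tree from the thread
USERS_TREE = "cn=users,cn=accounts," + SUFFIX  # IPA's real users container
MAX_ADDS_PER_DN = 2                            # 1 original + 1 from the framework


def normalize_dn(dn):
    # Naive normalization (split on ',', lowercase, strip); good enough for
    # the example, not an RFC 4514 parser.
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_subtree(dn, base):
    ndn, nbase = normalize_dn(dn), normalize_dn(base)
    return ndn == nbase or ndn.endswith("," + nbase)


def rewrite_to_real_tree(dn):
    # "uid=x,cn=HR tree,$SUFFIX" -> "uid=x,cn=users,cn=accounts,$SUFFIX"
    rdns = normalize_dn(dn)[: -len(normalize_dn(HR_TREE))].rstrip(",")
    return rdns + "," + USERS_TREE if rdns else USERS_TREE


def to_ipa_request(attrs):
    # IPA JSON-RPC shape: params = [positional args, keyword args].
    # Which LDAP attributes map to which user_add options is an assumption.
    a = {k.lower(): v for k, v in attrs.items()}
    return {
        "method": "user_add",
        "params": [[a["uid"][0]], {"givenname": a["givenname"][0],
                                   "sn": a["sn"][0]}],
        "id": 0,
    }


class PreopRouter:
    """Decides, per operation, what the hypothetical pre-op hook would do."""

    def __init__(self):
        self.adds_seen = {}  # normalized DN -> number of adds intercepted

    def route(self, op, dn, attrs=None):
        if not in_subtree(dn, HR_TREE):
            # Not under the HR tree: includes the framework's own add to
            # cn=users,cn=accounts, so the forwarded write never loops back.
            return {"action": "passthrough"}
        if op in ("search", "compare"):
            # Reads are served from the real tree, under its permissions.
            return {"action": "rewrite", "dn": rewrite_to_real_tree(dn)}
        if op == "add":
            key = normalize_dn(dn)
            self.adds_seen[key] = self.adds_seen.get(key, 0) + 1
            if self.adds_seen[key] > MAX_ADDS_PER_DN:
                # Belt-and-braces loop guard from the thread: more adds for
                # one DN than the client->389DS->framework flow can produce.
                return {"action": "error", "reason": "loop detected"}
            # Write goes to the framework over HTTP/JSON instead of LDAP.
            return {"action": "forward", "request": to_ipa_request(attrs)}
        return {"action": "error", "reason": "unsupported op under HR tree: " + op}


if __name__ == "__main__":
    r = PreopRouter()
    # Constructed sample entry.
    attrs = {"objectClass": ["inetOrgPerson"], "uid": ["alice"],
             "givenName": ["Alice"], "sn": ["Liddell"]}
    print(r.route("search", "uid=alice,cn=HR tree," + SUFFIX))
    print(r.route("add", "uid=alice,cn=HR tree," + SUFFIX, attrs))
    print(r.route("add", "uid=alice," + USERS_TREE, attrs))
```

In a real plugin the rewrite would be applied to the search base in the operation's pblock and the forwarded request sent with the caller's identity (e.g. via a proxy credential the framework trusts); the simulation only returns the decision.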
