[Freeipa-devel] User life cycle: question regarding the design

thierry bordaz tbordaz at redhat.com
Thu May 22 07:51:10 UTC 2014


On 05/21/2014 09:06 PM, Martin Kosek wrote:
> On 05/21/2014 08:14 PM, Simo Sorce wrote:
>> On Wed, 2014-05-21 at 16:01 +0200, thierry bordaz wrote:
>>> Hello,
>>>
>>>      Thanks for all these detailed descriptions.
>>>      Just to be sure we are on the same page, here is my understanding of
>>>      the provisioning templates and placeholder definitions. An
>>>      administrator can provide a provisioning template. I suppose it
>>>      would be a file containing lines of placeholder definitions.
>>>
>>>        * Where is located the template file ? Is there a standard
>>>          repository where templates are put ? (somewhere under 
>>> /etc/ipa/* ?)
>>
>> FreeIPA is a multi-master system, a file stored in a file would be
>> extremely cumbersome to use as it would require the admin to manually
>> copy it for every new replica and then keep it in sync.
>> It would also make it hard to change 'on-line'.
>>
>> Placeholders should be defined in an object similar to
>> cn=ipaConfig,cn=etc,$suffix
>>
>>>        * Is there an already defined syntax for the provisioning
>>>          template? ('$' is the separator between attr/value, %{<attr>} is
>>>          the substitution pattern...). If not, is it possible to use ':<space>' as
>>>          the separator?
>>
>> Using initial and final ? like in Martin's example doesn't work ?
>>
>>>        * What is the priority? The user can provide the 'homeDirectory'
>>>          through different methods. Is it ok to use the following order:
>>>            o the CLI option
>>>            o the provisioning template
>>>            o the default config value (in cn=ipaConfig,cn=etc,$SUFFIX)
>>>
>>>      For example, if the following provisioning template exists:
>>>      /etc/ipa/provisioning/shell-user.template
>>>
>>>          roomnumber$-2
>>>          homeDirectory$/home/net/shell-%{uid}
>>>          loginShell$?shell-plugin-autogenerate?
>>
>> I do not understand this, we are not building a templating engine here,
>> you only have 2 options:
>> 1) a required (MUST) attribute has an explicit value
>> 2) a required (MUST) attribute has a placeholder value
>>
>> the placeholder value is fixed per type, and what it is substituted with
>> uses the same rules as the current code uses to autogenerate values.
>>
>>>      the command: ipa user-add tuser
>>>      --homedir=/tmp/tuser --roomnumber=1234 --to-stage would create a
>>>      staging entry:
>>>
>>>      dn: uid=tuser,cn=staged users,cn=provisioning,$SUFFIX
>>>      ...
>>>      roomNumber: 1234
>>>      homeDirectory: /tmp/tuser
>>>      loginShell: shell-plugin-autogenerate
>>
>> loginShell is a MAY attribute, not a MUST attribute, so nothing should
>> be stored at all in the staged entry unless explicitly provided for by
>> the admin.
>>
>>>      Then a private DS plugin (catching shell-plugin-autogenerate)
>>>      generates the loginShell value when the entry becomes active.
>>>
>>>
>>>      the command: ipa user-add tuser --homedir=/tmp/tuser --to-stage
>>>      would create a staging entry:
>>>
>>>      dn: uid=tuser,cn=staged users,cn=provisioning,$SUFFIX
>>>      ...
>>>      roomNumber: -2
>>>      homeDirectory: /tmp/tuser
>>>      loginShell: shell-plugin-autogenerate
>>
>> roomNumber is also a MAY, so what would cause it to be set at -2, and
>> why ?
>>
>>>      the command: ipa user-add tuser --to-stage would create a
>>>      staging entry:
>>>
>>>      dn: uid=tuser,cn=staged users,cn=provisioning,$SUFFIX
>>>      ...
>>>      roomNumber: -2
>>>      homeDirectory: /home/net/shell-tuser
>>>      loginShell: shell-plugin-autogenerate
>>
>> homeDirectory should be something like: ?placeholder? IMO, we do not
>> really want to play templating here.
>>
>>>      In case the provisioning template does not define 'homeDirectory',
>>>      then the created entry would take the value from the ipa config
>>>      definition:
>>
>> that value should be taken and applied at the time the user is unstaged
>> and brought in the actual tree, not at the time a user is staged.
>>
>> HTH,
>> Simo.
>>
>
> Hello Thierry and Simo,
>
> I think Thierry was confused by this part of the design:
>
> "
> This format of placeholders gives enough space for future
> enhancements. For example, an Administrator could configure a new
> template "myhomedirtemplate$/home/net/%{uid}" and use it in the staged
> LDAP entry. Such a value would be replaced by "/home/net/tuser" if the user
> uid attribute is set to tuser
> "
>
> My intention when writing this design was to enable future use of
> configurable placeholders, i.e. a value "?someplaceholder?" could be
> turned into "/custom/path/%{uid}". But I meant that this can be
> considered as a future enhancement. For now, I think implementing a
> placeholder "-1" for numerical values and "?autogenerate?" for string
> ones is a good start.
>
> Martin
Hello Martin and Simo,

    Thanks for your feedback. I liked the idea of configurable
    placeholders and I was thinking that a kind of template engine
    already existed that I had to follow. Now I understand that in a
    first step, I have to make it run only with '-1|?autogenerate?'
    placeholders and for MUST attributes only. Sorry for the confusion.

    Thierry
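The rule the thread converges on is narrow: a staged entry stores an explicit value for a MUST attribute or a fixed placeholder ("-1" for numeric, "?autogenerate?" for strings), MAY attributes such as loginShell or roomNumber are stored only when the admin supplied them, and the placeholder is resolved from cn=ipaConfig at the moment the user is moved into the active tree, not at staging time. The following is an added illustration of that behaviour, not code from the thread or from FreeIPA. The attribute sets, the config key name ipaHomesRootDir, the id allocator standing in for DNA, and the choice to give gidNumber the same value as uidNumber (user private group) are all assumptions made for the example.

```python
"""Added example (not FreeIPA code): MUST-only placeholders in a staged user
entry, resolved when the entry is activated.

Assumptions (constructed for this example):
  - MUST/MAY attribute sets below are a subset of posixAccount, not read from
    a real schema.
  - config["ipaHomesRootDir"] is the home-directory root; the name is assumed.
  - make_allocator() stands in for the DNA plugin that hands out id numbers.
  - a placeholder gidNumber takes the allocated uidNumber (user private group).
"""
import itertools

NUM_PLACEHOLDER = "-1"              # numeric MUST attribute, value to be allocated
STR_PLACEHOLDER = "?autogenerate?"  # string MUST attribute, value to be generated

STAGED_BASE = "cn=staged users,cn=provisioning,$SUFFIX"
ACTIVE_BASE = "cn=users,cn=accounts,$SUFFIX"

MUST_ATTRS = ("uidNumber", "gidNumber", "homeDirectory")  # besides uid, cn, sn
NUMERIC_ATTRS = {"uidNumber", "gidNumber"}
MAY_ATTRS = {"loginShell", "roomNumber"}


def stage_user(uid, first, last, **options):
    """Build a staged entry. Explicit options win; every MUST attribute not
    given gets the typed placeholder; MAY attributes appear only if given."""
    entry = {
        "dn": f"uid={uid},{STAGED_BASE}",
        "uid": uid,
        "cn": f"{first} {last}",
        "sn": last,
        "givenName": first,
    }
    for attr, value in options.items():
        if attr not in MAY_ATTRS and attr not in MUST_ATTRS:
            raise ValueError(f"unknown attribute {attr}")
        entry[attr] = str(value)
    for attr in MUST_ATTRS:
        entry.setdefault(attr, NUM_PLACEHOLDER if attr in NUMERIC_ATTRS else STR_PLACEHOLDER)
    return entry


def validate_staged(entry):
    """Problems an activation step should refuse on: a MUST attribute that is
    absent altogether, or a placeholder smuggled into a MAY attribute."""
    problems = []
    for attr in MUST_ATTRS:
        if attr not in entry:
            problems.append(f"missing MUST attribute {attr}")
    for attr in MAY_ATTRS:
        if entry.get(attr) in (NUM_PLACEHOLDER, STR_PLACEHOLDER):
            problems.append(f"placeholder in MAY attribute {attr}")
    return problems


def activate_user(entry, config, next_id):
    """Move a staged entry to the active tree, resolving placeholders with the
    config that is current at activation time. Explicit values pass through."""
    problems = validate_staged(entry)
    if problems:
        raise ValueError("; ".join(problems))
    active = dict(entry)
    active["dn"] = f"uid={entry['uid']},{ACTIVE_BASE}"
    if active["uidNumber"] == NUM_PLACEHOLDER:
        active["uidNumber"] = str(next_id())
    if active["gidNumber"] == NUM_PLACEHOLDER:
        active["gidNumber"] = active["uidNumber"]  # assumption: user private group
    if active["homeDirectory"] == STR_PLACEHOLDER:
        root = config["ipaHomesRootDir"].rstrip("/")
        active["homeDirectory"] = f"{root}/{entry['uid']}"
    leftover = [a for a, v in active.items() if v in (NUM_PLACEHOLDER, STR_PLACEHOLDER)]
    if leftover:
        raise ValueError(f"unresolved placeholders: {leftover}")
    return active


def make_allocator(start):
    """Monotonic id source standing in for the DNA plugin (assumption)."""
    counter = itertools.count(start)
    return lambda: next(counter)


if __name__ == "__main__":
    cfg = {"ipaHomesRootDir": "/home"}
    staged = stage_user("tuser", "Test", "User", homeDirectory="/tmp/tuser")
    print(staged)
    print(activate_user(staged, cfg, make_allocator(1000)))
```

Two points the example makes concrete: the CLI option beats the config default simply because an explicit value is never a placeholder, so nothing in activate_user touches it; and because resolution happens in activate_user rather than stage_user, a change to ipaHomesRootDir between staging and activation is picked up, which is the behaviour Simo asks for.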
