To summarize, I think this is how we will proceed.
Create a new plugin, automember, based heavily on the work already done.
The container_dn will be cn=automember,cn=etc. If automembership is
preferred I can be flexible but using the same name everywhere makes
things easy to follow.
The DN will be of the form: cn=<rule>,cn=<type>,<container_dn>,<base_dn>
The pre-defined automembership types (as defined by the type enumerator)
will be group and hostgroup. The current LDIF will need to drop the
plurality (to become cn=group,cn=automember,cn=etc,$SUFFIX).
type is required for all commands.
The available commands will be:

automember-add                  Add an automember rule
    --type=ENUM                 (hostgroup, group)
    --desc=STR                  description of this auto membership rule
    --inclusive-regex=LIST      Inclusive Regex
    --exclusive-regex=LIST      Exclusive Regex

automember-add-condition        Add conditions to automember rule
    --type=ENUM                 (hostgroup, group)
    --inclusive-regex=LIST      Inclusive Regex
    --exclusive-regex=LIST      Exclusive Regex

automember-del                  Delete an automember rule
    --type=ENUM                 (hostgroup, group)

automember-find                 Search for automember rules
    --type=ENUM                 (hostgroup, group)

automember-mod                  Modify an automember rule.
    --type=ENUM                 (hostgroup, group)
    --desc=STR
    NOTE: you cannot manage inclusive or exclusive conditions via the mod
    command, the helpers need to be used.

automember-remove-condition     Remove conditions from an automember rule
    --type=ENUM                 (hostgroup, group)
    --inclusive-regex=LIST      Inclusive Regex
    --exclusive-regex=LIST      Exclusive Regex

automember-show                 Display an automember rule
    --type=ENUM                 (hostgroup, group)

automember-default-group        Set a default group for auto membership
    --type=ENUM                 (hostgroup, group)
    --name=STR                  Name of entity to put entries that don't match

The current patch is really not very far off of this. Off the top of my
head this is how I'd go about it:
- freeipa.spec needs to have a Requires on 1.2.9, not a BuildRequires
(though it doesn't hurt for them to be the same)
- automembership.ldif, change the container and cns
- constants.py, change the container
- copy the clarity code from hostgroup.py to automember.py and rename
everything
- add flags=[no_update, no_create] to automemberinclusiveregex and
automemberexclusiveregex.
- replace group_dn() with a function dn_exists(). Use the type object's
get_dn() to construct a dn and call ldap.get_entry() on it. Something like:

    from ipalib import errors

    class automember(LDAPObject):
        def dn_exists(self, type, groupname):
            # Build the DN from the target type's object and confirm it exists.
            ldap = self.api.Backend.ldap2
            dn = self.api.Object[type].get_dn(groupname)
            try:
                (gdn, entry_attrs) = ldap.get_entry(dn, [])
            except errors.NotFound:
                # Report the missing group through the object's own handler.
                self.handle_not_found(groupname)
            return gdn

- Use symbol names instead of a tuple of attr names
- Do some sort of validation on the regex. I'm not sure if the python re
engine will match the 389-ds one but we should be able to do some sanity
checks, like making sure the regex doesn't start with attr = ...
- The setting of entry_attrs now looks something like:

    entry_attrs[attr] = ['fqdn=' + condition ...

Since this will be generic it will need to look like:

    entry_attrs[attr] = ['%s=' % self.api.Object[type].primary_key.name +
                         condition ...

- tests will need to be updated. I think that using the newer test
format such as in test_user_plugin.py is easier to create and manage in
the long run and covers more ground than the older method.
rob
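
A sketch of the regex sanity check and the generic "<key>=<regex>" condition value described in the message above, as an added example that is not part of the original mail or of the FreeIPA code. The function names and sample regexes are assumptions, and Python's re is only a stand-in for the 389-ds regex engine, so a pattern that compiles here can still behave differently on the server.

```python
import re

# Heuristic for a leading "attr=" prefix such as "fqdn=" or "uid =".
# The plugin prepends the key itself, so a user-supplied prefix would
# end up stored as "fqdn=fqdn=...".
_ATTR_PREFIX = re.compile(r"^\s*[A-Za-z][A-Za-z0-9-]*\s*=")


def check_condition(regex):
    """Return None if the regex passes the sanity checks, else a reason."""
    if not regex or not regex.strip():
        return "empty regex"
    if _ATTR_PREFIX.match(regex):
        return "regex must not start with 'attr='"
    try:
        # Catches syntax errors only; 389-ds may still differ in dialect.
        re.compile(regex)
    except re.error as e:
        return "does not compile: %s" % e
    return None


def build_conditions(key_name, regexes):
    """Validate every regex, then return the values to store.

    key_name stands for self.api.Object[type].primary_key.name in the
    plugin; here it is passed in so the example runs without ipalib.
    """
    problems = {}
    for regex in regexes:
        reason = check_condition(regex)
        if reason:
            problems[regex] = reason
    if problems:
        # Reject the whole request so no partial rule is written.
        raise ValueError(problems)
    return ["%s=%s" % (key_name, regex) for regex in regexes]


if __name__ == "__main__":
    # Constructed sample conditions.
    print(build_conditions("fqdn", [r"^web\d+\.example\.com$"]))
    print(check_condition("fqdn=^web"))
    print(check_condition("web[0-9"))
```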