Simo Sorce wrote:
On Wed, 2013-02-13 at 16:12 +0100, Petr Viktorin wrote:
Our own post-callback assumes the user is already in LDAP, and who
knows what user-supplied callbacks will do. Keep in mind IPA is
plugable; at least for outside plugins' sake (if not our own sanity's)
we should keep the number of code paths to a minimum.


True which is why my proposal is to not use the standard user-add RPC
call, but have a separate one.

This separate call would only call the core business logic to create the
user account add operation, but none of the external plumbing.

Ideally we spit the framework flow like this:

Normal user -> Real user-add --- . . . . . . . . .  --- LDAP add
                                 \                  /
                                  -- common logic --
                                 /                  \
389ds plugin -> Mock user-add -- . . . . . . . . .  --- json reply


custom plugins should be called in the custom logic an operate on the
object before the ADD is attempted.

If  we do it this way then most of the code path will be in common which
is what we want, and only the mechanical operation of adding the actual
object to ldap will be different.

Simo.


There is one missing a few steps. A plugin execution looks like:

Normal user -> Real user-add --- pre-op call(s) --- execute (LPAP add record) --- post-op call(s) which may do additional add/modify

It is the postop calls that would be the problem. They assume that the entry has already been written (so, for example, it has a valid UID/GID/ipaUniqueId, etc).

rob

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to