On ti, 23 tammi 2018, Bryce Larson via FreeIPA-users wrote:
> I thought I should let everyone know what ended up happening with this.
> It turns out that the script is now run as the ipaapi user instead of
> as root (like it either used to or I thought it used to).  We changed
> permissions on some files that the script needed and now it works again.
Ok, good to know. The IPA framework never ran as root: it was part of the
Apache process tree, which ran as the 'httpd' user in the past. With 4.5
and later we implemented privilege separation where the framework runs
under the 'ipaapi' user and the rest of Apache has no access to its data,
while 'ipaapi' has no access to Apache's keytab (and neither does Apache
itself); gssproxy handles the magic.

You can read more details at https://vda.li/en/docs/freeipa-debug-privsep/


On Fri, Jan 12, 2018 at 08:51:38PM +0200, Alexander Bokovoy wrote:
On pe, 12 tammi 2018, Bryce Larson via FreeIPA-users wrote:
> We have a function that is supposed to be called in a plugin from a
> post_callback
>
> It's registered with:
>
> user.user_add.register_post_callback(useradd_postcallback)
>
> The plugin is at
> /usr/lib/python2.7/site-packages/ipaserver/plugins/csAccount.py
>
> It doesn't seem to be called at all; it used to.  I'm not sure if it
> was upgrading from 4.3 to 4.4, or from 4.4 to 4.5 that it stopped
> working, but I think it was the upgrade from 4.4 to 4.5.  I'm pretty
> sure the pre_callback is still working.
>
> Does anyone know why a post_callback would just stop working after upgrading?
It should be working. The current code to call post callbacks hasn't changed
for quite a few years.

ipaserver/plugins/baseldap.py:

class LDAPCreate:
    ....
    def execute(...):
        ....
        for callback in self.get_callbacks('post'):
            entry_attrs.dn = callback(
                self, ldap, entry_attrs.dn, entry_attrs, *keys, **options)


Looking at get_callbacks(), it is implemented this way (the code was
moved around in 2016, but it is basically the same as it was before):

    @classmethod
    def get_callbacks(cls, callback_type):
        """Yield callbacks of the given type"""
        # Use one shared callback registry, keyed on class, to avoid problems
        # with missing attributes being looked up in superclasses
        callbacks = _callback_registry.get(callback_type, {}).get(cls, [None])
        for callback in callbacks:
            if callback is None:
                try:
                    yield getattr(cls, '%s_callback' % callback_type)
                except AttributeError:
                    pass
            else:
                yield callback

where callback_type is either 'pre', 'post', or 'exc', so if
pre-callbacks are working, then post-callbacks should work as well
because they are called in the same way.

You can enable server-side debugging (add 'debug=True' to
/etc/ipa/default.conf or to /etc/ipa/server.conf; the latter affects
only the server, the former affects the CLI too).

I just tested this with RHEL 7.4 with the plugin below:

----------------------------------------------------------------------
from ipaserver.plugins import user
import logging

def my_post_callback(self, ldap, dn, entry_attrs, *keys, **options):
    # Logged at ERROR level so it shows up in httpd's error_log without debug=True
    logging.error("my_post_callback called with dn={}".format(dn))
    # A post callback must hand the (possibly modified) dn back to the framework
    return dn

user.user_add.register_post_callback(my_post_callback)
-----------------------------------------------------------------------

[root@rh72s ~]# ipa user-add my_foo_bar3
First name: Test
Last name: Bar3
------------------------
Added user "my_foo_bar3"
------------------------
 User login: my_foo_bar3
 First name: Test
 Last name: Bar3
 Full name: Test Bar3
 Display name: Test Bar3
 Initials: TB
 Home directory: /home/my_foo_bar3
 GECOS: Test Bar3
 Login shell: /bin/sh
 Principal name: my_foo_b...@t.ipa.cool
 Principal alias: my_foo_b...@t.ipa.cool
 Email address: my_foo_b...@t.ipa.cool
 UID: 129000016
 GID: 129000016
 Password: False
 Member of groups: ipausers
 Kerberos keys available: False

Here is what I've got in the httpd's error_log:

ERROR:root:my_post_callback called with dn=uid=my_foo_bar3,cn=users,cn=accounts,dc=t,dc=ipa,dc=cool
[Fri Jan 12 20:49:16.013460 2018] [:error] [pid 7404] ipa: INFO: [jsonserver_session] ad...@t.ipa.cool: user_add/1(u'my_foo_bar3', givenname=u'Test', sn=u'Bar3', version=u'2.228'): SUCCESS

--
/ Alexander Bokovoy
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
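The two things the thread turns on, that pre and post callbacks go through the same get_callbacks() dispatch, and that after the 4.5 privilege separation the plugin's file access happens as 'ipaapi', can both be exercised without an IPA server. The block below is an added example and is not code from ipaserver or from the csAccount.py plugin: it re-creates the registry shape from the quoted get_callbacks() excerpt in a stand-alone LDAPCreate model, and adds a small unreadable_paths() preflight that a post callback can use to report, in error_log, exactly which files the effective uid cannot open. register_callback(), execute(), the user_add class, REQUIRED_FILES and DEMO_DN are constructed stand-ins, not the project's own API.

```python
# Added example (not ipaserver code): stand-alone model of LDAPCreate callback
# dispatch, mirroring the get_callbacks() excerpt quoted in the thread, plus a
# preflight check that reports files the current uid ('ipaapi' on 4.5+) cannot
# read. register_callback(), execute(), user_add, REQUIRED_FILES and DEMO_DN
# are constructed stand-ins, not the project's own API.
import logging
import os
import tempfile

log = logging.getLogger(__name__)
_callback_registry = {}   # {callback_type: {cls: [callback, ...]}}
REQUIRED_FILES = ['/etc/csaccount/example-settings.conf']  # hypothetical path
CALLS = []                # trace of which callbacks ran (demo only)


class LDAPCreate(object):
    """Minimal stand-in for ipaserver.plugins.baseldap.LDAPCreate."""

    @classmethod
    def register_callback(cls, callback_type, callback):
        # The None placeholder keeps the class's own <type>_callback in its slot.
        _callback_registry.setdefault(callback_type, {}).setdefault(cls, [None]).append(callback)

    @classmethod
    def register_post_callback(cls, callback):
        cls.register_callback('post', callback)

    @classmethod
    def get_callbacks(cls, callback_type):
        """Yield callbacks of the given type (same logic as the quoted excerpt)."""
        callbacks = _callback_registry.get(callback_type, {}).get(cls, [None])
        for callback in callbacks:
            if callback is None:
                try:
                    yield getattr(cls, '%s_callback' % callback_type)
                except AttributeError:
                    pass
            else:
                yield callback

    def execute(self, dn, entry_attrs, *keys, **options):
        """'pre' then 'post' dispatch as in the execute() excerpt; the LDAP add
        itself is elided and ldap is passed as None."""
        for callback in self.get_callbacks('pre'):
            dn = callback(self, None, dn, entry_attrs, *keys, **options)
        # ... the real command adds the entry to LDAP here ...
        for callback in self.get_callbacks('post'):
            dn = callback(self, None, dn, entry_attrs, *keys, **options)
        return dn


def unreadable_paths(paths):
    """{path: reason} for each path the current effective uid cannot open for
    reading; with 4.5+ privilege separation that uid is 'ipaapi'."""
    problems = {}
    for path in paths:
        try:
            with open(path, 'rb'):
                pass
        except (IOError, OSError) as exc:
            problems[path] = '%s (euid=%d)' % (exc.strerror, os.geteuid())
    return problems


def trace_pre(self, ldap, dn, entry_attrs, *keys, **options):
    CALLS.append(('pre', dn))
    return dn


def checked_post(self, ldap, dn, entry_attrs, *keys, **options):
    # Surface a permissions problem in error_log instead of letting the
    # plugin's real work fail quietly under the 'ipaapi' user.
    for path, reason in unreadable_paths(REQUIRED_FILES).items():
        log.error('post callback cannot read %s: %s', path, reason)
    CALLS.append(('post', dn))
    return dn


class user_add(LDAPCreate):
    """Stand-in for the real user_add command (an LDAPCreate subclass)."""
    def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
        CALLS.append(('default_post', dn))
        return dn


user_add.register_callback('pre', trace_pre)
user_add.register_post_callback(checked_post)
DEMO_DN = 'uid=my_foo_bar3,cn=users,cn=accounts,dc=example,dc=test'  # constructed


def run_demo():
    """One add; returns [('pre', dn), ('default_post', dn), ('post', dn)]."""
    del CALLS[:]
    user_add().execute(DEMO_DN, {'uid': ['my_foo_bar3']}, 'my_foo_bar3')
    return list(CALLS)


def demo_preflight():
    """Constructed check: a readable temp file plus a missing path; only the
    missing one is reported."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b'ok')
    missing = os.path.join(tempfile.gettempdir(), 'csaccount-demo-missing.conf')
    try:
        return unreadable_paths([tmp.name, missing])
    finally:
        os.unlink(tmp.name)
```

run_demo() shows the ordering the excerpt implies: the None placeholder yields the class's own post_callback first, then the registered one, and the 'pre' chain is walked by the identical code path. If the trace shows the post callback running but the plugin still misbehaves, demo_preflight() is the shape of check to run as the user the framework actually executes as; the euid in the reason string makes it obvious when it is 'ipaapi' rather than root.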

