On Fri, 2011-09-16 at 11:29 +0300, Alexander Bokovoy wrote:
> On Fri, 16 Sep 2011, Dmitri Pal wrote:
> > On 09/15/2011 04:14 PM, Sigbjorn Lie wrote:
> > > On 09/15/2011 09:59 PM, Dmitri Pal wrote:
> > >> On 09/15/2011 03:45 PM, Sigbjorn Lie wrote:
> > >>> Hi,
> > >>>
> > >>> Is there a custom script hook for when a user account is added using
> > >>> either the cli, webui, or the winsync module?
> > >>>
> > >>> I have a custom script I run when creating a user account, and having
> > >>> this run automatically by IPA would make my life a lot easier.
> > >>>
> > >>>
> > >> Can you describe what kind of operations you need to do?
> > >> Have you looked at the automembership plugin?
> > >>
> > >
> > > I'm doing an SSH login onto a filer, creating a home folder ZFS
> > > dataset for the new user, setting quota and ACL on the newly created
> > > dataset, and adding files from a skeleton folder into the home folder.
> > >
> > 
> > It might be a stupid question but... you seem to do all the operations
> > described above on the filer. I am not quite clear what part of it, if
> > any, needs to be run on the server side, I mean on the IPA. Or you
> > actually want to be able to create an account on the server side and
> > make it trapped and send the event to the filer and run a script there?
> > 
> > We can't do it now. AFAIR there was a ticket about something like this
> > in the deferred bucket... Could not find it... But I remember a discussion.
> > We might need to file a ticket to track this, but it sounds like something
> > that will take a lot of time to accomplish.
> Attached untested patch is a proof of concept. If /etc/ipa/server.conf 
> has the following setting:
> ipa_user_script=/path/to/script
> then during add/delete/modify of a user, it will be called with 
> add/del/mod as the first parameter and the user's dn as the second. The result of 
> the call is ignored, but the return from the IPA server is blocked by the 
> execution, so be quick in ipa_user_script!

As a proof of concept it sounds nice, but as is this would be bad, as
changes to /etc/ipa/server.conf are not replicated through all masters.
So a change on one server would require manual synchronization to all
others, or users created from one server will trigger something while
users created through another will trigger something else.

Also the issue is that this script is run as the apache user, so you'd
have to give that user access as root (passwordless private ssh key?).

For things like this I think we should provide a more sophisticated
mechanism in many ways; maybe we should discuss it on freeipa-devel.


Simo Sorce * Red Hat, Inc * New York
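As an added example (not code from this thread or from FreeIPA), here is a hook script of the shape the proof of concept above would call, with add/del/mod as the first argument and the user's DN as the second. It validates both arguments, stays fast because the IPA response is blocked while it runs, and only spools a job file for a separate privileged worker instead of holding root SSH credentials as the apache user; the spool path and the accepted DN pattern are assumptions.

```shell
#!/bin/sh
# Hypothetical hook for the proposed ipa_user_script setting.
# Called as: script {add|del|mod} <user-dn>
# Runs as the web server user, so it holds no root credentials: it only
# validates the event and writes a job for a privileged worker to pick up.

SPOOL_DIR="${SPOOL_DIR:-/var/spool/ipa-user-hook}"   # assumed location

# Accept only the three actions the proof of concept passes.
valid_action() {
    case "$1" in
        add|del|mod) return 0 ;;
        *) return 1 ;;
    esac
}

# Accept only a user entry under the IPA users container, with a
# conservative uid character set, before the DN reaches anything else.
valid_user_dn() {
    printf '%s\n' "$1" |
        grep -Eq '^uid=[A-Za-z0-9._-]+,cn=users,cn=accounts(,dc=[A-Za-z0-9-]+)+$'
}

# Record the event as a small job file, written to a temp name and then
# renamed so the worker never reads a half-written file.
# Returns non-zero (and writes nothing) on any invalid input.
enqueue_user_event() {
    action="$1"; dn="$2"
    valid_action "$action" || { echo "ipa-user-hook: rejected action" >&2; return 1; }
    valid_user_dn "$dn"    || { echo "ipa-user-hook: rejected dn" >&2; return 1; }
    mkdir -p "$SPOOL_DIR" || return 1
    tmp="$SPOOL_DIR/.job.$$"
    printf 'action=%s\ndn=%s\n' "$action" "$dn" > "$tmp" || return 1
    mv "$tmp" "$SPOOL_DIR/job.$(date +%s).$$"
}

# Only act when executed directly with the two expected arguments.
if [ $# -eq 2 ]; then
    enqueue_user_event "$1" "$2"
fi
```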

Freeipa-users mailing list
