Alexander Bokovoy wrote:
On Fri, 16 Sep 2011, Simo Sorce wrote:
As a proof of concept it sounds nice, but as is this would be bad, as
changes to /etc/ipa/server.conf are not replicated through all masters.
So a change on one server would require manual synchronization to all
others, or users created from one server will trigger something while
users created through another will trigger something else.

Also the issue is that this script is run as the apache user so you'd
have to give that user access as root (passwordless private ssh key?).
For things like this I think we should provide a more sophisticated
mechanism in many ways, maybe we should discuss on freeipa-devel
Sure. I only wanted to show how large the amount of work is to hook
something in. You can treat my POC as a means to provoke discussion. :)

Well, ideally we'd integrate this into the baseclasses so any plugin could use it. I'd probably either read the script name out of LDAP or we would require a plugin extension to do it. LDAP is probably lower-hanging fruit.

At one point Nalin suggested using oddjob to do the privilege escalation but I never really followed up.