On Fri, 16 Sep 2011, Sigbjorn Lie wrote:
> >>We can't do it now. AFAIR there was a ticket about something like this
> >>in the deferred bucket... Could not find it... But I remember a discussion.
> >>We might need to file a ticket to track this, but it sounds like something
> >>that will take a lot of time to accomplish.
> >The attached untested patch is a proof of concept. If /etc/ipa/server.conf
> >has the following setting:
> >then during add/delete/modify of a user, it will be called with
> >add/del/mod as the first parameter and the user's dn as the second. The result of
> >the call is ignored, but the return from the IPA server is blocked by the
> >execution, so be quick in ipa_user_script!
> Excellent, thank you! I will try this!!
Make sure you read what Simo wrote about the deficiencies of this solution,
in particular that it runs under Apache privileges. As you need to
trigger an action on a different host, it might be enough, but it still poses
a possible privilege escalation in your environment.
/ Alexander Bokovoy
Freeipa-users mailing list