On 09/16/2011 02:45 PM, Rob Crittenden wrote:
> Alexander Bokovoy wrote:
>> On Fri, 16 Sep 2011, Simo Sorce wrote:
>>> As a proof of concept sounds nice, but as is this would be bad, as
>>> changes to /etc/ipa/server.conf are not replicated through all masters.
>>> So a change on one server would require manual synchronization to all
>>> others, or users created from one server will trigger something while
>>> users created through another will trigger something else.
>>> Also the issue is that this script is run as the apache user, so you'd
>>> have to give that user access as root (passwordless private ssh key?).
>>> For things like this I think we should provide a more sophisticated
>>> mechanism in many ways; maybe we should discuss on freeipa-devel.
>> Sure. I only wanted to show how large the amount of work to hook
>> something in is. You can treat my POC as a means to provoke discussion. :)
> Well, ideally we'd integrate this into the baseclasses so any plugin
> could use it. I'd probably either read the script name out of LDAP or
> we would require a plugin extension to do it. LDAP is probably
> At one point Nalin suggested using oddjob to do the privilege
> escalation, but I never really followed up.
Having the variable for what script to run in the LDAP would sure be
nice. Just modify Alex's script to read from LDAP instead. Job done. :)
Freeipa-users mailing list