On 09/16/2011 05:43 PM, Alexander Bokovoy wrote:
On Fri, 16 Sep 2011, Sigbjorn Lie wrote:
We can't do it now. AFAIR there was a ticket about something like this
in the deferred bucket... Could not find it... But I remember a discussion.
We might need to file a ticket to track this, but it sounds like something
that will take a lot of time to accomplish.
The attached untested patch is a proof of concept. If /etc/ipa/server.conf
has the following setting:


then during add/delete/modify of a user, it will be called with
add/del/mod as first parameter and user's dn as second. Result of
the call is ignored but return from IPA server is blocked by the
execution so be quick in ipa_user_script!
Excellent, thank you! I will try this!!
Make sure you read what Simo wrote about deficiencies of this solution
and in part that it runs under apache privileges. As you need to
trigger action on a different host, it might be enough but still poses
a possible privilege escalation in your environment.

I sure do agree to that.  :)
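
A hook that fits the constraints discussed in this thread (called with add/del/mod and the user's DN, blocking the IPA server's reply, running with apache's privileges), as an added example that is not part of the thread or of the attached patch: it only validates its two arguments and drops an event file into a spool directory, leaving the remote action to a separate worker. The spool path, the DN length bound and the function names are assumptions.

```python
"""Hypothetical ipa_user_script: validate, spool, exit. Not FreeIPA code."""
import json
import os
import sys
import tempfile

ALLOWED_OPS = {"add", "del", "mod"}     # first parameter, per the thread
MAX_DN_LEN = 1024                        # assumed bound, not from FreeIPA
SPOOL_DIR = "/var/spool/ipa-user-hook"   # assumed path, writable by apache only

def validate(argv):
    """Return (op, dn) or raise ValueError; the DN is never interpreted."""
    if len(argv) != 2:
        raise ValueError("expected exactly: <op> <dn>")
    op, dn = argv
    if op not in ALLOWED_OPS:
        raise ValueError("unknown operation")
    if not dn or len(dn) > MAX_DN_LEN:
        raise ValueError("DN length out of bounds")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in dn):
        raise ValueError("control character in DN")
    return op, dn

def spool_event(op, dn, spool_dir=SPOOL_DIR):
    """Write one event file atomically; a separate worker does the slow part."""
    record = json.dumps({"op": op, "dn": dn})
    fd, tmp = tempfile.mkstemp(dir=spool_dir, prefix=".tmp-")  # created 0600
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(record)
        # Strip the ".tmp-" prefix so the worker only ever sees complete files.
        final = os.path.join(spool_dir, os.path.basename(tmp)[5:] + ".json")
        os.rename(tmp, final)  # atomic within one filesystem
    except BaseException:
        os.unlink(tmp)
        raise
    return final

def main(argv):
    try:
        op, dn = validate(argv)
        spool_event(op, dn)
    except (ValueError, OSError) as exc:
        print("ipa_user_script: rejected: %s" % exc, file=sys.stderr)
        return 1
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

The worker that reads the spool can run under its own account with only the credentials needed for the remote host, so nothing beyond write access to the spool directory is granted to apache.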
