On 02/25/2015 09:53 AM, Petr Vobornik wrote:
On 02/25/2015 09:12 AM, Hugh wrote:
All,

We're running ipa-server-3.0.0-42/389-ds-base-1.2.11.15-48 on CentOS
6.5. We've set up synching between our IPA and AD and that seems to be
working. What we'd like to do now is allow admins when they're creating
users in IPA to be able to set those users up for synching to AD with
the web UI without having to drop to the command line or edit LDAP
directly. As you know, in order to synch from IPA->AD, you need to add
the ntuser objectclass and the ntUserDomainId and ntUserCreateNewAccount
attributes. However, those attributes/class are not in the web UI by
defauly and from what I can see, our version of ipa-server/DS does not
have support for web UI plugins. Is that true? Is there any way to be
able to set a user to be synched via the web UI?

Thanks,

Hugh


Hello Hugh,

it could be done in 3.0 by direct manipulation of /usr/share/ipa/ui/user.js Doing that is ugly and breaks on rpm upgrades. IIUC, the goal would be to simulate CLI (API)call:

$ ipa user-mod bbar --addattr='objectclass=ntuser' --setattr='ntUserDomainId=foo'--setattr='ntUserDomainId=True'

Adding ntUserDomainId and ntUserDomainId is easy - it's just one declaration in the list of fields. But adding the objectclass isn't,

Current pattern is that the object classes(which are not added by default) are added in ipalib backend plugin if attribute is present in the mod list for the first time for the object.

I would discourage to do that in Web UI. But in theory it can be done. One has to add multivalued field named objectclass and then he can add new ones and delete others. But this is bad UX. Better would be to add the objecclass attr on demand on update but it requires direct modification of update code which is more difficult (don't know it from top of my head).

HTH

But let us step back and ask the question why do you need to create the users you sync manually first? The users in a specific OU will be synced anyways without you manually creating them in IPA.
So this is unclear why the whole thing is actually needed.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to