On 02/25/2015 09:53 AM, Petr Vobornik wrote:
On 02/25/2015 09:12 AM, Hugh wrote:
All,
We're running ipa-server-3.0.0-42/389-ds-base-1.2.11.15-48 on CentOS
6.5. We've set up synching between our IPA and AD and that seems to be
working. What we'd like to do now is allow admins when they're creating
users in IPA to be able to set those users up for synching to AD with
the web UI without having to drop to the command line or edit LDAP
directly. As you know, in order to synch from IPA->AD, you need to add
the ntuser objectclass and the ntUserDomainId and ntUserCreateNewAccount
attributes. However, those attributes/class are not in the web UI by
default and from what I can see, our version of ipa-server/DS does not
have support for web UI plugins. Is that true? Is there any way to be
able to set a user to be synched via the web UI?
Thanks,
Hugh
Hello Hugh,
it could be done in 3.0 by direct manipulation of
/usr/share/ipa/ui/user.js. Doing that is ugly and breaks on rpm
upgrades. IIUC, the goal would be to simulate the CLI (API) call:
$ ipa user-mod bbar --addattr='objectclass=ntuser' --setattr='ntUserDomainId=foo' --setattr='ntUserDomainId=True'
Adding ntUserDomainId and ntUserDomainId is easy - it's just one
declaration in the list of fields. But adding the objectclass isn't.
The current pattern is that the object classes (which are not added by
default) are added in ipalib backend plugin if attribute is present in
the mod list for the first time for the object.
I would discourage doing that in the Web UI. But in theory it can be done.
One has to add multivalued field named objectclass and then he can add
new ones and delete others. But this is bad UX. Better would be to add
the objectclass attr on demand on update but it requires direct
modification of update code which is more difficult (I don't know it
off the top of my head).
HTH
But let us step back and ask the question why do you need to create the
users you sync manually first?
The users in a specific OU will be synced anyways without you manually
creating them in IPA.
So it is unclear why the whole thing is actually needed.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
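
The pattern Petr describes in the quoted reply above (the backend adds the objectclass the first time a dependent attribute appears in the mod list), as an added plain-Python sketch that is not part of the thread and is not ipalib code. The function name and the dict representation of entries and mods are assumptions made for illustration.

```python
# Added sketch: plain-Python model of "add the objectclass on demand".
# Not ipalib code; entries and mods are ordinary dicts (an assumption).

# Attributes named in the thread that require the ntuser objectclass.
NTUSER_ATTRS = {"ntuserdomainid", "ntusercreatenewaccount"}
NTUSER_CLASS = "ntuser"


def add_ntuser_on_demand(entry, mods):
    """Return a copy of `mods` that also adds the ntuser objectclass when needed.

    entry: current attributes of the user, e.g. {"objectclass": [...], ...}
    mods:  attributes the caller wants to set, e.g. {"ntUserDomainId": ["foo"]}
    """
    # LDAP attribute names and objectclass values compare case-insensitively.
    touched = {name.lower() for name in mods}
    if not touched & NTUSER_ATTRS:
        return dict(mods)  # nothing related to Windows sync is being set

    current = next((v for k, v in entry.items() if k.lower() == "objectclass"), [])
    requested = next((v for k, v in mods.items() if k.lower() == "objectclass"), None)
    classes = list(requested if requested is not None else current)

    if NTUSER_CLASS in {c.lower() for c in classes}:
        return dict(mods)  # class already present: the update stays idempotent

    # Replace any caller-supplied objectclass list with one that includes ntuser.
    out = {k: v for k, v in mods.items() if k.lower() != "objectclass"}
    out["objectclass"] = classes + [NTUSER_CLASS]
    return out
```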