Hi everyone,

We're trying to adjust FreeIPA to our environment... quite a bit. Here are some bullet points:

1. User home directory location is dependent on user primary group and its value should be autogenerated on user creation.
2. User administrator should be able to select user account type (its primary group) in some user-friendly way from pre-determined list of possible choices - without the need to remember GID number associated with each account type.
3. Passwords need to be generated automatically, so user administrator won't be required to invent them for every single user. It should appear on-screen after user account creation.
4. If username was not provided, it should also be generated using some pre-determined method. It also should be shown after creating new user.
5. Some user accounts have an expiration date and need to be renewed every year. User administrator should be able to extend user account validity with single mouse-click in Web UI (with additional click for confirmation prompt, probably).
6. Many user account attributes are not in use in our environment - they should be hidden in Web UI to avoid confusion (for example job title in search view).

And probably the most important thing: *all these things have to be done without modifying files installed from RPM package* - we are using ipa-server from CentOS 7 repositories and we don't want things to break on update.

Point 1 was an easy one - we used an additional script in ipalib/plugins and user_add.register_pre_callback to hook into the user account creation process. We also use this hook to assign gidNumber based on "User class" specified in the account creation form in Web UI (point 2). Unfortunately, I have trouble with point 4 - the uid attribute is specified in takes_params with default_from=lambda givenname, sn: givenname[0] + sn and when the hook gets called, the entry is already filled with this default value. How can I override this behavior? Is it at least possible to distinguish (in hook code) between a value generated using default_from and a value manually typed into the account creation form? (It seems that the default value is also checked for duplicates before calling the hook - this still needs to be overridden, as it will prevent our username generator from even getting called.)

For points 3, 5, 6 and to limit available choices in 2, we need to plug into Web UI. Samples at https://pvoborni.fedorapeople.org/plugins/ provided us with some basic info on how to write plugins. I've copied the pre-minified freeipa/user.js file and turned it into a plugin. However, I face some issues when I register my module under a different entity name instead of overriding user (I want to keep the original user module available) - reg.entity.register({type: 'new-user', spec: exp.entity_spec}); - I get "IPA Error 3004: MaxArgumentError: command 'user_find' takes at most 1 argument". It seems that the check if (that.entity !== that.managed_entity) in freeipa/search.js fails (condition is true), which causes the managed_entity_pkey_prefix function to return [""] instead of [] - object inspection shows both entity and managed_entity refer to the user entity, but probably these are two different JS objects (and that's why they are considered different). Am I doing something wrong or is it some bug?

Best regards
Mateusz Małek

Intelligent Information Systems Group
Department of Computer Science
AGH University of Science and Technology, Kraków, Poland
