Mateusz Małek wrote:
Hi everyone,

We're trying to adjust FreeIPA to our environment... quite a bit. Here
are some bullet points:

1. User home directory location is dependent on user primary group and
its value should be autogenerated on user creation.
2. User administrator should be able to select user account type (its
primary group) in some user-friendly way from pre-determined list of
possible choices - without the need to remember GID number associated
with each account type.
3. Passwords need to be generated automatically, so user administrator
won't be required to invent them for every single user. It should appear
on-screen after user account creation.

The ability is there on the CLI (don't know if it is exposed in UI):

$ ipa user-add --first=random --last=user ruser --random
Added user "ruser"
  User login: ruser
  First name: random
  Random password: Gu8VpULbb9xv


4. If username was not provided, it should also be generated using some
pre-determined method. It also should be shown after creating new user.
5. Some user accounts have an expiration date and need to be renewed
every year. User administrator should be able to extend user account
validity with single mouse-click in Web UI (with additional click for
confirmation prompt, probably).
6. Many user account attributes are not in use in our environment - they
should be hidden in Web UI to avoid confusion (for example job title in
search view).

And probably the most important thing: *all these things have to be
done without modifying files installed from RPM package* - we are using
ipa-server from CentOS 7 repositories and we don't want things to break
on update.

Point 1 was an easy one - we used an additional script in ipalib/plugins and
user_add.register_pre_callback to hook into user account creation
process. We also use this hook to assign gidNumber based on "User class"
specified in account creation form in Web UI (point 2).
Unfortunately, I have trouble with point 4 - uid attribute is specified
in takes_params with default_from=lambda givenname, sn: givenname[0] +
sn and when hook gets called, entry is already filled with this default
value. How can I override this behavior? Is it at least possible to
distinguish (in hook code) between value generated using default_from
and value manually typed into account creation form? (It seems that
default value is also checked for duplicates before calling hook - this
still needs to be overridden, as it will prevent our usernames generator
from even getting called.)

For points 3, 5, 6 and to limit available choices in 2, we need to plug
into Web UI. Samples at
provided us with some basic info how to write plugins. I've copied
pre-minified freeipa/user.js file and turned it into a plugin.
However, I face some issues when I register my module under different
entity name instead of overriding user (I want to keep original user
module available) - reg.entity.register({type: 'new-user', spec:
exp.entity_spec}); - I get "IPA Error 3004: MaxArgumentError: command
'user_find' takes at most 1 argument".
It seems that check if (that.entity !== that.managed_entity) in
freeipa/search.js fails (condition is true), which causes
managed_entity_pkey_prefix function to return [""] instead of [] -
object inspection shows both entity and managed_entity refer to user
entity, but probably these are two different JS objects (and that's why
they are considered different). Am I doing something wrong or is it some

Best regards
Mateusz Małek

Intelligent Information Systems Group
Department of Computer Science
AGH University of Science and Technology, Kraków, Poland
