Re: [Freeipa-users] Add user -> custom script
On 09/19/2011 03:42 PM, Rob Crittenden wrote:
> Sigbjorn Lie wrote:
>> On Fri, September 16, 2011 23:18, Rob Crittenden wrote:
>>> Sigbjorn Lie wrote:
>>>> On 09/16/2011 10:29 AM, Alexander Bokovoy wrote:
>>>>> On Fri, 16 Sep 2011, Dmitri Pal wrote:
>>>>>> On 09/15/2011 04:14 PM, Sigbjorn Lie wrote:
>>>>>>> On 09/15/2011 09:59 PM, Dmitri Pal wrote:
>>>>>>>> On 09/15/2011 03:45 PM, Sigbjorn Lie wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> Is there a custom script hook for when a user account is added using either the cli, webui, or the winsync module?
>>>>>>>>>
>>>>>>>>> I have a custom script I run when creating a user account, and having this run automatically by IPA would make my life a lot easier.
>>>>>>>>
>>>>>>>> Can you describe what kind of operations you need to do?
>>>>>>>> Have you looked at the automembership plugin?
>>>>>>>
>>>>>>> I'm doing an SSH login on to a filer, creating a home folder ZFS dataset for the new user, setting quota and ACL on the newly created dataset, and adding files from a skeleton folder into the home folder.
>>>>>>
>>>>>> It might be a stupid question but... you seem to do all the operations described above on the filer. I am not quite clear what part of it, if any, needs to be run on the server side, I mean on the IPA. Or you actually want to be able to create an account on the server side and make it trapped and send the event to the filer and run a script there?
>>>>>>
>>>>>> We can't do it now. AFAIR there was a ticket about something like this in the deferred bucket... Could not find it... But I remember a discussion. We might need to file a ticket to track this but it sounds like something that will take a lot of time to accomplish.
>>>>>
>>>>> Attached untested patch is a proof of concept. If /etc/ipa/server.conf has the following setting:
>>>>>
>>>>> ipa_user_script=/path/to/script
>>>>>
>>>>> then during add/delete/modify of a user, it will be called with add/del/mod as first parameter and the user's dn as second. The result of the call is ignored but the return from the IPA server is blocked by the execution, so be quick in ipa_user_script!
>>>>
>>>> I got the patch installed OK, env variable set, and the script is being run when I do user modifications. Great! :) But the action (add/del/mod) and the dn are not being supplied as arguments.
>>>>
>>>> For testing's sake I've made a very simple script just to capture the env variables.
>>>>
>>>> Do you have any suggestion as to why the arguments are not getting supplied to the script?
>>>>
>>>> #!/bin/bash
>>>>
>>>> echo "a:$1 u:$2" >> /tmp/ipa_custom_$$
>>>> env >> /tmp/ipa_custom_$$
>>>
>>> The ipautil.run invocation should be:
>>>
>>>     ipautil.run([self.api.env.ipa_user_script, "add", dn])
>>>
>>> In other words, the whole thing needs to be in the list.
>>>
>>> Note that a cleaner way of adding this without having to modify ipa-provided files would be to write an extension plugin that does this (untested):
>>>
>>>     from ipalib.plugins.user import user_add
>>>
>>>     def script_post_add_callback(inst, ldap, dn, attrs_list, *keys, **options):
>>>         inst.log.info('User added')
>>>         if 'ipa_user_script' in inst.api.env:
>>>             try:
>>>                 ipautil.run([inst.api.env.ipa_user_script, "add", dn])
>>>             except:
>>>                 pass
>>>         return dn
>>>
>>>     user_add.register_post_callback(script_post_add_callback)
>>>
>>> Stick that into a file and drop it into the directory with the other plugins and restart Apache and that should do it.
>>>
>>> rob
>>
>> I reverted the patched user.py file back to the unpatched user.py file. I called the script you provided custom.py, and I've tried copying it to /usr/lib/python2.7/site-packages/ipalib/plugins and /usr/lib/python2.7/site-packages/ipaserver/plugins. Then I restarted httpd and tomcat6.
>>
>> Now the script is not called anymore. Should the script be put anywhere else? Anything I didn't do?
>
> It needs to be in ipalib/plugins.
>
> Add:
>
>     from ipapython import ipautil

Works perfectly! Thanks! :)

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
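Pulling the thread's pieces together as one complete extension plugin, with the corrections that surfaced above (the argv as a single list, the ipapython import, a file under ipalib/plugins on every master) and the three post callbacks that Alexander's patch hooks rather than only user_add. This is an added example written for this page, not code from the thread or from FreeIPA. The callback signatures, register_post_callback and the ipa_user_script setting follow what Rob and the patch show; everything else is an assumption: the function names, the optional ipa_user_script_timeout setting, subprocess in place of ipautil.run and the guarded ipalib import (both so the hook logic can be exercised outside a server). It also acts on Alexander's "be quick" warning and Simo's objection: the script, and anything it spawned, is killed after a bounded wait so a hung filer cannot hold the API response, and a non-zero exit is logged instead of swallowed, because the hook still runs as the apache user inside the request.

```python
# ipa_user_hook.py: added example for this page, not code from the thread or FreeIPA.
# Copy to ipalib/plugins on every master and restart httpd. The script path comes
# from the ipa_user_script setting in /etc/ipa/server.conf that Alexander's patch
# reads; ipa_user_script_timeout is an assumed extra setting.
import os
import signal
import subprocess
import tempfile
import threading

try:
    from ipalib.plugins.user import user_add, user_del, user_mod
except ImportError:          # not inside an IPA server (e.g. when unit-tested)
    user_add = user_del = user_mod = None

ACTIONS = ('add', 'mod', 'del')
DEFAULT_TIMEOUT = 5.0        # seconds; the API response waits for the hook


def hook_argv(script, action, dn):
    """argv as a list, never a shell string, so quotes or semicolons inside
    the dn can never turn into shell syntax."""
    if action not in ACTIONS:
        raise ValueError('unknown action %r' % (action,))
    return [script, action, str(dn)]


def _kill_group(proc):
    try:                     # kill the script and anything it spawned
        os.killpg(proc.pid, signal.SIGKILL)
    except OSError:
        pass


def run_hook(script, action, dn, timeout=DEFAULT_TIMEOUT, log=None):
    """Run the hook with a hard time limit. Returns the exit status (negative
    when killed, None when it could not start). Failures are logged, not
    raised into the IPA command, and not silently dropped."""
    argv = hook_argv(script, action, dn)
    try:
        with open(os.devnull, 'rb') as devnull:
            # setsid: own process group, so the timeout can kill children too
            proc = subprocess.Popen(argv, stdin=devnull, stdout=subprocess.PIPE,
                                    stderr=subprocess.PIPE, close_fds=True,
                                    preexec_fn=os.setsid)
            timer = threading.Timer(timeout, _kill_group, [proc])
            timer.start()
            try:
                _out, err = proc.communicate()
            finally:
                timer.cancel()
    except (OSError, ValueError) as exc:   # missing, not executable, ...
        if log is not None:
            log.error('ipa_user_script %s did not start: %s' % (script, exc))
        return None
    if proc.returncode != 0 and log is not None:
        log.error('ipa_user_script %s %s exited %d: %s' % (
            action, dn, proc.returncode, err.decode('utf-8', 'replace').strip()))
    return proc.returncode


def _dispatch(inst, action, dn):
    env = inst.api.env
    if 'ipa_user_script' in env:
        timeout = float(getattr(env, 'ipa_user_script_timeout', DEFAULT_TIMEOUT))
        run_hook(env.ipa_user_script, action, dn, timeout=timeout, log=inst.log)


# Callback shapes as in the thread: add/mod receive entry_attrs and must
# return dn; del receives no entry_attrs and returns True.
def _post_add(inst, ldap, dn, entry_attrs, *keys, **options):
    _dispatch(inst, 'add', dn)
    return dn

def _post_mod(inst, ldap, dn, entry_attrs, *keys, **options):
    _dispatch(inst, 'mod', dn)
    return dn

def _post_del(inst, ldap, dn, *keys, **options):
    _dispatch(inst, 'del', dn)
    return True

if user_add is not None:
    user_add.register_post_callback(_post_add)
    user_mod.register_post_callback(_post_mod)
    user_del.register_post_callback(_post_del)


def selftest():
    """run_hook against three constructed hook scripts: one that records its
    arguments, one that hangs, and one that does not exist."""
    dn = 'uid=siggi,cn=users,cn=accounts,dc=example,dc=com'
    tmp = tempfile.mkdtemp()
    ok, slow = os.path.join(tmp, 'ok.sh'), os.path.join(tmp, 'slow.sh')
    with open(ok, 'w') as fh:
        fh.write('#!/bin/sh\nprintf "%s\\n" "$1" "$2" > "$0.out"\n')
    with open(slow, 'w') as fh:
        fh.write('#!/bin/sh\nsleep 30\n')
    os.chmod(ok, 0o755)
    os.chmod(slow, 0o755)
    rc_ok = run_hook(ok, 'add', dn)
    with open(ok + '.out') as fh:
        seen = fh.read().split('\n')[:2]
    rc_slow = run_hook(slow, 'del', dn, timeout=0.5)
    rc_missing = run_hook(os.path.join(tmp, 'missing.sh'), 'mod', dn)
    return {'ok': rc_ok, 'seen': seen, 'slow': rc_slow, 'missing': rc_missing}
```

The self-test shows the three behaviours that matter: the recording script receives "add" and the dn as two separate argv entries, the hanging script is killed after half a second instead of holding the API response for thirty, and a missing script yields None rather than an exception inside user-add. preexec_fn=os.setsid is the Python 2.7-compatible way to get a process group to kill; on Python 3.2 or later start_new_session=True does the same without the preexec_fn caveats under threads.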
Re: [Freeipa-users] Add user -> custom script
Sigbjorn Lie wrote:
> On Fri, September 16, 2011 23:18, Rob Crittenden wrote:
>> [...]
>> Note that a cleaner way of adding this without having to modify ipa-provided files would be to write an extension plugin that does this (untested):
>>
>>     from ipalib.plugins.user import user_add
>>
>>     def script_post_add_callback(inst, ldap, dn, attrs_list, *keys, **options):
>>         inst.log.info('User added')
>>         if 'ipa_user_script' in inst.api.env:
>>             try:
>>                 ipautil.run([inst.api.env.ipa_user_script, "add", dn])
>>             except:
>>                 pass
>>         return dn
>>
>>     user_add.register_post_callback(script_post_add_callback)
>>
>> Stick that into a file and drop it into the directory with the other plugins and restart Apache and that should do it.
>>
>> rob
>
> I reverted the patched user.py file back to the unpatched user.py file. I called the script you provided custom.py, and I've tried copying it to /usr/lib/python2.7/site-packages/ipalib/plugins and /usr/lib/python2.7/site-packages/ipaserver/plugins. Then I restarted httpd and tomcat6.
>
> Now the script is not called anymore. Should the script be put anywhere else? Anything I didn't do?

It needs to be in ipalib/plugins.

Add:

    from ipapython import ipautil

rob
Re: [Freeipa-users] Add user -> custom script
On Fri, September 16, 2011 23:18, Rob Crittenden wrote:
> Sigbjorn Lie wrote:
>> On 09/16/2011 10:29 AM, Alexander Bokovoy wrote:
>>> [...]
>>> Attached untested patch is a proof of concept. If /etc/ipa/server.conf has the following setting:
>>>
>>> ipa_user_script=/path/to/script
>>>
>>> then during add/delete/modify of a user, it will be called with add/del/mod as first parameter and the user's dn as second. The result of the call is ignored but the return from the IPA server is blocked by the execution, so be quick in ipa_user_script!
>>
>> I got the patch installed OK, env variable set, and the script is being run when I do user modifications. Great! :) But the action (add/del/mod) and the dn are not being supplied as arguments.
>>
>> For testing's sake I've made a very simple script just to capture the env variables.
>>
>> Do you have any suggestion as to why the arguments are not getting supplied to the script?
>>
>> #!/bin/bash
>>
>> echo "a:$1 u:$2" >> /tmp/ipa_custom_$$
>> env >> /tmp/ipa_custom_$$
>
> The ipautil.run invocation should be:
>
>     ipautil.run([self.api.env.ipa_user_script, "add", dn])
>
> In other words, the whole thing needs to be in the list.
>
> Note that a cleaner way of adding this without having to modify ipa-provided files would be to write an extension plugin that does this (untested):
>
>     from ipalib.plugins.user import user_add
>
>     def script_post_add_callback(inst, ldap, dn, attrs_list, *keys, **options):
>         inst.log.info('User added')
>         if 'ipa_user_script' in inst.api.env:
>             try:
>                 ipautil.run([inst.api.env.ipa_user_script, "add", dn])
>             except:
>                 pass
>         return dn
>
>     user_add.register_post_callback(script_post_add_callback)
>
> Stick that into a file and drop it into the directory with the other plugins and restart Apache and that should do it.
>
> rob

I reverted the patched user.py file back to the unpatched user.py file. I called the script you provided custom.py, and I've tried copying it to /usr/lib/python2.7/site-packages/ipalib/plugins and /usr/lib/python2.7/site-packages/ipaserver/plugins. Then I restarted httpd and tomcat6.

Now the script is not called anymore. Should the script be put anywhere else? Anything I didn't do?
Re: [Freeipa-users] Add user -> custom script
On Fri, 16 Sep 2011, Rob Crittenden wrote: > >>Attached untested patch is a proof of concept. If /etc/ipa/server.conf > >>has following setting: > >> > >>ipa_user_script=/path/to/script > >> > >>then during add/delete/modify of an user, it will be called with > >>add/del/mod as first parameter and user's dn as second. Result of > >>the call is ignored but return from IPA server is blocked by the > >>execution so be quick in ipa_user_script! > >> > > > >I got the patch installed OK, env variable set, and the script is being > >run when do user modifications. Great! :) But the action (add/del/mod) > >and the dn is not being supplied as arguments. As I said, it is untested and I indeed made wrong arguments passing. > The ipautil.run invocation should be: > > ipautil.run([self.api.env.ipa_user_script,"add", dn]) Exactly. Fixed patch attached. > In other words, the whole thing needs to be in the list. > > Note that a cleaner way of adding this without having to modify > ipa-provided files would be to write an extension plugin that does > this (untested): > > from ipalib.plugins.user import user_add > > def script_post_add_callback(inst, ldap, dn, attrs_list, *keys, **options): > inst.log.info('User added') > if 'ipa_user_script' in inst.api.env: > try: > ipautil.run([inst.api.env.ipa_user_script,"add", dn]) > except: > pass > > return dn > > user_add.register_post_callback(script_post_add_callback) > > Stick that into a file and drop it into the directory with the other > plugins and restart Apache and that should do it. That would be even better as it is clearly separated from stock FreeIPA install. -- / Alexander Bokovoy diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index 92a026d..b8631e3 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -25,6 +25,7 @@ from ipalib.request import context from time import gmtime, strftime import copy from ipalib import _, ngettext +from ipapython import ipautil __doc__ = _(""" Users 
@@ -413,6 +414,12 @@ class user_add(LDAPCreate): entry_from_entry(entry_attrs, newentry) self.obj.get_password_attributes(ldap, dn, entry_attrs) +# If there is a ipa_user_script set in configuration, call it out +if 'ipa_user_script' in self.api.env: +try: +ipautil.run([self.api.env.ipa_user_script, "add", dn]) +except: +pass return dn api.register(user_add) @@ -424,6 +431,12 @@ class user_del(LDAPDelete): msg_summary = _('Deleted user "%(value)s"') def post_callback(self, ldap, dn, *keys, **options): +# If there is a ipa_user_script set in configuration, call it out +if 'ipa_user_script' in self.api.env: +try: +ipautil.run([self.api.env.ipa_user_script, "del", dn]) +except: +pass return True api.register(user_del) @@ -446,6 +459,12 @@ class user_mod(LDAPUpdate): convert_nsaccountlock(entry_attrs) self.obj._convert_manager(entry_attrs, **options) self.obj.get_password_attributes(ldap, dn, entry_attrs) +# If there is a ipa_user_script set in configuration, call it out +if 'ipa_user_script' in self.api.env: +try: +ipautil.run([self.api.env.ipa_user_script, "mod", dn]) +except: +pass return dn api.register(user_mod) ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
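Review bot: the bare "except: pass" in the user_add hunk, wrapped around ipautil.run([self.api.env.ipa_user_script, "add", dn]), discards every failure of the hook (script missing, not executable, exiting non-zero), so the user gets created and nobody learns that the filer side never happened; catch the exception by name and self.log.error() it, keeping the rest of the command's post-processing unaffected. Two things the same hunk should say in its comment: the run is synchronous, so as the cover mail states the API response waits for the script to exit, and the script path is read from this master's /etc/ipa/server.conf, which is not replicated, so every master needs the identical setting or user-add behaves differently depending on which server the client talked to.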
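Review bot: the user_del hunk runs the script from post_callback, i.e. after the entry is already gone, and passes only the dn; a script that looks that dn up to learn the uid, home directory or group memberships before tearing a home dataset down gets nothing back. Either pass what the script needs on the command line (the uid is the first RDN of the dn; anything else would have to be fetched in a pre_callback and carried over), or document that for "del" the dn is the only information the hook will ever have. The same bare except as in the user_add hunk applies here.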
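Review bot: the user_mod hunk is the third verbatim copy of the same six lines (the add and del hunks carry the other two); move the "if 'ipa_user_script' in self.api.env: ... ipautil.run(...)" block into one helper on the user object that takes the action string, so the exception handling and the argument list get fixed in one place. For mod in particular the hook fires on every user-mod call regardless of which attribute changed, and this callback already has entry_attrs in hand, so it is the one place to pass something (for instance the names of the changed attributes) that lets the script skip a full re-provisioning on a phone-number update.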
Re: [Freeipa-users] Add user -> custom script
Sigbjorn Lie wrote:
> On 09/16/2011 10:29 AM, Alexander Bokovoy wrote:
>> [...]
>> Attached untested patch is a proof of concept. If /etc/ipa/server.conf has the following setting:
>>
>> ipa_user_script=/path/to/script
>>
>> then during add/delete/modify of a user, it will be called with add/del/mod as first parameter and the user's dn as second. The result of the call is ignored but the return from the IPA server is blocked by the execution, so be quick in ipa_user_script!
>
> I got the patch installed OK, env variable set, and the script is being run when I do user modifications. Great! :) But the action (add/del/mod) and the dn are not being supplied as arguments.
>
> For testing's sake I've made a very simple script just to capture the env variables.
>
> Do you have any suggestion as to why the arguments are not getting supplied to the script?
>
> #!/bin/bash
>
> echo "a:$1 u:$2" >> /tmp/ipa_custom_$$
> env >> /tmp/ipa_custom_$$

The ipautil.run invocation should be:

    ipautil.run([self.api.env.ipa_user_script, "add", dn])

In other words, the whole thing needs to be in the list.

Note that a cleaner way of adding this without having to modify ipa-provided files would be to write an extension plugin that does this (untested):

    from ipalib.plugins.user import user_add

    def script_post_add_callback(inst, ldap, dn, attrs_list, *keys, **options):
        inst.log.info('User added')
        if 'ipa_user_script' in inst.api.env:
            try:
                ipautil.run([inst.api.env.ipa_user_script, "add", dn])
            except:
                pass
        return dn

    user_add.register_post_callback(script_post_add_callback)

Stick that into a file and drop it into the directory with the other plugins and restart Apache and that should do it.

rob
Re: [Freeipa-users] Add user -> custom script
On 09/16/2011 10:29 AM, Alexander Bokovoy wrote:
> On Fri, 16 Sep 2011, Dmitri Pal wrote:
>> [...]
>> We can't do it now. AFAIR there was a ticket about something like this in the deferred bucket... Could not find it... But I remember a discussion. We might need to file a ticket to track this but it sounds like something that will take a lot of time to accomplish.
>
> Attached untested patch is a proof of concept. If /etc/ipa/server.conf has the following setting:
>
> ipa_user_script=/path/to/script
>
> then during add/delete/modify of a user, it will be called with add/del/mod as first parameter and the user's dn as second. The result of the call is ignored but the return from the IPA server is blocked by the execution, so be quick in ipa_user_script!

I got the patch installed OK, env variable set, and the script is being run when I do user modifications. Great! :) But the action (add/del/mod) and the dn are not being supplied as arguments.

For testing's sake I've made a very simple script just to capture the env variables.

Do you have any suggestion as to why the arguments are not getting supplied to the script?

    #!/bin/bash

    echo "a:$1 u:$2" >> /tmp/ipa_custom_$$
    env >> /tmp/ipa_custom_$$
Re: [Freeipa-users] Add user -> custom script
On 09/16/2011 05:59 PM, Dmitri Pal wrote:
> On 09/16/2011 11:34 AM, Sigbjorn Lie wrote:
>> On 09/16/2011 07:35 AM, Dmitri Pal wrote:
>>> On 09/15/2011 04:14 PM, Sigbjorn Lie wrote:
>>>> [...]
>>>> I'm doing an SSH login on to a filer, creating a home folder ZFS dataset for the new user, setting quota and ACL on the newly created dataset, and adding files from a skeleton folder into the home folder.
>>>
>>> It might be a stupid question but... you seem to do all the operations described above on the filer. I am not quite clear what part of it, if any, needs to be run on the server side, I mean on the IPA. Or you actually want to be able to create an account on the server side and make it trapped and send the event to the filer and run a script there?
>>>
>>> We can't do it now. AFAIR there was a ticket about something like this in the deferred bucket... Could not find it... But I remember a discussion. We might need to file a ticket to track this but it sounds like something that will take a lot of time to accomplish.
>>
>> The filer gets its user account data from the IPA server. The commands I'm running on the filer are to create a personal dataset (filesystem) for the newly created user account, as well as setting the correct ACL for the filesystem. The filer is a ZFS based filer, and the command being used is "zfs create ...". There is no remote API for this command.
>>
>> However I feel like you have misinterpreted the request. It does not matter to IPA what I'm trying to accomplish with my script. I require a script to be run after a user account has been created (or deleted, or perhaps deleted).
>>
>> There are plenty of environments where custom scripts are required to run after a new user account is created. In a typical Microsoft AD environment this is often accomplished with additional expensive-to-buy-and-complicated-to-set-up Identity Management suites, so after a user account is created, additional accounts are created in systems such as SAP, an Incident Management tool, or any other company specific databases or applications.
>>
>> In the UNIX/Linux environments I've seen, any post-user-creation tasks are accomplished with a script, run by the user management tool after the account has been created.
>>
>> Hence my request for the option to run a post-user-creation script. :)
>>
>> Regards,
>> Siggi
>
> What we need to do is to have a way from the DS plugin to send notification messages about record operations and then let services subscribe to and consume the notifications and do whatever they need in an async way. It might make sense to have an optional QPID broker for that. I will talk to the qpid guys.

Sounds even better! Much more secure! Thanks! :)
Re: [Freeipa-users] Add user -> custom script
On 09/16/2011 05:43 PM, Alexander Bokovoy wrote:
> On Fri, 16 Sep 2011, Sigbjorn Lie wrote:
>>>> We can't do it now. AFAIR there was a ticket about something like this in the deferred bucket... Could not find it... But I remember a discussion. We might need to file a ticket to track this but it sounds like something that will take a lot of time to accomplish.
>>>
>>> Attached untested patch is a proof of concept. If /etc/ipa/server.conf has the following setting:
>>>
>>> ipa_user_script=/path/to/script
>>>
>>> then during add/delete/modify of a user, it will be called with add/del/mod as first parameter and the user's dn as second. The result of the call is ignored but the return from the IPA server is blocked by the execution, so be quick in ipa_user_script!
>>
>> Excellent, thank you! I will try this!!
>
> Make sure you read what Simo wrote about the deficiencies of this solution, in particular that it runs under apache privileges. As you need to trigger an action on a different host, it might be enough, but it still poses a possible privilege escalation in your environment.

I sure do agree to that. :)
Re: [Freeipa-users] Add user -> custom script
On 09/16/2011 11:34 AM, Sigbjorn Lie wrote:
> On 09/16/2011 07:35 AM, Dmitri Pal wrote:
>> [...]
>> It might be a stupid question but... you seem to do all the operations described above on the filer. I am not quite clear what part of it, if any, needs to be run on the server side, I mean on the IPA. Or you actually want to be able to create an account on the server side and make it trapped and send the event to the filer and run a script there?
>>
>> We can't do it now. AFAIR there was a ticket about something like this in the deferred bucket... Could not find it... But I remember a discussion. We might need to file a ticket to track this but it sounds like something that will take a lot of time to accomplish.
>
> The filer gets its user account data from the IPA server. The commands I'm running on the filer are to create a personal dataset (filesystem) for the newly created user account, as well as setting the correct ACL for the filesystem. The filer is a ZFS based filer, and the command being used is "zfs create ...". There is no remote API for this command.
>
> However I feel like you have misinterpreted the request. It does not matter to IPA what I'm trying to accomplish with my script. I require a script to be run after a user account has been created (or deleted, or perhaps deleted).
>
> There are plenty of environments where custom scripts are required to run after a new user account is created. In a typical Microsoft AD environment this is often accomplished with additional expensive-to-buy-and-complicated-to-set-up Identity Management suites, so after a user account is created, additional accounts are created in systems such as SAP, an Incident Management tool, or any other company specific databases or applications.
>
> In the UNIX/Linux environments I've seen, any post-user-creation tasks are accomplished with a script, run by the user management tool after the account has been created.
>
> Hence my request for the option to run a post-user-creation script. :)
>
> Regards,
> Siggi

What we need to do is to have a way from the DS plugin to send notification messages about record operations and then let services subscribe to and consume the notifications and do whatever they need in an async way. It might make sense to have an optional QPID broker for that. I will talk to the qpid guys.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Add user -> custom script
On 09/16/2011 02:45 PM, Rob Crittenden wrote:
> Alexander Bokovoy wrote:
>> On Fri, 16 Sep 2011, Simo Sorce wrote:
>>> As a proof of concept it sounds nice, but as is this would be bad, as changes to /etc/ipa/server.conf are not replicated through all masters. So a change on one server would require manual synchronization to all others, or users created from one server will trigger something while users created through another will trigger something else.
>>>
>>> Also the issue is that this script is run as the apache user, so you'd have to give that user access as root (passwordless private ssh key? brrr).
>>>
>>> For things like this I think we should provide a more sophisticated mechanism in many ways, maybe we should discuss on freeipa-devel
>>
>> Sure. I only wanted to show how large the amount of work to hook something in is. You can treat my POC as a means to provoke discussion. :)
>
> Well, ideally we'd integrate this into the baseclasses so any plugin could use it. I'd probably either read the script name out of LDAP or we would require a plugin extension to do it. LDAP is probably lower-hanging fruit.
>
> At one point Nalin suggested using oddjob to do the privilege escalation but I never really followed up.

Having the variable for what script to run in the LDAP would sure be nice. Just modify Alex's script to read from LDAP instead. Job done. :)

Rgds,
Siggi
Re: [Freeipa-users] Add user -> custom script
On 09/16/2011 01:53 PM, Simo Sorce wrote:
> On Fri, 2011-09-16 at 11:29 +0300, Alexander Bokovoy wrote:
>> On Fri, 16 Sep 2011, Dmitri Pal wrote:
>>> [...]
>>> We can't do it now. AFAIR there was a ticket about something like this in the deferred bucket... Could not find it... But I remember a discussion. We might need to file a ticket to track this but it sounds like something that will take a lot of time to accomplish.
>>
>> Attached untested patch is a proof of concept. If /etc/ipa/server.conf has the following setting:
>>
>> ipa_user_script=/path/to/script
>>
>> then during add/delete/modify of a user, it will be called with add/del/mod as first parameter and the user's dn as second. The result of the call is ignored but the return from the IPA server is blocked by the execution, so be quick in ipa_user_script!
>
> As a proof of concept it sounds nice, but as is this would be bad, as changes to /etc/ipa/server.conf are not replicated through all masters. So a change on one server would require manual synchronization to all others, or users created from one server will trigger something while users created through another will trigger something else.
>
> Also the issue is that this script is run as the apache user, so you'd have to give that user access as root (passwordless private ssh key? brrr).
>
> For things like this I think we should provide a more sophisticated mechanism in many ways, maybe we should discuss on freeipa-devel

I manage my environment with CFengine, so distributing a few patches and files does not bother me. :)

Actually, in my specific case the script does not have to do more than write the username(s) to a file, and CFengine can pick up the file and do the rest of the job for me. No root access required for the apache server. :)

Rgds,
Siggi
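Siggi's last point is the safe shape for this hook: the script IPA runs as the apache user writes nothing but a record, and a privileged job on the right host (CFengine in his case, a root cron job elsewhere) does the zfs work, so no SSH key or root access ever sits in the web server's identity, and the part that blocks the API response takes milliseconds. The two halves below are an added example written for this page, not the thread's or FreeIPA's own code. spool_event is the script to point ipa_user_script at (it gets "add|mod|del" and the dn, as the patch passes them), drain_spool is what the privileged job calls. The spool path and its permissions, the JSON record, the tank/home/<uid> dataset layout and the login-name syntax the consumer accepts are all assumptions for the example. The check that matters is that the uid taken out of the dn is validated before it is used to build a dataset name, because whoever can add a user chooses the text that ends up on the filer's command line.

```python
# ipa_user_spool.py: added example for this page, not code from the thread or
# FreeIPA. Two halves of Siggi's hand-off: the hook only spools a record as the
# apache user; a privileged consumer validates it and builds the zfs commands.
import json
import os
import re
import sys
import tempfile
import time

SPOOLDIR = '/var/spool/ipa-user-events'   # assumed: owner root:apache, mode 0730
ACTIONS = ('add', 'mod', 'del')
# What the privileged side accepts as a login name. Anything else ('..', '/',
# shell metacharacters, uppercase) is rejected before it can reach a dataset
# name or a path. Assumed policy; tighten or loosen to match your uid rules.
UID_RE = re.compile(r'^[a-z_][a-z0-9_-]{0,31}$')


def uid_from_dn(dn):
    """uid from the first RDN of an IPA user dn. Deliberately strict: the RDN
    must be uid=<value> with no escaping, which is what IPA produces."""
    rdn = dn.split(',', 1)[0]
    attr, sep, value = rdn.partition('=')
    if sep != '=' or attr.strip().lower() != 'uid' or not value.strip():
        raise ValueError('not a user dn: %r' % (dn,))
    return value.strip()


def spool_event(spooldir, action, dn):
    """Hook side. Writes one JSON record atomically (temp file + rename) so the
    consumer never sees a half-written file. Returns the record's path."""
    if action not in ACTIONS:
        raise ValueError('unknown action %r' % (action,))
    record = {'ts': time.time(), 'action': action, 'dn': dn}
    fd, tmp = tempfile.mkstemp(dir=spooldir, prefix='.tmp-')
    with os.fdopen(fd, 'w') as fh:
        json.dump(record, fh)
    final = os.path.join(spooldir, 'ev-' + os.path.basename(tmp)[5:] + '.json')
    os.rename(tmp, final)          # atomic on POSIX within one filesystem
    return final


def plan_for(action, uid, pool='tank/home'):
    """Consumer side: argv lists to run on the filer for one event. Lists,
    never shell strings, and uid has already passed UID_RE."""
    dataset = '%s/%s' % (pool, uid)
    if action == 'add':
        return [['zfs', 'create', dataset], ['zfs', 'set', 'quota=10G', dataset]]
    if action == 'del':
        return [['zfs', 'destroy', dataset]]
    return []                       # 'mod': nothing to do on the filer


def drain_spool(spooldir, handler=plan_for):
    """Consumer side (runs privileged). Validates every record before handing
    it on; bad records are reported, never acted on. Returns (accepted, rejected)."""
    accepted, rejected = [], []
    for name in sorted(os.listdir(spooldir)):
        if not name.startswith('ev-'):
            continue                # '.tmp-*' is a writer still in progress
        path = os.path.join(spooldir, name)
        try:
            with open(path) as fh:
                rec = json.load(fh)
            action, uid = rec['action'], uid_from_dn(rec['dn'])
            if action not in ACTIONS or not UID_RE.match(uid):
                raise ValueError('rejected %s %r' % (action, uid))
        except (ValueError, KeyError, TypeError, AttributeError) as exc:
            rejected.append((name, str(exc)))
        else:
            accepted.append((action, uid, handler(action, uid)))
        os.unlink(path)
    return accepted, rejected


def selftest():
    """Constructed events, two of them hostile, through both halves."""
    spooldir = tempfile.mkdtemp()
    spool_event(spooldir, 'add', 'uid=siggi,cn=users,cn=accounts,dc=example,dc=com')
    spool_event(spooldir, 'mod', 'uid=bob,cn=users,cn=accounts,dc=example,dc=com')
    spool_event(spooldir, 'del', 'uid=../../etc,cn=users,cn=accounts,dc=example,dc=com')
    spool_event(spooldir, 'add', 'cn=admins,cn=groups,cn=accounts,dc=example,dc=com')
    result = drain_spool(spooldir)
    os.rmdir(spooldir)
    return result


if __name__ == '__main__':
    # Invoked by IPA as: ipa_user_script <add|mod|del> <dn>
    spool_event(SPOOLDIR, sys.argv[1], sys.argv[2])
```

In the self-test the "uid=../../etc" record and the group dn are both rejected by the consumer, not by the hook: the hook deliberately stays dumb and fast, and all policy lives on the side that has root. Nothing here is executed; plan_for returns the argv lists so a caller can log them, dry-run them or pass them to subprocess with the same no-shell discipline.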
Re: [Freeipa-users] Add user -> custom script
On Fri, 16 Sep 2011, Sigbjorn Lie wrote:
> > > We can't do it now. AFAIR there was a ticket about something like this
> > > in the deferred bucket... Could not find it... But I remember a discussion.
> > > We might need to file a ticket to track this but it sounds like something
> > > that will take a lot of time to accomplish.
> > The attached untested patch is a proof of concept. If /etc/ipa/server.conf
> > has the following setting:
> >
> > ipa_user_script=/path/to/script
> >
> > then during add/delete/modify of a user, it will be called with
> > add/del/mod as first parameter and user's dn as second. Result of
> > the call is ignored but return from IPA server is blocked by the
> > execution so be quick in ipa_user_script!
>
> Excellent, thank you! I will try this!!
Make sure you read what Simo wrote about the deficiencies of this solution, in particular that it runs under apache privileges. As you need to trigger an action on a different host, it might be enough, but it still poses a possible privilege escalation in your environment.
-- 
/ Alexander Bokovoy
Re: [Freeipa-users] Add user -> custom script
On 09/16/2011 10:29 AM, Alexander Bokovoy wrote:
> On Fri, 16 Sep 2011, Dmitri Pal wrote:
> > On 09/15/2011 04:14 PM, Sigbjorn Lie wrote:
> > > On 09/15/2011 09:59 PM, Dmitri Pal wrote:
> > > > On 09/15/2011 03:45 PM, Sigbjorn Lie wrote:
> > > > > Hi,
> > > > >
> > > > > Is there a custom script hook for when a user account is added using either the cli, webui, or the winsync module?
> > > > >
> > > > > I have a custom script I run when creating a user account, and having this run automatically by IPA would make my life a lot easier.
> > > > >
> > > > Can you describe what kind of operations you need to do?
> > > > Have you looked at the automembership plugin?
> > > >
> > > I'm doing an SSH login onto a filer, creating a home folder ZFS dataset for the new user, setting quota and ACL on the newly created dataset, and adding files from a skeleton folder into the home folder.
> > >
> > It might be a stupid question but... you seem to do all the operations described above on the filer. I am not quite clear what part of it, if any, needs to be run on the server side, I mean on the IPA. Or you actually want to be able to create an account on the server side and make it trapped and send the event to the filer and run a script there?
> >
> > We can't do it now. AFAIR there was a ticket about something like this in the deferred bucket... Could not find it... But I remember a discussion. We might need to file a ticket to track this but it sounds like something that will take a lot of time to accomplish.
> The attached untested patch is a proof of concept. If /etc/ipa/server.conf has the following setting:
>
> ipa_user_script=/path/to/script
>
> then during add/delete/modify of a user, it will be called with add/del/mod as first parameter and user's dn as second. Result of the call is ignored but return from IPA server is blocked by the execution so be quick in ipa_user_script!

Excellent, thank you! I will try this!!
Re: [Freeipa-users] Add user -> custom script
On 09/16/2011 07:35 AM, Dmitri Pal wrote:
> On 09/15/2011 04:14 PM, Sigbjorn Lie wrote:
> > On 09/15/2011 09:59 PM, Dmitri Pal wrote:
> > > On 09/15/2011 03:45 PM, Sigbjorn Lie wrote:
> > > > Hi,
> > > >
> > > > Is there a custom script hook for when a user account is added using either the cli, webui, or the winsync module?
> > > >
> > > > I have a custom script I run when creating a user account, and having this run automatically by IPA would make my life a lot easier.
> > > >
> > > Can you describe what kind of operations you need to do?
> > > Have you looked at the automembership plugin?
> > >
> > I'm doing an SSH login onto a filer, creating a home folder ZFS dataset for the new user, setting quota and ACL on the newly created dataset, and adding files from a skeleton folder into the home folder.
> >
> It might be a stupid question but... you seem to do all the operations described above on the filer. I am not quite clear what part of it, if any, needs to be run on the server side, I mean on the IPA. Or you actually want to be able to create an account on the server side and make it trapped and send the event to the filer and run a script there?
>
> We can't do it now. AFAIR there was a ticket about something like this in the deferred bucket... Could not find it... But I remember a discussion. We might need to file a ticket to track this but it sounds like something that will take a lot of time to accomplish.

The filer gets its user account data from the IPA server. The commands I'm running on the filer are to create a personal dataset (filesystem) for the newly created user account, as well as setting the correct ACL for the filesystem. The filer is a ZFS based filer, and the command being used is "zfs create ...". There is no remote API for this command.

However, I feel like you have misinterpreted the request. It does not matter to IPA what I'm trying to accomplish with my script. I require a script to be run after a user account has been created (or deleted, or perhaps deleted).

There are plenty of environments where custom scripts are required to run after a new user account is created. In typical Microsoft AD environments this is often accomplished with additional expensive-to-buy-and-complicated-to-set-up Identity Management suites, so after a user account is created, additional accounts are created in systems such as SAP, an Incident Management tool, or any other company specific databases or applications. In the UNIX/Linux environments I've seen, any post-user-creation tasks are accomplished with a script, run by the user management tool after the account has been created. Hence my request for the option to run a post-user-creation script. :)

Regards,
Siggi
Re: [Freeipa-users] Add user -> custom script
Alexander Bokovoy wrote:
> On Fri, 16 Sep 2011, Simo Sorce wrote:
> > As a proof of concept sounds nice, but as is this would be bad, as changes to /etc/ipa/server.conf are not replicated through all masters.
> > So a change on one server would require manual synchronization to all others, or users created from one server will trigger something while users created through another will trigger something else.
> >
> > Also the issue is that this script is run as the apache user, so you'd have to give that user access as root (passwordless private ssh key? brrr).
> > For things like this I think we should provide a more sophisticated mechanism in many ways; maybe we should discuss on freeipa-devel.
> Sure. I only wanted to show how large the amount of work to hook something in is. You can treat my POC as a means to provoke discussion. :)

Well, ideally we'd integrate this into the baseclasses so any plugin could use it. I'd probably either read the script name out of LDAP or we would require a plugin extension to do it. LDAP is probably lower-hanging fruit.

At one point Nalin suggested using oddjob to do the privilege escalation but I never really followed up.

rob
Re: [Freeipa-users] Add user -> custom script
On Fri, 16 Sep 2011, Simo Sorce wrote:
> As a proof of concept sounds nice, but as is this would be bad, as
> changes to /etc/ipa/server.conf are not replicated through all masters.
> So a change on one server would require manual synchronization to all
> others, or users created from one server will trigger something while
> users created through another will trigger something else.
>
> Also the issue is that this script is run as the apache user, so you'd
> have to give that user access as root (passwordless private ssh key?
> brrr).
> For things like this I think we should provide a more sophisticated
> mechanism in many ways; maybe we should discuss on freeipa-devel.
Sure. I only wanted to show how large the amount of work to hook something in is. You can treat my POC as a means to provoke discussion. :)
-- 
/ Alexander Bokovoy
Re: [Freeipa-users] Add user -> custom script
On Fri, 2011-09-16 at 11:29 +0300, Alexander Bokovoy wrote: > On Fri, 16 Sep 2011, Dmitri Pal wrote: > > On 09/15/2011 04:14 PM, Sigbjorn Lie wrote: > > > On 09/15/2011 09:59 PM, Dmitri Pal wrote: > > >> On 09/15/2011 03:45 PM, Sigbjorn Lie wrote: > > >>> Hi, > > >>> > > >>> Is there a custom script hook for when a user account is added using > > >>> either the cli, webui, or the winsync module? > > >>> > > >>> I have a custom script I run when creating a user account, and having > > >>> this run automatically by IPA would make my life a lot easier. > > >>> > > >>> > > >> Can you describe what kind of operations you need to do? > > >> Have you looked at the automembership plugin? > > >> > > > > > > I'm doing a SSH login on to a filer, creating a home folder ZFS > > > dataset for the new user, setting quota and ACL on the newly created > > > dataset, and adding files from a skeleton folder into the home folder. > > > > > > > It might be a stupid question but... you seem to do all the operation > > described above on the filer. I am not quite clear what part of it, if > > any, needs to be run on the server side, I mean on the IPA. Or you > > actually want to be able to create an account on the server side and > > make it trapped and send the event to the filer and run a script there? > > > > We can't do it now. AFAIR there was a ticket about something like this > > in the deferred bucket... Could not find it... But I remember a discussion. > > We might need to file a ticket to track this but sound like something > > that will take a lot of time to accomplish. > Attached untested patch is a proof of concept. If /etc/ipa/server.conf > has following setting: > > ipa_user_script=/path/to/script > > then during add/delete/modify of an user, it will be called with > add/del/mod as first parameter and user's dn as second. Result of > the call is ignored but return from IPA server is blocked by the > execution so be quick in ipa_user_script! 
As a proof of concept sounds nice, but as is this would be bad, as changes to /etc/ipa/server.conf are not replicated through all masters. So a change on one server would require manual synchronization to all others, or users created from one server will trigger something while users created through another will trigger something else.

Also the issue is that this script is run as the apache user, so you'd have to give that user access as root (passwordless private ssh key? brrr).

For things like this I think we should provide a more sophisticated mechanism in many ways; maybe we should discuss on freeipa-devel.

Simo.
-- 
Simo Sorce * Red Hat, Inc * New York
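The two problems raised above, that the script runs as the web server user and that its path comes from a local, unreplicated config file, are the reasons a caller should not execute whatever `ipa_user_script` names without looking at it first. The block below is an added example of such a guarded invocation, written for this page; it is not part of the proof-of-concept patch or of FreeIPA, and the names `check_hook_stat`, `check_hook_path` and `run_hook`, the five-second timeout, the root-owned requirement and the logger name are assumptions made here. It keeps the PoC's contract (script, action, dn as three arguments) and replaces the silent failure with a bounded, logged one.

```python
"""Added example: guarded replacement for an unconditional
ipautil.run(script, [action, dn]) call. Not FreeIPA code; every name,
the timeout and the trust policy are hypothetical. Python 3."""
import logging
import os
import stat
import subprocess

log = logging.getLogger("ipa_user_hook")   # assumed logger name

ACTIONS = ("add", "del", "mod")             # the actions the PoC passes as argv[1]
HOOK_TIMEOUT = 5                            # seconds; the IPA request blocks meanwhile
TRUSTED_UID = 0                             # assumption: only a root-owned hook is trusted


def check_hook_stat(st_mode, st_uid, trusted_uid=TRUSTED_UID):
    """Decide from stat data whether a hook may be executed.

    Returns None when acceptable, otherwise a short reason. Kept free of
    filesystem access so the policy itself can be unit-tested."""
    if stat.S_ISLNK(st_mode):
        return "hook must not be a symlink"
    if not stat.S_ISREG(st_mode):
        return "hook is not a regular file"
    if st_uid != trusted_uid:
        return "hook must be owned by uid %d" % trusted_uid
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "hook must not be group- or world-writable"
    if not st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        return "hook is not executable"
    return None


def check_hook_path(path):
    """Apply check_hook_stat to a real path. lstat() is used deliberately so a
    symlink planted by the web server user is seen as one, not followed."""
    if not os.path.isabs(path):
        return "hook path must be absolute"
    try:
        st = os.lstat(path)
    except OSError as e:
        return "cannot stat hook: %s" % e
    return check_hook_stat(st.st_mode, st.st_uid)


def run_hook(path, action, dn, timeout=HOOK_TIMEOUT):
    """Run the hook with a bounded wait. Returns (ok, detail) and never raises,
    so the caller can log and continue instead of wrapping it in a bare except."""
    if action not in ACTIONS:
        return False, "unknown action %r" % (action,)
    reason = check_hook_path(path)
    if reason is not None:
        log.error("refusing to run user hook %s: %s", path, reason)
        return False, reason
    try:
        proc = subprocess.run(
            [path, action, str(dn)],          # str(): never hand the hook a DN object
            stdin=subprocess.DEVNULL,
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
            env={"PATH": "/usr/bin:/bin"},   # do not leak the web server's environment
            timeout=timeout,
            check=False,
        )
    except subprocess.TimeoutExpired:
        log.error("user hook %s timed out after %ss for %s %s", path, timeout, action, dn)
        return False, "timeout"
    except OSError as e:
        log.error("user hook %s could not be started: %s", path, e)
        return False, str(e)
    if proc.returncode != 0:
        log.error("user hook %s exited %d for %s %s: %s", path, proc.returncode,
                  action, dn, proc.stderr.decode(errors="replace").strip())
        return False, "exit status %d" % proc.returncode
    return True, "ok"
```

The ownership and mode checks do not remove the underlying objection (the hook still runs with the web server's privileges); they only stop that user, or anyone who can write where it can, from deciding what gets run. Moving the work into a separate privileged service, as suggested with oddjob later in the thread, is what actually separates the privileges.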
Re: [Freeipa-users] Add user -> custom script
On Fri, 16 Sep 2011, Dmitri Pal wrote: > On 09/15/2011 04:14 PM, Sigbjorn Lie wrote: > > On 09/15/2011 09:59 PM, Dmitri Pal wrote: > >> On 09/15/2011 03:45 PM, Sigbjorn Lie wrote: > >>> Hi, > >>> > >>> Is there a custom script hook for when a user account is added using > >>> either the cli, webui, or the winsync module? > >>> > >>> I have a custom script I run when creating a user account, and having > >>> this run automatically by IPA would make my life a lot easier. > >>> > >>> > >> Can you describe what kind of operations you need to do? > >> Have you looked at the automembership plugin? > >> > > > > I'm doing a SSH login on to a filer, creating a home folder ZFS > > dataset for the new user, setting quota and ACL on the newly created > > dataset, and adding files from a skeleton folder into the home folder. > > > > It might be a stupid question but... you seem to do all the operation > described above on the filer. I am not quite clear what part of it, if > any, needs to be run on the server side, I mean on the IPA. Or you > actually want to be able to create an account on the server side and > make it trapped and send the event to the filer and run a script there? > > We can't do it now. AFAIR there was a ticket about something like this > in the deferred bucket... Could not find it... But I remember a discussion. > We might need to file a ticket to track this but sound like something > that will take a lot of time to accomplish. Attached untested patch is a proof of concept. If /etc/ipa/server.conf has following setting: ipa_user_script=/path/to/script then during add/delete/modify of an user, it will be called with add/del/mod as first parameter and user's dn as second. Result of the call is ignored but return from IPA server is blocked by the execution so be quick in ipa_user_script! -- / Alexander Bokovoy diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index 92a026d..b8631e3 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py 
@@ -25,6 +25,7 @@ from ipalib.request import context from time import gmtime, strftime import copy from ipalib import _, ngettext +from ipapython import ipautil __doc__ = _(""" Users @@ -413,6 +414,12 @@ class user_add(LDAPCreate): entry_from_entry(entry_attrs, newentry) self.obj.get_password_attributes(ldap, dn, entry_attrs) +# If there is a ipa_user_script set in configuration, call it out +if 'ipa_user_script' in self.api.env: +try: +ipautil.run(self.api.env.ipa_user_script,["add", dn]) +except: +pass return dn api.register(user_add) @@ -424,6 +431,12 @@ class user_del(LDAPDelete): msg_summary = _('Deleted user "%(value)s"') def post_callback(self, ldap, dn, *keys, **options): +# If there is a ipa_user_script set in configuration, call it out +if 'ipa_user_script' in self.api.env: +try: +ipautil.run(self.api.env.ipa_user_script,["del", dn]) +except: +pass return True api.register(user_del) @@ -446,6 +459,12 @@ class user_mod(LDAPUpdate): convert_nsaccountlock(entry_attrs) self.obj._convert_manager(entry_attrs, **options) self.obj.get_password_attributes(ldap, dn, entry_attrs) +# If there is a ipa_user_script set in configuration, call it out +if 'ipa_user_script' in self.api.env: +try: +ipautil.run(self.api.env.ipa_user_script,["mod", dn]) +except: +pass return dn api.register(user_mod) ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
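Review bot: in the user_add hunk, the bare `except: pass` around `ipautil.run(self.api.env.ipa_user_script,["add", dn])` swallows every exception, a missing or non-executable script, a non-zero exit and even SystemExit alike, so a hook that never runs leaves no trace on the server. Catch `Exception` only and log the error together with the script path and dn. Nothing in the hunk checks the configured path before executing it either, so a value of `ipa_user_script` that the web server user can write to is run as that user with no questions asked; the path should be required to be absolute and owned by a trusted user, and the new `ipa_user_script` option should be documented next to the other server.conf settings, since the patch adds it silently. Also note that the call is synchronous with no timeout: the add request does not return until the child exits, which the cover text only hints at with "be quick".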
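Review bot: in the user_del hunk the hook runs from post_callback, after the entry has already been removed, and the identical `except: pass` means a failed `del` notification is lost with nothing left in LDAP to reconcile against; for a hook whose purpose is to drive cleanup on another host, at minimum log the failure with the dn, and consider whether the event should be recorded durably before the child is spawned rather than handed to a process whose result is discarded.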
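Review bot: the user_mod hunk is the third verbatim copy of the `if 'ipa_user_script' in self.api.env: try: ipautil.run(...)` block; factor it into a single helper on the user object (for example a hypothetical `self.obj.run_user_script("mod", dn)`) so the three call sites cannot drift and a later fix to the error handling lands once. The hook also receives only `"mod"` and the dn, so it cannot tell which attributes changed; either pass the modified attribute names as further arguments or state in the option's documentation that the script must re-read the entry.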
Re: [Freeipa-users] Add user -> custom script
On 09/15/2011 04:14 PM, Sigbjorn Lie wrote:
> On 09/15/2011 09:59 PM, Dmitri Pal wrote:
>> On 09/15/2011 03:45 PM, Sigbjorn Lie wrote:
>>> Hi,
>>>
>>> Is there a custom script hook for when a user account is added using
>>> either the cli, webui, or the winsync module?
>>>
>>> I have a custom script I run when creating a user account, and having
>>> this run automatically by IPA would make my life a lot easier.
>>>
>>>
>> Can you describe what kind of operations you need to do?
>> Have you looked at the automembership plugin?
>>
>
> I'm doing an SSH login onto a filer, creating a home folder ZFS
> dataset for the new user, setting quota and ACL on the newly created
> dataset, and adding files from a skeleton folder into the home folder.
>
It might be a stupid question but... you seem to do all the operations described above on the filer. I am not quite clear what part of it, if any, needs to be run on the server side, I mean on the IPA. Or you actually want to be able to create an account on the server side and make it trapped and send the event to the filer and run a script there?

We can't do it now. AFAIR there was a ticket about something like this in the deferred bucket... Could not find it... But I remember a discussion. We might need to file a ticket to track this but it sounds like something that will take a lot of time to accomplish.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Add user -> custom script
On 09/15/2011 09:59 PM, Dmitri Pal wrote:
> On 09/15/2011 03:45 PM, Sigbjorn Lie wrote:
>> Hi,
>>
>> Is there a custom script hook for when a user account is added using
>> either the cli, webui, or the winsync module?
>>
>> I have a custom script I run when creating a user account, and having
>> this run automatically by IPA would make my life a lot easier.
>>
> Can you describe what kind of operations you need to do?
> Have you looked at the automembership plugin?
>

I'm doing an SSH login onto a filer, creating a home folder ZFS dataset for the new user, setting quota and ACL on the newly created dataset, and adding files from a skeleton folder into the home folder.
Re: [Freeipa-users] Add user -> custom script
On 09/15/2011 03:45 PM, Sigbjorn Lie wrote:
> Hi,
>
> Is there a custom script hook for when a user account is added using
> either the cli, webui, or the winsync module?
>
> I have a custom script I run when creating a user account, and having
> this run automatically by IPA would make my life a lot easier.
>
>
Can you describe what kind of operations you need to do?
Have you looked at the automembership plugin?

>
> Regards,
> Siggi
>

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
[Freeipa-users] Add user -> custom script
Hi,

Is there a custom script hook for when a user account is added using either the cli, webui, or the winsync module?

I have a custom script I run when creating a user account, and having this run automatically by IPA would make my life a lot easier.

Regards,
Siggi