Re: [Freeipa-devel] FreeIPA Auto Membership CLI

2011-06-02 Thread JR Aquino
On Jun 2, 2011, at 12:59 PM, Rob Crittenden wrote:

> Dmitri Pal wrote:
>> On 06/02/2011 11:39 AM, JR Aquino wrote:
>>> I need feedback from the group regarding how we should present the output 
>>> for Clarity, the 389 Directory Server Auto Membership Plugin...
>>> 
>>> Currently, the output looks like this:
>>> 
>>> ---=== EXAMPLE ===---
>>> [root@auth2 ~]# ipa clarityrule-show testrule --all
>>>   dn: cn=testrule,cn=automember,cn=etc,dc=expertcity,dc=com
>>>   Clarity Rule: testrule
>>>   Membership filter: objectclass=ipaHost
>>>   Default Group: cn=orphans,cn=hostgroups,cn=accounts,dc=expertcity,dc=com
>>>   Inclusive Regex: 
>>> cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com::fqdn=^web[1-9]+.example.com,
>>>  
>>> cn=mailservers,cn=hostgroups,cn=accounts,dc=example,dc=com::fqdn=^mail[1-9]+.example.com,
>>>
>>> cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com::fqdn=^www[1-9]+.example.com
>>>   Exclusive Regex: 
>>> cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com:blacklist 
>>> www5:fqdn=^www5\.example\.com
>>>   automembergroupingattr: member:dn
>>>   automemberscope: dc=expertcity,dc=com
>>>   objectclass: top, automemberdefinition
>>> ---=== EXAMPLE ===---
>>> 
>>> Each rule in the definition object is broken down into 3 distinct parts: 
>>> Group to modify, Description, Attribute + Regular Expression to match.
>>> 
>>> As time progresses it will be likely that these rules could get long and 
>>> visually unappealing.  I would like to know how we might better represent 
>>> this info.
>>> 
>>> Perhaps a breakout with indentation for each unique group defined in each 
>>> rule?
>>> 
>>> ---===SUGGESTION===---
>>> [root@auth2 ~]# ipa clarityrule-show testrule --all
>>>   dn: cn=testrule,cn=automember,cn=etc,dc=expertcity,dc=com
>>>   Clarity Rule: testrule
>>>   Membership filter: objectclass=ipaHost
>>>   Default Group: cn=orphans,cn=hostgroups,cn=accounts,dc=expertcity,dc=com
>>>   Inclusive Regex:
>>> cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com
>>> FrontEnd: fqdn=^web[1-9]+.example.com,
>>> MainSite: fqdn=^www[1-9]+.example.com
>>> cn=mailservers,cn=hostgroups,cn=accounts,dc=example,dc=com
>>> SMTP: fqdn=^mail[1-9]+.example.com,
>>>   Exclusive Regex:
>>> cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com
>>> blacklist: www5:fqdn=^www5\.example\.com
>>>   automembergroupingattr: member:dn
>>>   automemberscope: dc=expertcity,dc=com
>>>   objectclass: top, automemberdefinition
>>> ---===SUGGESTION===---
>>> 
>> 
>> This presentation assumes that the description is not empty.
>> In the general case it is not true, so I would suggest fixed labels even if
>> the values would have duplicates.
>> 
>>   Group: cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com
>>   Description:
>>   Regex: fqdn=^web[1-9]+.example.com
>>   -
>>   Group: cn=mailservers,cn=hostgroups,cn=accounts,dc=example,dc=com
>>   Description:
>>   Regex: fqdn=^mail[1-9]+.example.com
>>   -
>>   Group: cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com
>>   Description:
>>   Regex: fqdn=^www[1-9]+.example.com
>>   -
>> 
>> Keep the indent that you proposed, it looks OK with the indent.
> 
> Just note that the code that does the rendering is extremely simplistic so 
> control over indention may require a fair bit of work. I think indention is 
> handled via nesting, so returning data as lists of lists may do the trick.

Excellent!  That is really good to know!  I was worried I'd have to override 
output_for_cli()

I'll repost once I have the suggested layout implemented.

Thanks guys!

> 
> That or you are going to have to override output_for_cli() and do all the 
> output manually but that should be a last resort.
> 
> rob
> 
> ___
> Freeipa-devel mailing list
> Freeipa-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel




Re: [Freeipa-devel] FreeIPA Auto Membership CLI

2011-06-02 Thread Dmitri Pal
On 06/02/2011 03:59 PM, Rob Crittenden wrote:
> Dmitri Pal wrote:
>> On 06/02/2011 11:39 AM, JR Aquino wrote:
>>> I need feedback from the group regarding how we should present the
>>> output for Clarity, the 389 Directory Server Auto Membership Plugin...
>>>
>>> Currently, the output looks like this:
>>>
>>> ---=== EXAMPLE ===---
>>> [root@auth2 ~]# ipa clarityrule-show testrule --all
>>>   dn: cn=testrule,cn=automember,cn=etc,dc=expertcity,dc=com
>>>   Clarity Rule: testrule
>>>   Membership filter: objectclass=ipaHost
>>>   Default Group:
>>> cn=orphans,cn=hostgroups,cn=accounts,dc=expertcity,dc=com
>>>   Inclusive Regex:
>>> cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com::fqdn=^web[1-9]+.example.com,
>>> cn=mailservers,cn=hostgroups,cn=accounts,dc=example,dc=com::fqdn=^mail[1-9]+.example.com,
>>>
>>> cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com::fqdn=^www[1-9]+.example.com
>>>   Exclusive Regex:
>>> cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com:blacklist
>>> www5:fqdn=^www5\.example\.com
>>>   automembergroupingattr: member:dn
>>>   automemberscope: dc=expertcity,dc=com
>>>   objectclass: top, automemberdefinition
>>> ---=== EXAMPLE ===---
>>>
>>> Each rule in the definition object is broken down into 3 distinct
>>> parts: Group to modify, Description, Attribute + Regular Expression
>>> to match.
>>>
>>> As time progresses it will be likely that these rules could get long
>>> and visually unappealing.  I would like to know how we might better
>>> represent this info.
>>>
>>> Perhaps a breakout with indentation for each unique group defined in
>>> each rule?
>>>
>>> ---===SUGGESTION===---
>>> [root@auth2 ~]# ipa clarityrule-show testrule --all
>>>   dn: cn=testrule,cn=automember,cn=etc,dc=expertcity,dc=com
>>>   Clarity Rule: testrule
>>>   Membership filter: objectclass=ipaHost
>>>   Default Group:
>>> cn=orphans,cn=hostgroups,cn=accounts,dc=expertcity,dc=com
>>>   Inclusive Regex:
>>>  cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com
>>>  FrontEnd: fqdn=^web[1-9]+.example.com,
>>>  MainSite: fqdn=^www[1-9]+.example.com
>>>  cn=mailservers,cn=hostgroups,cn=accounts,dc=example,dc=com
>>>  SMTP: fqdn=^mail[1-9]+.example.com,
>>>   Exclusive Regex:
>>>  cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com
>>>  blacklist: www5:fqdn=^www5\.example\.com
>>>   automembergroupingattr: member:dn
>>>   automemberscope: dc=expertcity,dc=com
>>>   objectclass: top, automemberdefinition
>>> ---===SUGGESTION===---
>>>
>>
>> This presentation assumes that the description is not empty.
>> In the general case it is not true, so I would suggest fixed labels even if
>> the values would have duplicates.
>>
>>   Group: cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com
>>   Description:
>>   Regex: fqdn=^web[1-9]+.example.com
>>   -
>>   Group: cn=mailservers,cn=hostgroups,cn=accounts,dc=example,dc=com
>>   Description:
>>   Regex: fqdn=^mail[1-9]+.example.com
>>   -
>>   Group: cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com
>>   Description:
>>   Regex: fqdn=^www[1-9]+.example.com
>>   -
>>
>> Keep the indent that you proposed, it looks OK with the indent.
>
> Just note that the code that does the rendering is extremely
> simplistic so control over indention may require a fair bit of work. I
> think indention is handled via nesting, so returning data as lists of
> lists may do the trick.
>
> That or you are going to have to override output_for_cli() and do all
> the output manually but that should be a last resort.

Yeah, please do not make it more complex than needed. Creating a nested
list and letting it render is probably the right approach.

>
> rob
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.




Re: [Freeipa-devel] FreeIPA Auto Membership CLI

2011-06-02 Thread Rob Crittenden

Dmitri Pal wrote:
> On 06/02/2011 11:39 AM, JR Aquino wrote:
>> I need feedback from the group regarding how we should present the output for 
>> Clarity, the 389 Directory Server Auto Membership Plugin...
>>
>> Currently, the output looks like this:
>>
>> ---=== EXAMPLE ===---
>> [root@auth2 ~]# ipa clarityrule-show testrule --all
>>   dn: cn=testrule,cn=automember,cn=etc,dc=expertcity,dc=com
>>   Clarity Rule: testrule
>>   Membership filter: objectclass=ipaHost
>>   Default Group: cn=orphans,cn=hostgroups,cn=accounts,dc=expertcity,dc=com
>>   Inclusive Regex: 
>> cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com::fqdn=^web[1-9]+.example.com,
>>
>> cn=mailservers,cn=hostgroups,cn=accounts,dc=example,dc=com::fqdn=^mail[1-9]+.example.com,
>>
>> cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com::fqdn=^www[1-9]+.example.com
>>   Exclusive Regex: 
>> cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com:blacklist 
>> www5:fqdn=^www5\.example\.com
>>   automembergroupingattr: member:dn
>>   automemberscope: dc=expertcity,dc=com
>>   objectclass: top, automemberdefinition
>> ---=== EXAMPLE ===---
>>
>> Each rule in the definition object is broken down into 3 distinct parts: Group 
>> to modify, Description, Attribute + Regular Expression to match.
>>
>> As time progresses it will be likely that these rules could get long and 
>> visually unappealing.  I would like to know how we might better represent this 
>> info.
>>
>> Perhaps a breakout with indentation for each unique group defined in each rule?
>>
>> ---===SUGGESTION===---
>> [root@auth2 ~]# ipa clarityrule-show testrule --all
>>   dn: cn=testrule,cn=automember,cn=etc,dc=expertcity,dc=com
>>   Clarity Rule: testrule
>>   Membership filter: objectclass=ipaHost
>>   Default Group: cn=orphans,cn=hostgroups,cn=accounts,dc=expertcity,dc=com
>>   Inclusive Regex:
>>  cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com
>>  FrontEnd: fqdn=^web[1-9]+.example.com,
>>  MainSite: fqdn=^www[1-9]+.example.com
>>  cn=mailservers,cn=hostgroups,cn=accounts,dc=example,dc=com
>>  SMTP: fqdn=^mail[1-9]+.example.com,
>>   Exclusive Regex:
>>  cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com
>>  blacklist: www5:fqdn=^www5\.example\.com
>>   automembergroupingattr: member:dn
>>   automemberscope: dc=expertcity,dc=com
>>   objectclass: top, automemberdefinition
>> ---===SUGGESTION===---
>>
>
> This presentation assumes that the description is not empty.
> In the general case it is not true, so I would suggest fixed labels even if
> the values would have duplicates.
>
>   Group: cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com
>   Description:
>   Regex: fqdn=^web[1-9]+.example.com
>   -
>   Group: cn=mailservers,cn=hostgroups,cn=accounts,dc=example,dc=com
>   Description:
>   Regex: fqdn=^mail[1-9]+.example.com
>   -
>   Group: cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com
>   Description:
>   Regex: fqdn=^www[1-9]+.example.com
>   -
>
> Keep the indent that you proposed, it looks OK with the indent.


Just note that the code that does the rendering is extremely simplistic 
so control over indention may require a fair bit of work. I think 
indention is handled via nesting, so returning data as lists of lists 
may do the trick.


That or you are going to have to override output_for_cli() and do all 
the output manually but that should be a last resort.


rob



Re: [Freeipa-devel] FreeIPA Auto Membership CLI

2011-06-02 Thread Dmitri Pal
On 06/02/2011 11:39 AM, JR Aquino wrote:
> I need feedback from the group regarding how we should present the output 
> for Clarity, the 389 Directory Server Auto Membership Plugin...
>
> Currently, the output looks like this:
>
> ---=== EXAMPLE ===---
> [root@auth2 ~]# ipa clarityrule-show testrule --all
>   dn: cn=testrule,cn=automember,cn=etc,dc=expertcity,dc=com
>   Clarity Rule: testrule
>   Membership filter: objectclass=ipaHost
>   Default Group: cn=orphans,cn=hostgroups,cn=accounts,dc=expertcity,dc=com
>   Inclusive Regex: 
> cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com::fqdn=^web[1-9]+.example.com,
>  
> cn=mailservers,cn=hostgroups,cn=accounts,dc=example,dc=com::fqdn=^mail[1-9]+.example.com,
>
> cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com::fqdn=^www[1-9]+.example.com
>   Exclusive Regex: 
> cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com:blacklist 
> www5:fqdn=^www5\.example\.com
>   automembergroupingattr: member:dn
>   automemberscope: dc=expertcity,dc=com
>   objectclass: top, automemberdefinition
> ---=== EXAMPLE ===---
>
> Each rule in the definition object is broken down into 3 distinct parts: 
> Group to modify, Description, Attribute + Regular Expression to match.
>
> As time progresses it will be likely that these rules could get long and 
> visually unappealing.  I would like to know how we might better represent 
> this info.
>
> Perhaps a breakout with indentation for each unique group defined in each 
> rule?
>
> ---===SUGGESTION===---
> [root@auth2 ~]# ipa clarityrule-show testrule --all
>   dn: cn=testrule,cn=automember,cn=etc,dc=expertcity,dc=com
>   Clarity Rule: testrule
>   Membership filter: objectclass=ipaHost
>   Default Group: cn=orphans,cn=hostgroups,cn=accounts,dc=expertcity,dc=com
>   Inclusive Regex: 
> cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com
> FrontEnd: fqdn=^web[1-9]+.example.com,
> MainSite: fqdn=^www[1-9]+.example.com
> cn=mailservers,cn=hostgroups,cn=accounts,dc=example,dc=com
> SMTP: fqdn=^mail[1-9]+.example.com,
>   Exclusive Regex: 
> cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com
> blacklist: www5:fqdn=^www5\.example\.com
>   automembergroupingattr: member:dn
>   automemberscope: dc=expertcity,dc=com
>   objectclass: top, automemberdefinition
> ---===SUGGESTION===---
>

This presentation assumes that the description is not empty.
In the general case it is not true, so I would suggest fixed labels even if
the values would have duplicates.

  Group: cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com
  Description:
  Regex: fqdn=^web[1-9]+.example.com
  -
  Group: cn=mailservers,cn=hostgroups,cn=accounts,dc=example,dc=com
  Description:
  Regex: fqdn=^mail[1-9]+.example.com
  -
  Group: cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com
  Description:
  Regex: fqdn=^www[1-9]+.example.com
  -

Keep the indent that you proposed, it looks OK with the indent.

> Using these rules, the Auto Membership Plugin monitors for insertions into 
> the LDAP directory matching the Membership Filter; In this example, 
> objectclass=ipaHost
>
> The object matching the filter is then compared against the exclusive rules 
> to make sure there is not a marker which indicates the object should NOT be a 
> member of a given group.
>
> Then the object is compared against the inclusive rules to determine if there 
> is a match.
> If there is a match, the object is added to the group defined in the matching 
> rule.
> If all rules are exhausted, the object is optionally added to the group 
> defined by the Default Group attribute of the Definition.
>
> You can view the design document here for more details on how the rules 
> are represented within the raw directory.
> http://directory.fedoraproject.org/wiki/Auto_Membership_Design
>
>
> ~
> Jr Aquino, GCIH | Information Security Specialist
> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
> T:  +1 805.690.3478
> jr.aqu...@citrixonline.com
> http://www.citrixonline.com
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.




[Freeipa-devel] FreeIPA Auto Membership CLI

2011-06-02 Thread JR Aquino
I need feedback from the group regarding how we should present the output for 
Clarity, the 389 Directory Server Auto Membership Plugin...

Currently, the output looks like this:

---=== EXAMPLE ===---
[root@auth2 ~]# ipa clarityrule-show testrule --all
  dn: cn=testrule,cn=automember,cn=etc,dc=expertcity,dc=com
  Clarity Rule: testrule
  Membership filter: objectclass=ipaHost
  Default Group: cn=orphans,cn=hostgroups,cn=accounts,dc=expertcity,dc=com
  Inclusive Regex: 
cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com::fqdn=^web[1-9]+.example.com,
 
cn=mailservers,cn=hostgroups,cn=accounts,dc=example,dc=com::fqdn=^mail[1-9]+.example.com,
   
cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com::fqdn=^www[1-9]+.example.com
  Exclusive Regex: 
cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com:blacklist 
www5:fqdn=^www5\.example\.com
  automembergroupingattr: member:dn
  automemberscope: dc=expertcity,dc=com
  objectclass: top, automemberdefinition
---=== EXAMPLE ===---

Each rule in the definition object is broken down into 3 distinct parts: Group 
to modify, Description, Attribute + Regular Expression to match.

As time progresses it will be likely that these rules could get long and 
visually unappealing.  I would like to know how we might better represent this 
info.

Perhaps a breakout with indentation for each unique group defined in each rule?

---===SUGGESTION===---
[root@auth2 ~]# ipa clarityrule-show testrule --all
  dn: cn=testrule,cn=automember,cn=etc,dc=expertcity,dc=com
  Clarity Rule: testrule
  Membership filter: objectclass=ipaHost
  Default Group: cn=orphans,cn=hostgroups,cn=accounts,dc=expertcity,dc=com
  Inclusive Regex: 
cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com
FrontEnd: fqdn=^web[1-9]+.example.com,
MainSite: fqdn=^www[1-9]+.example.com
cn=mailservers,cn=hostgroups,cn=accounts,dc=example,dc=com
SMTP: fqdn=^mail[1-9]+.example.com,
  Exclusive Regex: 
cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com
blacklist: www5:fqdn=^www5\.example\.com
  automembergroupingattr: member:dn
  automemberscope: dc=expertcity,dc=com
  objectclass: top, automemberdefinition
---===SUGGESTION===---

Using these rules, the Auto Membership Plugin monitors for insertions into the 
LDAP directory matching the Membership Filter; In this example, 
objectclass=ipaHost

The object matching the filter is then compared against the exclusive rules to 
make sure there is not a marker which indicates the object should NOT be a 
member of a given group.

Then the object is compared against the inclusive rules to determine if there 
is a match.
If there is a match, the object is added to the group defined in the matching 
rule.
If all rules are exhausted, the object is optionally added to the group defined 
by the Default Group attribute of the Definition.

You can view the design document here for more details on how the rules are 
represented within the raw directory.
http://directory.fedoraproject.org/wiki/Auto_Membership_Design


~
Jr Aquino, GCIH | Information Security Specialist
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T:  +1 805.690.3478
jr.aqu...@citrixonline.com
http://www.citrixonline.com
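
Added example (not part of the original thread, and not FreeIPA or 389 Directory Server code): a sketch of the evaluation order described in the message above (membership filter, exclusive rules, inclusive rules, default group) over the `group:description:attr=regex` rule strings shown in the sample output, plus the fixed-label layout suggested in the replies. The names `parse_rule`, `target_groups`, `render` and `host` are hypothetical; using Python's `re.search` in place of the plugin's regex engine and falling back to the default group whenever no inclusive rule places the entry are assumptions.

```python
import re
from typing import NamedTuple

# Constructed sample mirroring the definition shown in the thread.
WEB = "cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com"
MAIL = "cn=mailservers,cn=hostgroups,cn=accounts,dc=example,dc=com"
DEFAULT = "cn=orphans,cn=hostgroups,cn=accounts,dc=expertcity,dc=com"
DEFINITION = {
    "filter": "objectclass=ipaHost",
    "default": DEFAULT,
    "inclusive": [WEB + "::fqdn=^web[1-9]+.example.com",
                  MAIL + "::fqdn=^mail[1-9]+.example.com",
                  WEB + "::fqdn=^www[1-9]+.example.com"],
    "exclusive": [WEB + r":blacklist www5:fqdn=^www5\.example\.com"],
}

class Rule(NamedTuple):
    group: str        # DN of the group to modify
    description: str  # free text, may be empty
    attr: str         # attribute to test, e.g. fqdn
    regex: str        # pattern applied to that attribute

def parse_rule(raw):
    """Split 'group:description:attr=regex'; only the regex may hold ':'."""
    group, description, match = raw.split(":", 2)
    attr, regex = match.split("=", 1)
    return Rule(group.strip(), description.strip(), attr.strip(), regex.strip())

def matches(rule, entry):
    # Assumption: re.search stands in for the plugin's regex engine.
    return any(re.search(rule.regex, v) for v in entry.get(rule.attr, []))

def target_groups(entry, definition=DEFINITION):
    """Groups the entry would join: filter, exclusive, inclusive, default."""
    f_attr, f_value = definition["filter"].split("=", 1)
    if f_value.lower() not in [v.lower() for v in entry.get(f_attr, [])]:
        return []  # entry is outside the membership filter
    excluded = {r.group for r in map(parse_rule, definition["exclusive"])
                if matches(r, entry)}
    groups = []
    for r in map(parse_rule, definition["inclusive"]):
        if r.group not in excluded and r.group not in groups and matches(r, entry):
            groups.append(r.group)
    # Assumption: the default group applies when no inclusive rule placed the entry.
    return groups or ([definition["default"]] if definition.get("default") else [])

def render(raw_rules):
    """Fixed-label layout: every label is printed even if the description is empty."""
    lines = []
    for r in map(parse_rule, raw_rules):
        lines += [f"Group: {r.group}", f"Description: {r.description}".rstrip(),
                  f"Regex: {r.attr}={r.regex}", "-"]
    return lines

def host(fqdn):
    """Constructed host entry carrying only the attributes the rules test."""
    return {"objectclass": ["ipaHost"], "fqdn": [fqdn]}

if __name__ == "__main__":
    for name in ("web1.example.com", "www5.example.com", "db1.example.com"):
        print(name, "->", target_groups(host(name)))
    print("\n".join(render(DEFINITION["inclusive"])))
```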

