Re: [Freeipa-devel] [PATCH] Add a new user-add flag param to disable the creation of UPG.
On 04/04/2011 03:47 PM, Simo Sorce wrote:
> On Mon, 28 Mar 2011 15:27:46 -0700 Nathan Kinder <nkin...@redhat.com> wrote:
>> On 03/28/2011 03:20 PM, Dmitri Pal wrote:
>>> On 03/28/2011 04:38 PM, Pavel Zůna wrote:
>>>> This patch handles the issue in a kind of stupid way, but I couldn't think of anything better. It adds a new flag parameter to user-add (--noprivate). With this flag, the command marks the private group about to be created for deletion, and it is deleted after the user is created. The only exception is when there is a group that is named the same way as the user but isn't a private group; then the group is left there. Private groups are created automatically by the managed entry DS plugin and I didn't find a way to disable its creation for a specific user.
>>>
>>> The idea that comes to mind is to define some magical attribute that the DS plugin would recognize and skip the creation of the managed entry as well as strip the entry of this magic attribute/value. I remember that other plugins might take advantage of a similar approach. Is something like this possible?
>>
>> You are probably thinking of the DNA plug-in and its use of a magic value used to tell the plug-in to allocate a value from a range. I would not like to use this approach here, as it requires additional coding and complexity that I don't think is needed. I would prefer that we use the originFilter to deal with this. We could have an auxiliary objectclass that IPA usually adds when creating an IPA user. The originFilter can key off of this objectclass to create managed groups. When a user is added with the --noprivate option, this objectclass is not included in the user entry that is added. Rob and I discussed this approach on IRC earlier today.
>
> Ack, this sounds like a better approach, although it doesn't necessarily need to be an objectclass; it can also be an attribute with a specific value that is checked in the filter as (!(attrib=value)).
>
> Simo.

New patch with new approach attached.
It sets the checked filter to: ((objectclass=posixAccount)(!(description=__no_upg__))) If a user entry is created with the description attribute equal to the string __no_upg__, the DS plugin will not trigger and no UPG is going to be created. After this patch, the user-add plugin adds this description attribute (NO_UPG_MAGIC = __no_upg__) in the pre_callback and deletes it in the post_callback if necessary. I think the description attribute is the best choice, because it's part of the posixAccount objectClass and we don't use it for anything on user entries. Pavel From 57f3b82bc4b3180a8b0a27733cc0632b813a7736 Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Mon, 28 Mar 2011 15:10:57 -0400 Subject: [PATCH] Add a new user-add flag param to disable the creation of UPG. Ticket #1131 --- install/share/user_private_groups.ldif |2 +- ipalib/plugins/user.py | 53 --- 2 files changed, 42 insertions(+), 13 deletions(-) diff --git a/install/share/user_private_groups.ldif b/install/share/user_private_groups.ldif index 9df729a..41a78ba 100644 --- a/install/share/user_private_groups.ldif +++ b/install/share/user_private_groups.ldif @@ -15,7 +15,7 @@ changetype: add objectclass: extensibleObject cn: UPG Definition originScope: cn=users,cn=accounts,$SUFFIX -originFilter: objectclass=posixAccount +originFilter: ((objectclass=posixAccount)(!(description=__no_upg__))) managedBase: cn=groups,cn=accounts,$SUFFIX managedTemplate: cn=UPG Template,cn=etc,$SUFFIX diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index 9015144..9a658a9 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -63,6 +63,9 @@ from ipalib import _, ngettext from ipalib.request import context from time import gmtime, strftime + +NO_UPG_MAGIC = '__no_upg__' + def validate_nsaccountlock(entry_attrs): if 'nsaccountlock' in entry_attrs: if not isinstance(entry_attrs['nsaccountlock'], basestring): 
@@ -70,6 +73,7 @@ def validate_nsaccountlock(entry_attrs): if entry_attrs['nsaccountlock'].lower() not in ('true','false'): raise errors.ValidationError(name='nsaccountlock', error='must be TRUE or FALSE') + class user(LDAPObject): User object. @@ -250,22 +254,35 @@ class user_add(LDAPCreate): Add a new user. - msg_summary = _('Added user %(value)s') +takes_options = LDAPCreate.takes_args + ( +Flag('noprivate', +cli_name='noprivate', +doc=_('don\'t create user private group'), +), +) + def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): -try: -# The Managed Entries plugin will allow a user to be created -# even if a group has a duplicate name. This would leave a user -# without a private group. Check for both the group and the user. -self.api.Command['group_show'](keys[-1]) +if not
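Review bot: the new originFilter line in install/share/user_private_groups.ldif reads ((objectclass=posixAccount)(!(description=__no_upg__))) with no & in front of the two sub-filters, which is not a well-formed RFC 4515 filter; if the leading & was lost on the way to the list that is fine, but the committed line should be (&(objectclass=posixAccount)(!(description=__no_upg__))), and an ldapsearch with that exact filter against cn=users before merging would confirm the server parses it. Also, only the install-time ldif is touched, so existing servers keep objectclass=posixAccount in their live cn=UPG Definition entry; without an update step for that entry, --noprivate on an upgraded server still gets a UPG created by the plugin, and nothing in the command reports it.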
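Review bot: NO_UPG_MAGIC = '__no_upg__' in ipalib/plugins/user.py duplicates the literal baked into the originFilter in install/share/user_private_groups.ldif; a comment on the constant naming that file (and one in the ldif pointing back) would keep the two from drifting, because a mismatch silently turns --noprivate into a no-op rather than an error. The same comment should say that description is a caller-settable attribute, so any user entry added with exactly this description value, through ldapadd or otherwise, gets no UPG; that is a property of the design administrators need to know about.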
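Review bot: in the user_add hunk, takes_options = LDAPCreate.takes_args + (Flag('noprivate', ...),) extends the wrong base: takes_args holds the positional arguments, so this drops every option LDAPCreate defines and, if takes_args is non-empty, turns positional arguments into options; it should read takes_options = LDAPCreate.takes_options + (...). As the hunk was extracted, msg_summary = _('Added user %(value)s') also appears with a - marker; if that line is really removed, user-add loses its summary message, so confirm it is retained. The hunk is cut off after +if not, so the pre_callback branch that adds NO_UPG_MAGIC to description and the post_callback that strips it are not visible; the things to check there are that the marker is added as an additional value rather than replacing a description the caller supplied, and that post_callback removes only that one value.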
Re: [Freeipa-devel] [PATCH] Add a new user-add flag param to disable the creation of UPG.
On Mon, 28 Mar 2011 15:27:46 -0700 Nathan Kinder <nkin...@redhat.com> wrote:
> On 03/28/2011 03:20 PM, Dmitri Pal wrote:
>> On 03/28/2011 04:38 PM, Pavel Zůna wrote:
>>> This patch handles the issue in a kind of stupid way, but I couldn't think of anything better. It adds a new flag parameter to user-add (--noprivate). With this flag, the command marks the private group about to be created for deletion, and it is deleted after the user is created. The only exception is when there is a group that is named the same way as the user but isn't a private group; then the group is left there. Private groups are created automatically by the managed entry DS plugin and I didn't find a way to disable its creation for a specific user.
>>
>> The idea that comes to mind is to define some magical attribute that the DS plugin would recognize and skip the creation of the managed entry as well as strip the entry of this magic attribute/value. I remember that other plugins might take advantage of a similar approach. Is something like this possible?
>
> You are probably thinking of the DNA plug-in and its use of a magic value used to tell the plug-in to allocate a value from a range. I would not like to use this approach here, as it requires additional coding and complexity that I don't think is needed. I would prefer that we use the originFilter to deal with this. We could have an auxiliary objectclass that IPA usually adds when creating an IPA user. The originFilter can key off of this objectclass to create managed groups. When a user is added with the --noprivate option, this objectclass is not included in the user entry that is added. Rob and I discussed this approach on IRC earlier today.

Ack, this sounds like a better approach, although it doesn't necessarily need to be an objectclass; it can also be an attribute with a specific value that is checked in the filter as (!(attrib=value)).

Simo.
-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
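As an added example (not code from the thread, from the patch, or from FreeIPA), the Python below evaluates an originFilter of the shape Simo proposes, and that Pavel's patch then sets on cn=UPG Definition, against a few constructed user entries, to show which entries the Managed Entries plugin would act on and which would be skipped. The filter string written with a leading &, the sample entries, and every helper name are assumptions of this example; it also checks that the filter as it appears in the archived mail, without the &, does not parse, and that the pre-patch filter gives the marked entry a UPG anyway.

```python
# Added example, not FreeIPA code: a minimal evaluator for the Managed Entries
# originFilter discussed in this thread, run against constructed user entries.

NO_UPG_MAGIC = "__no_upg__"  # marker value from the patch
# The patch's filter with the leading '&' an RFC 4515 AND needs (assumption:
# the '&' was dropped by the list archive).
ORIGIN_FILTER = "(&(objectclass=posixAccount)(!(description=%s)))" % NO_UPG_MAGIC
# The filter exactly as it appears in the archived mail.
AS_POSTED_FILTER = "((objectclass=posixAccount)(!(description=__no_upg__)))"
# The pre-patch filter (the ldif writes it without outer parentheses).
LEGACY_FILTER = "(objectclass=posixAccount)"


def _parse(text, pos):
    """Parse one filter component at text[pos]; return (node, next_pos)."""
    if pos >= len(text) or text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if pos < len(text) and text[pos] in "&|!":
        op = text[pos]
        pos += 1
        children = []
        while pos < len(text) and text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        if pos >= len(text) or text[pos] != ")":
            raise ValueError("unterminated '%s' filter at offset %d" % (op, pos))
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one sub-filter")
        if not children:
            raise ValueError("'%s' needs at least one sub-filter" % op)
        return (op, children), pos + 1
    # Simple equality item "(attr=value)". Escaped ')' in values (RFC 4515
    # writes them as \29) is not handled; the filters here don't need it.
    end = text.find(")", pos)
    if end < 0:
        raise ValueError("unterminated item at offset %d" % pos)
    attr, sep, value = text[pos:end].partition("=")
    if not sep or not attr or "(" in attr or not value:
        raise ValueError("malformed item %r at offset %d" % (text[pos:end], pos))
    return ("=", attr.lower(), value), end + 1


def parse_filter(text):
    """Parse the supported RFC 4515 subset: (&...), (|...), (!...), (attr=value)."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data after filter at offset %d" % pos)
    return node


def is_valid_filter(text):
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False


def matches(entry, node):
    """Evaluate a parsed filter against an entry of the form {attr: [values]}."""
    if node[0] == "=":
        _, attr, value = node
        # Equality matching on objectClass/directoryString is case-insensitive.
        return any(v.lower() == value.lower() for v in entry.get(attr, []))
    op, children = node
    if op == "&":
        return all(matches(entry, c) for c in children)
    if op == "|":
        return any(matches(entry, c) for c in children)
    return not matches(entry, children[0])


def normalize(entry):
    """Lower-case attribute names and make every value a list."""
    out = {}
    for attr, values in entry.items():
        out[attr.lower()] = [values] if isinstance(values, str) else list(values)
    return out


def wants_upg(entry, filter_text=ORIGIN_FILTER):
    """True if the plugin's originFilter matches, i.e. a UPG would be created."""
    return matches(normalize(entry), parse_filter(filter_text))


# Constructed sample entries (not real directory data).
SAMPLE_USERS = {
    "alice": {"objectClass": ["top", "person", "posixAccount"], "uid": "alice"},
    "svc-backup": {"objectClass": ["top", "person", "posixAccount"], "uid": "svc-backup",
                   "description": ["backup service account", NO_UPG_MAGIC]},
    "bob": {"objectClass": ["top", "person"], "uid": "bob"},  # not a POSIX user
}


def upg_decisions(users=SAMPLE_USERS, filter_text=ORIGIN_FILTER):
    """Map each sample user to whether the given originFilter would create a UPG."""
    return {name: wants_upg(entry, filter_text) for name, entry in users.items()}


def strip_no_upg_marker(description_values):
    """What a post_callback must do: remove only the marker, keep the caller's text."""
    return [v for v in description_values if v != NO_UPG_MAGIC]


if __name__ == "__main__":
    print("filter as posted parses:", is_valid_filter(AS_POSTED_FILTER))
    for name, decision in upg_decisions().items():
        print("%-12s UPG created: %s" % (name, decision))
```

Running it shows alice getting a UPG, svc-backup (marked) and bob (no posixAccount) getting none, while the same entries under LEGACY_FILTER give svc-backup a UPG too, which is the situation an upgraded server would be in if only the install-time ldif changed.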
Re: [Freeipa-devel] [PATCH] Add a new user-add flag param to disable the creation of UPG.
Pavel Zůna wrote:
> This patch handles the issue in a kind of stupid way, but I couldn't think of anything better. It adds a new flag parameter to user-add (--noprivate). With this flag, the command marks the private group about to be created for deletion, and it is deleted after the user is created. The only exception is when there is a group that is named the same way as the user but isn't a private group; then the group is left there. Private groups are created automatically by the managed entry DS plugin and I didn't find a way to disable its creation for a specific user.
>
> Ticket #1131
>
> Pavel

I wonder if you can modify the originFilter entry in the Managed Entry plugin and set something special so the user gets created w/o a group. The trick would be getting the filter right. Currently it is:

originFilter: objectclass=posixAccount

I wonder if we could stuff something else in there that would cause it to evaluate false when we don't want a managed group.

rob
Re: [Freeipa-devel] [PATCH] Add a new user-add flag param to disable the creation of UPG.
On 2011-03-28 23:05, Rob Crittenden wrote:
> Pavel Zůna wrote:
>> This patch handles the issue in a kind of stupid way, but I couldn't think of anything better. It adds a new flag parameter to user-add (--noprivate). With this flag, the command marks the private group about to be created for deletion, and it is deleted after the user is created. The only exception is when there is a group that is named the same way as the user but isn't a private group; then the group is left there. Private groups are created automatically by the managed entry DS plugin and I didn't find a way to disable its creation for a specific user.
>>
>> Ticket #1131
>>
>> Pavel
>
> I wonder if you can modify the originFilter entry in the Managed Entry plugin and set something special so the user gets created w/o a group. The trick would be getting the filter right. Currently it is:
>
> originFilter: objectclass=posixAccount
>
> I wonder if we could stuff something else in there that would cause it to evaluate false when we don't want a managed group.
>
> rob

I thought about it, but changing the filter temporarily isn't an option since more user-add operations can be running at the same time and this entry is global.

Maybe adding a special object class or temporary attribute to mark users to be created without UPG. Or creating the user without the posixAccount object class and attributes and adding them later using user-mod. This might be a bit faster than deleting the UPG.

Pavel
Re: [Freeipa-devel] [PATCH] Add a new user-add flag param to disable the creation of UPG.
Pavel Zůna wrote:
> On 2011-03-28 23:05, Rob Crittenden wrote:
>> Pavel Zůna wrote:
>>> This patch handles the issue in a kind of stupid way, but I couldn't think of anything better. It adds a new flag parameter to user-add (--noprivate). With this flag, the command marks the private group about to be created for deletion, and it is deleted after the user is created. The only exception is when there is a group that is named the same way as the user but isn't a private group; then the group is left there. Private groups are created automatically by the managed entry DS plugin and I didn't find a way to disable its creation for a specific user.
>>>
>>> Ticket #1131
>>>
>>> Pavel
>>
>> I wonder if you can modify the originFilter entry in the Managed Entry plugin and set something special so the user gets created w/o a group. The trick would be getting the filter right. Currently it is:
>>
>> originFilter: objectclass=posixAccount
>>
>> I wonder if we could stuff something else in there that would cause it to evaluate false when we don't want a managed group.
>>
>> rob
>
> I thought about it, but changing the filter temporarily isn't an option since more user-add operations can be running at the same time and this entry is global.

No, leave the filter alone but change it by default to something that is more flexible.

> Maybe adding a special object class or temporary attribute to mark users to be created without UPG.

Right, we could create a sup objectclass to ipaUsers that has no attributes and use it like a flag. Not sure this is a great idea, but we could even leave this to avoid the extra operations.

> Or creating the user without the posixAccount object class and attributes and adding them later using user-mod. This might be a bit faster than deleting the UPG.

Yup, that would probably work too.

rob
Re: [Freeipa-devel] [PATCH] Add a new user-add flag param to disable the creation of UPG.
On 03/28/2011 04:38 PM, Pavel Zůna wrote:
> This patch handles the issue in a kind of stupid way, but I couldn't think of anything better. It adds a new flag parameter to user-add (--noprivate). With this flag, the command marks the private group about to be created for deletion, and it is deleted after the user is created. The only exception is when there is a group that is named the same way as the user but isn't a private group; then the group is left there. Private groups are created automatically by the managed entry DS plugin and I didn't find a way to disable its creation for a specific user.

The idea that comes to mind is to define some magical attribute that the DS plugin would recognize and skip the creation of the managed entry as well as strip the entry of this magic attribute/value. I remember that other plugins might take advantage of a similar approach. Is something like this possible?

> Ticket #1131
>
> Pavel

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/