Re: [Freeipa-users] [requirements gathering] Notification system / hooks

2016-03-10 Thread wouter.hummelink
As an administrator I would like to get notified when anyone 
successfully/unsuccessfully authenticates to predefined services (n times).

From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] 
On Behalf Of Anon Lister
Sent: Thursday, 10 March 2016 17:20
To: Petr Spacek
CC: freeipa-users
Subject: Re: [Freeipa-users] [requirements gathering] Notification system / hooks


I would like an alert when my IPA servers successfully establish a
bidirectional trust with mutual authentication with our AD server
Actually I could even skip the alert ;)
On Mar 9, 2016 11:27 AM, "Petr Spacek" <pspa...@redhat.com> wrote:
Dear users,

FreeIPA team is thinking about adding notification system (or 'hooks') to
various parts of FreeIPA.

If you happen to know about a use-case for hook or an event you want to react
to please let us know.

Example:
- As admin, I want to call my custom script when a host is deleted. (E.g. to
do cleanup in our other internal systems.)
- As user, I want to get a notification when ...

Be creative and let us know as soon as you find the use-case.

Thank you very much!


BTW design page is on:
http://www.freeipa.org/page/V4/Notification_system
(but it is mostly empty at the moment).

--
Petr^2 Spacek

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] [requirements gathering] Notification system / hooks

2016-03-10 Thread Anon Lister
Well... I suppose that's problem #2. Problem #1 would be implementing the
bidirectional authentication in the first place. :p
On Mar 10, 2016 11:22 AM, "Petr Spacek"  wrote:

> On 10.3.2016 17:20, Anon Lister wrote:
> > I would like an alert when my IPA servers successfully establish a
> > bidirectional trust with mutual authentication with our AD server
> > Actually I could even skip the alert ;)
> > On Mar 9, 2016 11:27 AM, "Petr Spacek"  wrote:
>
> Heh, I'm confused. How would you establish the trust without using admin's
> credentials or pre-shared secret in the first place?
>
> I.e. how this could be done without admin's consent?
>
> Petr^2 Spacek
>
> >> Dear users,
> >>
> >> FreeIPA team is thinking about adding notification system (or 'hooks') to
> >> various parts of FreeIPA.
> >>
> >> If you happen to know about a use-case for hook or an event you want to
> >> react to please let us know.
> >>
> >> Example:
> >> - As admin, I want to call my custom script when a host is deleted. (E.g.
> >> to do cleanup in our other internal systems.)
> >> - As user, I want to get a notification when ...
> >>
> >> Be creative and let us know as soon as you find the use-case.
> >>
> >> Thank you very much!
> >>
> >>
> >> BTW design page is on:
> >> http://www.freeipa.org/page/V4/Notification_system
> >> (but it is mostly empty at the moment).
> >>
> >> --
> >> Petr^2 Spacek
>

Re: [Freeipa-users] [requirements gathering] Notification system / hooks

2016-03-10 Thread Anon Lister
I would like an alert when my IPA servers successfully establish a
bidirectional trust with mutual authentication with our AD server
Actually I could even skip the alert ;)
On Mar 9, 2016 11:27 AM, "Petr Spacek"  wrote:

> Dear users,
>
> FreeIPA team is thinking about adding notification system (or 'hooks') to
> various parts of FreeIPA.
>
> If you happen to know about a use-case for hook or an event you want to
> react to please let us know.
>
> Example:
> - As admin, I want to call my custom script when a host is deleted. (E.g.
> to do cleanup in our other internal systems.)
> - As user, I want to get a notification when ...
>
> Be creative and let us know as soon as you find the use-case.
>
> Thank you very much!
>
>
> BTW design page is on:
> http://www.freeipa.org/page/V4/Notification_system
> (but it is mostly empty at the moment).
>
> --
> Petr^2 Spacek
>

Re: [Freeipa-users] [requirements gathering] Notification system / hooks

2016-03-10 Thread Petr Spacek
On 10.3.2016 17:20, Anon Lister wrote:
> I would like an alert when my IPA servers successfully establish a
> bidirectional trust with mutual authentication with our AD server
> Actually I could even skip the alert ;)
> On Mar 9, 2016 11:27 AM, "Petr Spacek"  wrote:

Heh, I'm confused. How would you establish the trust without using admin's
credentials or pre-shared secret in the first place?

I.e. how this could be done without admin's consent?

Petr^2 Spacek

>> Dear users,
>>
>> FreeIPA team is thinking about adding notification system (or 'hooks') to
>> various parts of FreeIPA.
>>
>> If you happen to know about a use-case for hook or an event you want to
>> react to please let us know.
>>
>> Example:
>> - As admin, I want to call my custom script when a host is deleted. (E.g.
>> to do cleanup in our other internal systems.)
>> - As user, I want to get a notification when ...
>>
>> Be creative and let us know as soon as you find the use-case.
>>
>> Thank you very much!
>>
>>
>> BTW design page is on:
>> http://www.freeipa.org/page/V4/Notification_system
>> (but it is mostly empty at the moment).
>>
>> --
>> Petr^2 Spacek



Re: [Freeipa-users] [requirements gathering] Notification system / hooks

2016-03-10 Thread Petr Spacek
On 10.3.2016 05:06, Mike Kelly wrote:
> As an admin, I want to get a notification when a user's password is reset,
> or when they update their password, so that I can disable a user who does
> not change their password a certain amount of time after it was reset.
> 
> Basically, the goal is to have a way to implement a policy like "if we
> reset your password, and you don't change it to a new one after 2 days,
> we'll lock your account" so that, say, some old email with their password
> in it is unlikely to be valid anymore.

This sounds sensible, thank you.

(re-posting to ipa-users)
For the record and other interested parties:
Please keep in mind that this is NOT intended as an audit mechanism. We
already have audit in LDAP server and audit is explicitly out of scope of this
work.

This should provide hooks so vanilla IPA as shipped in packages can be easily
integrated with third-party systems which are present all over the place.

Jan Cholasta identified few object types which he thinks are interesting from
the hook(s) perspective:
user, group, host, hostgroup, service

Current line of thinking was about adding hooks into IPA framework so we are
not risking destabilizing or slowing down the DS.

If we want to monitor generic LDAP we could use syncrepl to stay outside of
DS. As far as I understood Honza this has interesting problems because the
consumer of the notifications from LDAP would have to understand the relations
between IPA LDAP objects etc., which can be quite complicated.

For this reason we were thinking about kind of limited approach where hooks
are called when using CLI/WebUI/API but not when direct LDAP modifications are
done.


Would that work for you?

Petr^2 Spacek

> 
> On Wed, Mar 9, 2016 at 11:23 AM Petr Spacek  wrote:
> 
>> Dear users,
>>
>> FreeIPA team is thinking about adding notification system (or 'hooks') to
>> various parts of FreeIPA.
>>
>> If you happen to know about a use-case for hook or an event you want to
>> react to please let us know.
>>
>> Example:
>> - As admin, I want to call my custom script when a host is deleted. (E.g.
>> to do cleanup in our other internal systems.)
>> - As user, I want to get a notification when ...
>>
>> Be creative and let us know as soon as you find the use-case.
>>
>> Thank you very much!
>>
>>
>> BTW design page is on:
>> http://www.freeipa.org/page/V4/Notification_system
>> (but it is mostly empty at the moment).
>>
>> --
>> Petr^2 Spacek

-- 
Petr^2 Spacek



Re: [Freeipa-users] [requirements gathering] Notification system / hooks

2016-03-09 Thread Mike Kelly
As an admin, I want to get a notification when a user's password is reset,
or when they update their password, so that I can disable a user who does
not change their password a certain amount of time after it was reset.

Basically, the goal is to have a way to implement a policy like "if we
reset your password, and you don't change it to a new one after 2 days,
we'll lock your account" so that, say, some old email with their password
in it is unlikely to be valid anymore.

On Wed, Mar 9, 2016 at 11:23 AM Petr Spacek  wrote:

> Dear users,
>
> FreeIPA team is thinking about adding notification system (or 'hooks') to
> various parts of FreeIPA.
>
> If you happen to know about a use-case for hook or an event you want to
> react to please let us know.
>
> Example:
> - As admin, I want to call my custom script when a host is deleted. (E.g.
> to do cleanup in our other internal systems.)
> - As user, I want to get a notification when ...
>
> Be creative and let us know as soon as you find the use-case.
>
> Thank you very much!
>
>
> BTW design page is on:
> http://www.freeipa.org/page/V4/Notification_system
> (but it is mostly empty at the moment).
>
> --
> Petr^2 Spacek
>
-- 

Mike Kelly
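
Added example (not part of the original thread and not FreeIPA code): one way a consumer of such notifications could evaluate the reset-then-change policy described in the message above. The `(timestamp, kind, user)` event layout, the kind names `password_reset` and `password_change`, and the function `accounts_to_lock` are assumptions, since the thread defines no hook payload.

```python
from datetime import datetime, timedelta

GRACE = timedelta(days=2)  # the "2 days" from the policy described above

# Constructed sample events. The (timestamp, kind, user) layout and the kind
# names are hypothetical: the thread does not define a hook payload.
SAMPLE_EVENTS = [
    ("2016-03-01T09:00:00", "password_reset", "alice"),
    ("2016-03-01T15:30:00", "password_change", "alice"),   # changed in time
    ("2016-03-02T10:00:00", "password_reset", "bob"),      # never changed
    ("2016-03-06T08:00:00", "password_change", "carol"),   # out of order, late
    ("2016-03-03T08:00:00", "password_reset", "carol"),
    ("2016-03-04T12:00:00", "password_reset", "dave"),     # in grace on 03-05
    ("2016-03-04T13:00:00", "password_change", "erin"),    # no reset pending
]


def accounts_to_lock(events, now, grace=GRACE):
    """Return {user: deadline} for resets still unanswered past the grace period."""
    pending = {}  # user -> time of the most recent unanswered admin reset
    parsed = sorted((datetime.fromisoformat(ts), kind, user)
                    for ts, kind, user in events)
    for when, kind, user in parsed:
        if when > now:
            break  # only consider what had happened by the evaluation time
        if kind == "password_reset":
            pending[user] = when      # a new reset restarts the clock
        elif kind == "password_change":
            pending.pop(user, None)   # user replaced the reset password
    return {user: reset_at + grace
            for user, reset_at in pending.items()
            if now >= reset_at + grace}


if __name__ == "__main__":
    for day in ("2016-03-05T12:00:00", "2016-03-07T00:00:00"):
        due = accounts_to_lock(SAMPLE_EVENTS, datetime.fromisoformat(day))
        for user, deadline in sorted(due.items()):
            # A real deployment would disable the account at this point,
            # for example with `ipa user-disable <login>`.
            print(f"{day}: lock {user} (deadline was {deadline.isoformat()})")
```
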