Open tiran opened 4 years ago
This is how automember can automatically add users to a group based on an agreement:
# ipa automember-show --type group fasgroup
Automember Rule: fasgroup
Inclusive Regex: memberof=^cn=fasgroupagreement,cn=fasagreements,dc=fas,dc=example$
# ipa fasagreement-show fasgroupagreement --all
dn: cn=fasgroupagreement,cn=fasagreements,dc=fas,dc=example
Agreement name: fasgroupagreement
Member groups: fasgroup
memberuser_user: admin
# ipa group-show fasgroup
Group name: fasgroup
GID: 1032200005
Member users: admin
# ipa fasagreement-add-user fasgroupagreement --users=fasuser1
Agreement name: fasgroupagreement
Member groups: fasgroup
-------------------------
Number of members added 1
-------------------------
# ipa fasagreement-show fasgroupagreement --all
dn: cn=fasgroupagreement,cn=fasagreements,dc=fas,dc=example
Agreement name: fasgroupagreement
Member groups: fasgroup
memberuser_user: admin, fasuser1
# ipa group-show fasgroup
Group name: fasgroup
GID: 1032200005
Member users: fasuser1, admin
Auto-removal does not yet work for me. I think it's caused by the fact that the user is an indirect member of the agreement.
From IRC:
<Crys> mreynolds: so autoremoval does not work for me, BUT it might be my fault.
<Crys> mreynolds: I have three objects: user, group, and fasagreement. The agreement has member -> group and memberUser -> user. I want users to join the group when they consent to a fasagreement and get removed when they withdraw consent.
<Crys> mreynolds: but when a user U is a member of group G, then the user is also an indirect member of agreement A.
<Crys> dn: uid=fasuser1,cn=users,cn=accounts,dc=fas,dc=example
<Crys> memberof: cn=fasgroup,cn=groups,cn=accounts,dc=fas,dc=example
<Crys> memberof: cn=fasgroupagreement,cn=fasagreements,dc=fas,dc=example
<Crys> after I remove the user from the agreement:
<Crys> memberof: cn=fasgroup,cn=groups,cn=accounts,dc=fas,dc=example
<Crys> memberofindirect: cn=fasgroupagreement,cn=fasagreements,dc=fas,dc=example
<Crys> autoMemberInclusiveRegex: memberof=^cn=fasgroupagreement,cn=fasagreements,dc=fas,dc=example$
Automember removal works with other attributes, but I have to create an 'automember rebuild membership' task to make 389-DS remove group membership:
# ipa automember-show --type group fasgroup
Automember Rule: fasgroup
Inclusive Regex: userclass=fasgroup
# ipa group-show fasgroup
Group name: fasgroup
GID: 1032200005
# ipa user-mod fasuser1 --class=fasgroup
# ipa group-show fasgroup
Group name: fasgroup
GID: 1032200005
Member users: fasuser1
# ipa user-mod fasuser1 --class=
# ipa group-show fasgroup
Group name: fasgroup
GID: 1032200005
Member users: fasuser1
# ipa automember-rebuild --type=group
--------------------------------------------------------
Automember rebuild task finished. Processed (4) entries.
--------------------------------------------------------
# ipa group-show fasgroup
Group name: fasgroup
GID: 1032200005
389-ds-base-1.4.2.13-1.fc31.x86_64
freeipa-server-4.8.6-1.fc31.x86_64
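The two experiments above (the memberof-based rule that never stops matching, and the userclass-based rule that only un-matches after a rebuild task) can be reproduced in a small model. The block below is an added illustration written for this page, not 389-DS, FreeIPA or freeipa-fas code. It assumes a simplified memberOf plugin that materialises transitive containment into one `memberOf` attribute (the `memberofindirect` line is how the IPA CLI presents the indirect part of that attribute), and it models automember from the CLI output in the post: an inclusive rule `attr=regex` fires when any value of `attr` matches, the modify-time path only adds members, and the rebuild task both adds and removes. The DNs are the ones from the post; the attribute contents are constructed. Note that the rebuild outcome for the agreement scenario is the model's prediction (the rule still matches through the group, so nothing is removed); the post only ran the rebuild task in the userclass scenario.

```python
import re
from typing import Dict, Set

# DNs copied from the issue; the entries themselves are constructed for this model.
USER = "uid=fasuser1,cn=users,cn=accounts,dc=fas,dc=example"
GROUP = "cn=fasgroup,cn=groups,cn=accounts,dc=fas,dc=example"
AGREEMENT = "cn=fasgroupagreement,cn=fasagreements,dc=fas,dc=example"

# Attributes through which one entry contains another (the agreement points at
# the group with `member` and at users with `memberUser`, as in the IRC log).
CONTAINER_ATTRS = ("member", "memberuser")

# The two rules from the post: attribute name plus inclusive regex.
AGREEMENT_RULE = ("memberof", r"^cn=fasgroupagreement,cn=fasagreements,dc=fas,dc=example$")
CLASS_RULE = ("userclass", r"fasgroup")

Directory = Dict[str, Dict[str, Set[str]]]


def make_directory() -> Directory:
    """User, POSIX group, and an agreement whose `member` is the group.
    That agreement -> group -> user edge is the loop described in the issue."""
    return {
        USER: {"userclass": set()},
        GROUP: {"member": set()},
        AGREEMENT: {"member": {GROUP}, "memberuser": set()},
    }


def memberof(d: Directory, dn: str) -> Set[str]:
    """Simplified memberOf plugin: every container of `dn`, transitively."""
    seen: Set[str] = set()
    stack = [dn]
    while stack:
        cur = stack.pop()
        for cdn, attrs in d.items():
            if cdn in seen:
                continue
            if any(cur in attrs.get(a, set()) for a in CONTAINER_ATTRS):
                seen.add(cdn)
                stack.append(cdn)
    return seen


def rule_matches(d: Directory, attr: str, regex: str, dn: str) -> bool:
    """Inclusive rule fires when any value of `attr` on the entry matches.
    `memberof` is derived; everything else is read from the entry."""
    values = memberof(d, dn) if attr == "memberof" else d[dn].get(attr, set())
    return any(re.search(regex, v) for v in values)


def on_modify(d: Directory, attr: str, regex: str, dn: str) -> None:
    """Modify-time behaviour seen in the post: add on match, never remove."""
    if rule_matches(d, attr, regex, dn):
        d[GROUP]["member"].add(dn)


def rebuild(d: Directory, attr: str, regex: str) -> None:
    """'automember rebuild membership' task as observed: re-evaluate every
    user entry, adding members that match and removing members that do not."""
    for dn in [e for e in d if e.startswith("uid=")]:
        if rule_matches(d, attr, regex, dn):
            d[GROUP]["member"].add(dn)
        else:
            d[GROUP]["member"].discard(dn)


def agreement_scenario() -> Dict[str, bool]:
    """memberof rule: join on consent, then withdraw consent and rebuild."""
    d = make_directory()
    d[AGREEMENT]["memberuser"].add(USER)  # ipa fasagreement-add-user
    on_modify(d, *AGREEMENT_RULE, USER)
    joined = USER in d[GROUP]["member"]
    d[AGREEMENT]["memberuser"].discard(USER)  # user withdrawn from the agreement
    on_modify(d, *AGREEMENT_RULE, USER)
    rebuild(d, *AGREEMENT_RULE)  # model prediction, not run in the post
    return {
        "joined": joined,
        # The user is still an (indirect) member of the agreement via the group,
        # so the regex keeps matching and even a rebuild cannot remove them.
        "indirect_memberof": AGREEMENT in memberof(d, USER),
        "still_matches": rule_matches(d, *AGREEMENT_RULE, USER),
        "still_member_after_rebuild": USER in d[GROUP]["member"],
    }


def userclass_scenario() -> Dict[str, bool]:
    """userclass rule: set the class, clear it, then run the rebuild task."""
    d = make_directory()
    d[USER]["userclass"].add("fasgroup")  # ipa user-mod fasuser1 --class=fasgroup
    on_modify(d, *CLASS_RULE, USER)
    joined = USER in d[GROUP]["member"]
    d[USER]["userclass"].clear()  # ipa user-mod fasuser1 --class=
    on_modify(d, *CLASS_RULE, USER)
    member_after_modify = USER in d[GROUP]["member"]
    rebuild(d, *CLASS_RULE)  # ipa automember-rebuild --type=group
    return {
        "joined": joined,
        "member_after_modify": member_after_modify,
        "member_after_rebuild": USER in d[GROUP]["member"],
    }
```

The userclass scenario reproduces the post exactly: the modify adds the user, clearing the class leaves the membership in place, and only the rebuild task removes it. The agreement scenario shows why the memberof rule is different in kind: once the user is in fasgroup and fasgroup is a member of the agreement, the agreement DN stays in the user's memberOf, so no removal path (modify-time or rebuild) can ever see the rule stop matching. A rule keyed on an attribute that the target group does not itself feed back into (the userclass experiment, or an agreement that does not list the group as a member) avoids that loop.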
As of today, we don't want users to auto-join groups that require an agreement, because most groups will and we don't want users agreeing to the FCPA to join most groups. The groups removal feature may be of interest though :-)
I realize I misunderstood the feature in the previous comment. We do want users who sign agreement A to join a specific group such as signed_A, for example. This way we can forward the information to apps that use ipsilon and SSSD to log users in, and we can limit access to hosts based on agreement signing.
If I understand correctly, this feature is blocked by https://pagure.io/freeipa/issue/8527
IPA has an automember feature that can add users to a group based on rules. It might work for FAS user agreements, too. It may even be possible to automatically remove users from a group when they retract an agreement.