fedora-infra / freeipa-fas

IPA schema extensions for FAS
GNU General Public License v3.0

Investigate automember rules to automatically add users to group when they consent to a FAS user agreement #116

Open tiran opened 4 years ago

tiran commented 4 years ago

IPA has an automember feature that can add users to group based on rules. It might work for FAS user agreements, too. It may even be possible to automatically remove users from a group when they retract an agreement.

tiran commented 4 years ago

This is how automember can automatically add users to a group based on agreement:

```
# ipa automember-show --type group fasgroup
  Automember Rule: fasgroup
  Inclusive Regex: memberof=^cn=fasgroupagreement,cn=fasagreements,dc=fas,dc=example$
# ipa fasagreement-show fasgroupagreement --all
  dn: cn=fasgroupagreement,cn=fasagreements,dc=fas,dc=example
  Agreement name: fasgroupagreement
  Member groups: fasgroup
  memberuser_user: admin
# ipa group-show fasgroup
  Group name: fasgroup
  GID: 1032200005
  Member users: admin
# ipa fasagreement-add-user fasgroupagreement --users=fasuser1
  Agreement name: fasgroupagreement
  Member groups: fasgroup
-------------------------
Number of members added 1
-------------------------
# ipa fasagreement-show fasgroupagreement --all
  dn: cn=fasgroupagreement,cn=fasagreements,dc=fas,dc=example
  Agreement name: fasgroupagreement
  Member groups: fasgroup
  memberuser_user: admin, fasuser1
# ipa group-show fasgroup
  Group name: fasgroup
  GID: 1032200005
  Member users: fasuser1, admin
```

Auto-removal does not yet work for me. I think it's caused by the fact that the user is an indirect member of the agreement.

From IRC:

```
<Crys> mreynolds: so autoremoval does not work for me, BUT it might be my fault.
<Crys> mreynolds: I have three objects: user, group, and fasagreement. The agreement has member -> group and memberUser -> user. I want users to join the group when they consent to a fasagreement and get removed when they withdraw consent.
<Crys> mreynolds: but when a user U is member of group G, then the user is also an indirect member of agreement A.
<Crys>   dn: uid=fasuser1,cn=users,cn=accounts,dc=fas,dc=example
<Crys>   memberof: cn=fasgroup,cn=groups,cn=accounts,dc=fas,dc=example
<Crys>   memberof: cn=fasgroupagreement,cn=fasagreements,dc=fas,dc=example
<Crys> after I remove the user from the agreement:
<Crys>   memberof: cn=fasgroup,cn=groups,cn=accounts,dc=fas,dc=example
<Crys>   memberofindirect: cn=fasgroupagreement,cn=fasagreements,dc=fas,dc=example
<Crys> autoMemberInclusiveRegex: memberof=^cn=fasgroupagreement,cn=fasagreements,dc=fas,dc=example$
```

tiran commented 4 years ago

Automember removal works with other attributes, but I have to create an 'automember rebuild membership' task to make 389-DS remove group membership:

```
# ipa automember-show --type group fasgroup
  Automember Rule: fasgroup
  Inclusive Regex: userclass=fasgroup
# ipa group-show fasgroup
  Group name: fasgroup
  GID: 1032200005
# ipa user-mod fasuser1 --class=fasgroup
# ipa group-show fasgroup
  Group name: fasgroup
  GID: 1032200005
  Member users: fasuser1
# ipa user-mod fasuser1 --class=
# ipa group-show fasgroup
  Group name: fasgroup
  GID: 1032200005
  Member users: fasuser1
# ipa automember-rebuild --type=group
--------------------------------------------------------
Automember rebuild task finished. Processed (4) entries.
--------------------------------------------------------
# ipa group-show fasgroup
  Group name: fasgroup
  GID: 1032200005
```

Versions used:

```
389-ds-base-1.4.2.13-1.fc31.x86_64
freeipa-server-4.8.6-1.fc31.x86_64
```

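The following is an added model of the two automember behaviours discussed in the comments above (the `memberof` rule that fails to auto-remove, and the `userclass` rule that is removed by a rebuild task). It is illustration code written for this page, not code from the freeipa-fas project or from the issue's author, and it does not talk to a directory server. It reuses the DNs and rule strings shown in the thread and models tiran's hypothesis explicitly: the raw LDAP `memberOf` attribute is taken to hold nested membership as well (the `memberof`/`memberofindirect` split seen in `ipa *-show` output is a display-time distinction), so a user who is in `fasgroup` is still a nested member of `fasgroupagreement` after withdrawing consent, and an inclusive regex on `memberof` keeps matching. The `rebuild()` function is a simplified stand-in for what `ipa automember-rebuild` computes; `compute_memberof()` is a hypothetical helper that approximates the memberOf plugin's transitive closure.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample DNs that mirror the names in the issue; nothing here was
# captured from a real server.
USER_DN = "uid=fasuser1,cn=users,cn=accounts,dc=fas,dc=example"
GROUP_DN = "cn=fasgroup,cn=groups,cn=accounts,dc=fas,dc=example"
AGREEMENT_DN = "cn=fasgroupagreement,cn=fasagreements,dc=fas,dc=example"

# The two rule shapes from the thread, in the 'attr=regex' form IPA stores in
# autoMemberInclusiveRegex.
AGREEMENT_RULE = ["memberof=^cn=fasgroupagreement,cn=fasagreements,dc=fas,dc=example$"]
USERCLASS_RULE = ["userclass=fasgroup"]


def compute_memberof(member_lists: Dict[str, Set[str]], entry_dn: str) -> Set[str]:
    """Hypothetical helper: transitive memberOf as assumed to be written into
    the raw entry, i.e. every container whose member chain reaches entry_dn,
    nested levels included."""
    result: Set[str] = set()
    frontier = [entry_dn]
    while frontier:
        dn = frontier.pop()
        for container, members in member_lists.items():
            if dn in members and container not in result:
                result.add(container)
                frontier.append(container)
    return result


def parse_automember_regex(spec: str) -> Tuple[str, re.Pattern]:
    """Split 'attr=regex' at the first '=' only; the regex itself contains '='."""
    attr, sep, pattern = spec.partition("=")
    if not sep or not attr or not pattern:
        raise ValueError(f"bad automember regex spec: {spec!r}")
    return attr.lower(), re.compile(pattern)


def rule_matches(entry: Dict[str, List[str]], inclusive: List[str]) -> bool:
    """An entry qualifies when any inclusive spec matches any value of its
    attribute (exclusive specs, which IPA also supports, are left out here)."""
    for spec in inclusive:
        attr, rx = parse_automember_regex(spec)
        if any(rx.search(v) for v in entry.get(attr, [])):
            return True
    return False


def user_entry(consented: bool, in_group: bool, userclass: str = "") -> Dict[str, List[str]]:
    """Raw LDAP view of fasuser1 for one state. As in the thread, the agreement
    lists the group as a member, so being in the group alone makes the user a
    nested member of the agreement."""
    member_lists: Dict[str, Set[str]] = {AGREEMENT_DN: {GROUP_DN}, GROUP_DN: set()}
    if consented:
        member_lists[AGREEMENT_DN].add(USER_DN)
    if in_group:
        member_lists[GROUP_DN].add(USER_DN)
    entry: Dict[str, List[str]] = {"memberof": sorted(compute_memberof(member_lists, USER_DN))}
    if userclass:
        entry["userclass"] = [userclass]
    return entry


def rebuild(rule: List[str], entries: Dict[str, Dict[str, List[str]]],
            current_members: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Simplified model of 'ipa automember-rebuild': recompute the desired
    member set from the rule and return (to_add, to_remove) for the group."""
    desired = {dn for dn, e in entries.items() if rule_matches(e, rule)}
    return desired - current_members, current_members - desired


def withdrawal_outcome(rule: List[str]) -> str:
    """What a rebuild does to a user who is in the group but has withdrawn
    consent (and, for the userclass rule, had 'user-mod --class=' applied)."""
    entry = user_entry(consented=False, in_group=True)
    _, to_remove = rebuild(rule, {USER_DN: entry}, {USER_DN})
    return "removed" if USER_DN in to_remove else "kept"


if __name__ == "__main__":
    # Fresh consent: the agreement DN is in memberof, so the user qualifies.
    print(rule_matches(user_entry(True, False), AGREEMENT_RULE))
    # Withdrawn consent with the memberof rule: membership sustains itself.
    print(withdrawal_outcome(AGREEMENT_RULE))
    # Withdrawn consent with the userclass rule: the rebuild removes the user.
    print(withdrawal_outcome(USERCLASS_RULE))
```

The point for an access-control review is in the second case: with a `memberof` rule against an agreement that itself lists the target group as a member, a withdrawn consent leaves the user in the group, and a rebuild task does not correct it, because the nested membership keeps the regex true. A rule keyed on an attribute the agreement workflow sets and clears directly on the user (the `userclass` experiment in the comment above) gives the rebuild an unambiguous signal, so revoked consent actually translates into revoked group access once the rebuild runs.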
abompard commented 4 years ago

As of today, we don't want users to auto-join groups that require an agreement, because most groups will, and we don't want users agreeing to the FCPA to join most groups. The group removal feature may be of interest though :-)

abompard commented 3 years ago

I realize I misunderstood the feature in the previous comment. We do want users who sign agreement A to join a specific group such as signed_A, for example. This way we can forward the information to apps that use ipsilon and SSSD to log users in, and we can limit access to hosts based on agreement signing.

If I understand correctly this feature is blocked by https://pagure.io/freeipa/issue/8527