Thank you very much, everything worked as expected!
I just have a couple of follow-up questions:
Am I correct in understanding that this only works if the method is exposed on a D-Bus interface like
org.freeipa.server, or another one explicitly defined in the oddjobd.conf.d configuration?
Also, I'm wondering about debugging: I noticed that using
print() doesn't produce any output, likely because the plugin runs under Apache with no access to stdout. What is the recommended way to debug or inspect variables in this case? Should I use api.log or is there a better approach?
Thanks again for your help!
On Tue, 13 May 2025, Данила Скачедубов via FreeIPA-users wrote:
Good day!
I am writing a plugin for ipaserver and would like to know if I can
implement the creation/editing of files/folders in this plugin? I tried to
find such practices in other plugins but couldn't find any.
Could you please tell me if I can do this at all, and if yes, where can I
see an example of how to properly implement this, for example, using the
os library?
I would also like to ask which user permissions this will run under, and
what is the most effective way to debug code during development?
IPA API endpoint runs under 'ipaapi' user under Apache server.
It has no particular rights, so in order to escalate privileges we use
oddjobd. You can look at `install/oddjob/` in the source code. For
example, `install/oddjob/org.freeipa.server.config-enable-sid.in` script
is configured using `install/oddjob/etc/oddjobd.conf.d/ipa-server.conf.in` oddjobd
configuration file. It is then called from `config_mod._enable_sid()`
via a DBUS call to the oddjob service. There are a few nuances there if you need
to pass some parameters, as oddjobd-executed helpers cannot have variable
arguments, so we have to define a maximum possible set of arguments and pad
them in the DBUS call.
The helper script executed through the oddjobd interface will run as
root and must have proper SELinux policy context configured:
$ git grep oddjob selinux
selinux/ipa.fc:/usr/libexec/ipa/oddjob/com\.redhat\.idm.* -- gen_context(system_u:object_r:ipa_helper_exec_t,s0)
selinux/ipa.fc:/usr/libexec/ipa/oddjob/org\.freeipa.* -- gen_context(system_u:object_r:ipa_helper_exec_t,s0)
selinux/ipa.te: oddjob_system_entry(ipa_helper_t, ipa_helper_exec_t)
selinux/ipa.te: type oddjob_t;
selinux/ipa.te: ipa_helper_noatsecure(oddjob_t)
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
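The mechanism Alexander describes above (an unprivileged caller in the Apache worker asking oddjobd over D-Bus to run a root helper, with a fixed argument count that has to be padded) is shown below as an added example. It is not FreeIPA code and not anything from the thread: the service and interface name `org.example.plugin`, the method `ensure_dir`, the arity of 4, the allowed root `/var/lib/example-plugin` and the oddjobd XML in the docstring are all hypothetical, modelled on the `install/oddjob/` layout but not copied from it. The same file plays both roles: `call_ensure_dir()` is the caller side (it needs dbus-python and a running oddjobd, so it is not exercised offline), and `validate_request()`/`helper_main()` are the helper side. Because the helper runs as root, the D-Bus method is the privilege boundary, so the helper re-validates every argument rather than trusting the caller, which is the part worth copying. Logging goes through the standard `logging` module rather than `print()`, since under mod_wsgi there is no usable stdout.

```python
"""Fixed-arity oddjob helper, caller side and helper side (added example,
not FreeIPA code). All names below are hypothetical. Assumed oddjobd
config, following the oddjobd XML format, for /etc/oddjobd.conf.d/:

  <oddjobconfig>
    <service name="org.example.plugin">
      <object name="/">
        <interface name="org.example.plugin">
          <method name="ensure_dir">
            <helper exec="/usr/libexec/ipa/oddjob/org.example.plugin.ensure-dir"
                    arguments="4"/>
            <allow user="ipaapi"/>
          </method>
        </interface>
      </object>
    </service>
  </oddjobconfig>
"""
import logging
import os
import re
import sys

logger = logging.getLogger(__name__)

MAX_ARGS = 4         # must equal arguments="4" in the assumed oddjobd config
PAD = ""             # padding value; the helper treats trailing "" as "absent"
ALLOWED_ROOT = "/var/lib/example-plugin"   # hypothetical directory root
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")
ALLOWED_MODES = {"0700", "0750"}


def pad_args(args, max_args=MAX_ARGS):
    """Caller side: oddjobd helpers take a fixed number of string arguments,
    so the real ones are padded up to that count."""
    args = [str(a) for a in args]
    if len(args) > max_args:
        raise ValueError("helper accepts at most %d arguments" % max_args)
    if PAD in args:
        raise ValueError("empty string is reserved as padding")
    return args + [PAD] * (max_args - len(args))


def unpad_args(argv):
    """Helper side: strip the trailing padding again, keeping order."""
    real = list(argv)
    while real and real[-1] == PAD:
        real.pop()
    return real


def call_ensure_dir(name, mode):
    """Caller side (runs as ipaapi): ask oddjobd over the system bus to run
    the root helper. Needs dbus-python and a live oddjobd."""
    import dbus
    bus = dbus.SystemBus()
    obj = bus.get_object("org.example.plugin", "/",
                         follow_name_owner_changes=True)
    iface = dbus.Interface(obj, "org.example.plugin")
    # oddjobd hands back the helper's exit status, stdout and stderr.
    ret, out, err = iface.ensure_dir(*pad_args([name, mode]))
    # logger output reaches Apache's error log; print() would go nowhere.
    logger.debug("ensure_dir(%s, %s) -> %d stderr=%r", name, mode, ret, err)
    return int(ret), str(out), str(err)


def validate_request(argv, root=ALLOWED_ROOT):
    """Helper side (runs as root): re-validate every argument, because the
    D-Bus method is the privilege boundary. Returns (exit_status, message);
    status 0 means `message` is the directory that may be created."""
    real = unpad_args(argv)
    if len(real) != 2:
        return 2, "expected exactly 2 arguments, got %d" % len(real)
    name, mode = real
    if not SAFE_NAME.match(name):
        return 3, "invalid directory name"
    if mode not in ALLOWED_MODES:
        return 4, "mode must be one of %s" % sorted(ALLOWED_MODES)
    target = os.path.normpath(os.path.join(root, name))
    # defence in depth: never create anything outside the allowed root
    if os.path.commonpath([root, target]) != root or target == root:
        return 5, "path escapes allowed root"
    return 0, target


def helper_main(argv):
    """Entry point of the helper binary; the only code that touches the FS."""
    status, msg = validate_request(argv[1:])
    if status != 0:
        sys.stderr.write(msg + "\n")
        return status
    mode = int(unpad_args(argv[1:])[1], 8)
    os.makedirs(msg, mode=mode, exist_ok=True)
    os.chmod(msg, mode)   # makedirs applies umask; enforce the mode explicitly
    return 0


if __name__ == "__main__":
    sys.exit(helper_main(sys.argv))
```

Installed under /usr/libexec/ipa/oddjob/ the helper would also need the `ipa_helper_exec_t` file context shown in the `git grep` output above, or SELinux will refuse to run it as oddjobd's child; that labelling is outside this example.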
