I thought I should let everyone know what ended up happening with this. It turns out
that the script is now run as the ipaapi user instead of as root (like it either used to
or I thought it used to). We changed permissions on some files that the script needed
and now it works again.

On Fri, Jan 12, 2018 at 08:51:38PM +0200, Alexander Bokovoy wrote:
> On pe, 12 tammi 2018, Bryce Larson via FreeIPA-users wrote:
> > We have functions that are supposed to be called in a plugin from a
> > post_callback
> >
> > It's registered with:
> >
> > user.user_add.register_post_callback(useradd_postcallback)
> >
> > The plugin is at
> > /usr/lib/python2.7/site-packages/ipaserver/plugins/csAccount.py
> >
> > It doesn't seem to be called at all, it used to. I'm not sure if it
> > was upgrading from 4.3 to 4.4, or from 4.4 to 4.5 that it stopped
> > working, but I think it was the upgrade from 4.4 to 4.5. I'm pretty
> > sure the pre_callback is still working.
> >
> > Does anyone know why a post_callback would just stop working after upgrading?
> It should be working. Current code to call post callbacks didn't change
> for quite a few years.
>
> ipaserver/plugins/baseldap.py:
>
> class LDAPCreate:
>     ....
>     def execute(...)
>         ....
>         for callback in self.get_callbacks('post'):
>             entry_attrs.dn = callback(
>                 self, ldap, entry_attrs.dn, entry_attrs, *keys, **options)
>
>
> Looking at get_callbacks(), it is implemented this way, the code was
> moved around in 2016 but it is basically the same as it was before:
>
>     @classmethod
>     def get_callbacks(cls, callback_type):
>         """Yield callbacks of the given type"""
>         # Use one shared callback registry, keyed on class, to avoid problems
>         # with missing attributes being looked up in superclasses
>         callbacks = _callback_registry.get(callback_type, {}).get(cls, [None])
>         for callback in callbacks:
>             if callback is None:
>                 try:
>                     yield getattr(cls, '%s_callback' % callback_type)
>                 except AttributeError:
>                     pass
>             else:
>                 yield callback
>
> where callback type is either 'pre', 'post', or 'exc', so if
> pre-callbacks are working, then post-callbacks should work as well
> because they are called in the same way.
>
> You can enable server-side debugging (add 'debug=True') to
> /etc/ipa/default.conf or to /etc/ipa/server.conf (the latter would
> affect only server, the former would affect CLI too).
>
> I just tested this with RHEL 7.4 with the plugin below:
>
> ----------------------------------------------------------------------
> from ipaserver.plugins import user
> import logging
>
> def my_post_callback(self, ldap, dn, entry_attrs, *keys, **options):
>     logging.error("my_post_callback called with dn={}".format(dn))
>     return dn
>
> user.user_add.register_post_callback(my_post_callback)
> -----------------------------------------------------------------------
>
> [root@rh72s ~]# ipa user-add my_foo_bar3
> First name: Test
> Last name: Bar3
> ------------------------
> Added user "my_foo_bar3"
> ------------------------
> User login: my_foo_bar3
> First name: Test
> Last name: Bar3
> Full name: Test Bar3
> Display name: Test Bar3
> Initials: TB
> Home directory: /home/my_foo_bar3
> GECOS: Test Bar3
> Login shell: /bin/sh
> Principal name: my_foo_bar3@T.IPA.COOL
> Principal alias: my_foo_bar3@T.IPA.COOL
> Email address: my_foo_bar3@t.ipa.cool
> UID: 129000016
> GID: 129000016
> Password: False
> Member of groups: ipausers
> Kerberos keys available: False
>
> Here is what I've got in the httpd's error_log:
>
> ERROR:root:my_post_callback called with dn=uid=my_foo_bar3,cn=users,cn=accounts,dc=t,dc=ipa,dc=cool
> [Fri Jan 12 20:49:16.013460 2018] [:error] [pid 7404] ipa: INFO: [jsonserver_session] admin@T.IPA.COOL: user_add/1(u'my_foo_bar3', givenname=u'Test', sn=u'Bar3', version=u'2.228'): SUCCESS
>
> --
> / Alexander Bokovoy
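
The cause reported at the top of this thread (the callback now runs as ipaapi rather than root and could not access files it needed) is easier to spot when a callback logs which account it runs as and any exception it raises. The following is an added example, not code from the thread or from FreeIPA; `audited`, `effective_user`, `sync_account`, the logger name and the file path are assumptions, and only the callback signature and the `register_post_callback` call are taken from the messages above.

```python
import functools
import logging
import os
import pwd

logger = logging.getLogger("callback_audit")  # hypothetical logger name
NEEDED_FILE = "/etc/example-plugin/secret.conf"  # hypothetical path


def effective_user():
    """Name of the account the process runs as (numeric uid if unnamed)."""
    uid = os.geteuid()
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def audited(callback):
    """Wrap a pre/post callback so every call and every failure is logged."""
    @functools.wraps(callback)
    def wrapper(self, ldap, dn, entry_attrs, *keys, **options):
        who = effective_user()
        logger.info("%s entered as user %s for dn=%s",
                    callback.__name__, who, dn)
        try:
            return callback(self, ldap, dn, entry_attrs, *keys, **options)
        except Exception:
            # Record the traceback and the account, then re-raise so the
            # command behaves exactly as it would without the wrapper.
            logger.exception("%s failed as user %s for dn=%s",
                             callback.__name__, who, dn)
            raise
    return wrapper


# Constructed sample callback: it reads a file that the service account
# may not be allowed to open once the server stops running as root.
def sync_account(self, ldap, dn, entry_attrs, *keys, **options):
    with open(NEEDED_FILE) as handle:
        handle.read()
    return dn

# In a plugin, register the wrapped function instead of the bare one:
#   user.user_add.register_post_callback(audited(sync_account))
```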