Skip to content

FreeIPA Account Syncing

The FreeIPA plugin for ColdFront allows for the syncing of unix group membership between ColdFront allocations and FreeIPA.

coldfront freeipa_check --help
usage: coldfront freeipa_check [-h] [-s] [-u USERNAME] [-g GROUP] [-n] [-x]
                               [--version] [-v {0,1,2,3}]
                               [--settings SETTINGS] [--pythonpath PYTHONPATH]
                               [--traceback] [--no-color] [--force-color]

Sync groups in FreeIPA

optional arguments:
  -h, --help            show this help message and exit
  -s, --sync            Sync changes to/from FreeIPA
  -u USERNAME, --username USERNAME
                        Check specific username
  -g GROUP, --group GROUP
                        Check specific group
  -n, --noop            Print commands only. Do not run any commands.
  -x, --header          Include header in output
  --version             show program's version number and exit
  -v {0,1,2,3}, --verbosity {0,1,2,3}
                        Verbosity level; 0=minimal output, 1=normal output,
                        2=verbose output, 3=very verbose output
  --settings SETTINGS   The Python path to a settings module, e.g.
                        "myproject.settings.main". If this isn't provided, the
                        DJANGO_SETTINGS_MODULE environment variable will be
                        used.
  --pythonpath PYTHONPATH
                        A directory to add to the Python path, e.g.
                        "/home/djangoprojects/myproject".
  --traceback           Raise on CommandError exceptions
  --no-color            Don't colorize the command output.
  --force-color         Force colorization of the command output.

Running the freeipa_check tool will compare all user accounts with all active allocations that have at least one freeipa_group attribute. This tool can be run on a single user or group or against the whole ColdFront user database. The tool will display what changes need to be made, either adding or removing the user(s) from the group(s), as shown here. 

coldfront freeipa_check -n -x -u ccrgst72
ipa: WARNING: NOOP enabled
username        add_missing_freeipa_group_membership    remove_existing_freeipa_group_membership        freeipa_status  coldfront_status
ipa: WARNING: User ccrgst72 should be added to freeipa group: testgroup
ccrgst72        testgroup               Enabled Active

To make the changes, remove the noop mode (-n) and add the sync mode (-s). This can be setup in a cron to run periodically and make the updates automatically. This will ensure access to resources based on unix group are removed when allocations expire or are revoked.