Hi,
I have been thinking about this for a while now, and a question on our IRC channel earlier today got me thinking about it again.
Our current implementation for attribute mapping in provider plugins works for basic cases, but has a set of limitations.
For example, it is not possible to map when the attribute is more than 2 levels deep, and the only mapping we support is a literal mapping of one attribute to another.
In the past, we discussed adding a more extensive mapping and filtering system, but that was deemed as being too complicated to set up for admins.
I was thinking that we might be able to make the attribute mapping quite a bit more powerful by adding some indicators after which we would parse the values differently.
Two that I would like to propose are " and !, for respectively literal text and executed Python code.
So, for example, to always provide the text "mycompany" via the attribute companyname, one would configure the "companyname" attribute to be mapped to: "mycompany".
If they would want an even more powerful system, they could do something like !return username.lower() to get it processed by Python.
If none of those characters are detected in the first place, it would do a standard recursive lookup, like we do now. To make it possible to map more than two levels, we could allow strings like _extras/ldap/uid.
With this setup, admins who need it simple can continue to use their current configuration, but admins that need more power would be able to get it.
This is just a thought, but does anyone have feedback on it?
Regards,
Patrick Uiterwijk
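
The three mapping forms proposed in the message above, as an added example that is not part of the original message and not the project's code. All function names, the `allow_code` switch, the handling of a closing quote and the sample attributes are assumptions made for this sketch.

```python
# Added illustration only; every name here is hypothetical.
import textwrap

def lookup_path(attrs, path):
    """Recursive lookup: walk a '/'-separated path through nested dicts."""
    node = attrs
    for key in path.split("/"):
        if not isinstance(node, dict) or key not in node:
            return None  # missing level: no value to map
        node = node[key]
    return node

def run_snippet(attrs, body):
    """Run the text after '!' as a function body, attributes visible as names.

    exec() runs with the full privileges of the provider process, so whoever
    can edit the mapping can run arbitrary code there.
    """
    # Shallow copy: exec adds __builtins__ and _mapped here, not to attrs.
    scope = dict(attrs)
    exec("def _mapped():\n" + textwrap.indent(body, "    "), scope)
    return scope["_mapped"]()

def resolve_mapping(attrs, spec, allow_code=False):
    """Dispatch on the first character, as the proposal describes."""
    if spec.startswith('"'):
        # Literal text; dropping a closing quote is an assumption of this sketch.
        text = spec[1:]
        return text[:-1] if text.endswith('"') else text
    if spec.startswith("!"):
        if not allow_code:  # assumed opt-in switch, not part of the proposal
            raise PermissionError("code mappings are disabled")
        return run_snippet(attrs, spec[1:])
    return lookup_path(attrs, spec)

# Constructed sample attributes.
SAMPLE = {"username": "JDoe", "_extras": {"ldap": {"uid": "jdoe01"}}}

if __name__ == "__main__":
    for spec in ('"mycompany"', "username", "_extras/ldap/uid",
                 "!return username.lower()"):
        print(spec, "->", resolve_mapping(SAMPLE, spec, allow_code=True))
```

Because the `!` form is plain `exec`, write access to the mapping configuration is equivalent to code execution in the provider process and should be restricted and audited accordingly.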