#753 Create a way to automatically put users and hosts into groups
Closed: Fixed. Opened 13 years ago by dpal.

Use case:

When users or hosts are added to IPA, the administrator then needs to put them into particular groups. There are several options for how this can be done. It can be left for every deployment to implement their own logic using the CLI, but this is not viewed as the best approach by IPA users.

Description:

This bug calls for the creation of a way, via some kind of IPA plugin, to automatically place users into user groups and hosts into host groups (and maybe handle other relations like this later). It seems logical to make it generic for all sorts of entries. Then it is probably going to be a DS plugin rather than a management framework plugin.

Proposed draft design

Create a more generic auto membership plugin. This DS plugin will inspect the entry being created and would automatically place it into some other objects as a member. The configuration of this plugin will be located in a separate place in the tree and not extend any existing objects.

The configuration entries will look something like this:

- appliesto: <objectclass the rule applies to>
- enabled: <whether the rule is enabled or disabled>
- description: <explanation of the meaning of the rule>
- ruletype: <filter or regex. Gives the ability to use an LDAP filter or a regex expression to check if the entry matches the rule>
- filter: <LDAP filter to check if the incoming record satisfies>  <- it is a bit redundant since objectclass can be a part of the filter, but this way it would be easier to manage rules per class of object in the UI/CLI
- regex: <expression that acts as filter, for example "fqdn=^www[1-9]+\.example\.com". We can support more complex expressions with OR & AND if we find it useful>
- targetobj: <objectclass of the object the entry should become a member of>
- memberAttr: <what is the attribute name for the member attribute of the target object>
- targetnames: <names of the target objects that the entry should become a member of>

Example:

appliesto: ipaHost
enabled: true
description: Place hosts into the proper host groups
ruletype: regex
regex: "fqdn=^www[1-9]+\.example\.com"
targetobj: ipaHostGroup
memberAttr: member
targetnames: webservers
targetnames: lab_machines

This rule will cause any newly created host entry to be automatically placed as a member of the host groups "webservers" and "lab_machines". However, using the same mechanism, you can create rules that would automatically place other entries as members of other objects; for example, users can be placed into groups based on their badge id or on the location they are in, etc.

I think that kind of plugin will be more attractive and might even be useful for a general-purpose DS, not only IPA.
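As an added worked example, not code from the ticket, from FreeIPA, or from the 389-ds plugin that was eventually built, the following Python evaluator implements the draft rule semantics exactly as written above: the `appliesto` objectclass check, the `enabled` flag, the `regex` ruletype in the draft's `attr=regex` form, and the `filter` ruletype for a small LDAP filter subset (`&`, `|`, `!`, and `attr=value` with `*` wildcards). The rule dictionaries are constructed from the ticket's example; the attribute names are the draft's, not the shipped plugin's configuration schema, and the `HOSTGROUP_CONTAINER` DN is an assumption, since the draft names target objects but does not say where they live.

```python
import re
from fnmatch import fnmatchcase

# Constructed rule, copied from the ticket's example. The keys are the draft's
# proposed attribute names, not the shipped 389-ds plugin's configuration schema.
WEBSERVER_RULE = {
    "appliesto": "ipaHost",
    "enabled": True,
    "description": "Place hosts into the proper host groups",
    "ruletype": "regex",
    "regex": r"fqdn=^www[1-9]+\.example\.com",
    "targetobj": "ipaHostGroup",
    "memberAttr": "member",
    "targetnames": ["webservers", "lab_machines"],
}

# Constructed rule exercising the other ruletype: an objectclass test combined
# with an OR of a location attribute and a substring match on the fqdn.
LAB_RULE = {
    "appliesto": "ipaHost",
    "enabled": True,
    "description": "Hosts in the lab, by location or by name",
    "ruletype": "filter",
    "filter": "(&(objectclass=ipaHost)(|(l=lab)(fqdn=*.lab.example.com)))",
    "targetobj": "ipaHostGroup",
    "memberAttr": "member",
    "targetnames": ["lab_machines"],
}

# Assumed container for the target objects (placeholder; the draft does not specify it).
HOSTGROUP_CONTAINER = "cn=hostgroups,cn=accounts,dc=example,dc=com"


def regex_matches(expression, entry):
    """Evaluate the draft's 'attr=regex' form against every value of attr."""
    attr, _, pattern = expression.partition("=")
    return any(re.search(pattern, v) for v in entry["attrs"].get(attr.lower(), []))


def _parse(s, i):
    """Recursive-descent parser for a small LDAP filter subset: (&..) (|..) (!..) and
    attr=value. Escaped parentheses inside values (RFC 4515 \\29) are not handled."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i} in {s!r}")
    i += 1
    if s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i} in {s!r}")
        return (op, kids), i + 1
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")
    return ("=", attr.strip().lower(), value), j + 1


def _eval(node, entry):
    op = node[0]
    if op == "&":
        return all(_eval(k, entry) for k in node[1])
    if op == "|":
        return any(_eval(k, entry) for k in node[1])
    if op == "!":
        return not _eval(node[1][0], entry)
    _, attr, value = node
    # LDAP '*' substring wildcards map onto fnmatch's '*'; comparison is case-insensitive.
    # (fnmatch also treats '[' specially, which plain LDAP filters do not.)
    return any(fnmatchcase(v.lower(), value.lower()) for v in entry["attrs"].get(attr, []))


def filter_matches(filt, entry):
    node, end = _parse(filt.strip(), 0)
    if end != len(filt.strip()):
        raise ValueError("trailing characters after filter")
    return _eval(node, entry)


def compute_memberships(rule, entry, container=HOSTGROUP_CONTAINER):
    """Return the (target_dn, member_attr, entry_dn) additions the rule implies for one
    new entry, i.e. what the draft plugin would write on the target objects after the add."""
    if not rule["enabled"]:
        return []
    classes = {oc.lower() for oc in entry["attrs"].get("objectclass", [])}
    if rule["appliesto"].lower() not in classes:
        return []
    if rule["ruletype"] == "regex":
        hit = regex_matches(rule["regex"], entry)
    elif rule["ruletype"] == "filter":
        hit = filter_matches(rule["filter"], entry)
    else:
        raise ValueError(f"unknown ruletype {rule['ruletype']!r}")
    if not hit:
        return []
    return [(f"cn={name},{container}", rule["memberAttr"], entry["dn"]) for name in rule["targetnames"]]


def make_host(fqdn, location=None):
    """Constructed host entry in the shape the evaluator expects (lowercase attribute names)."""
    attrs = {"objectclass": ["ipaHost", "ipaObject", "top"], "fqdn": [fqdn]}
    if location:
        attrs["l"] = [location]
    return {"dn": f"fqdn={fqdn},cn=computers,cn=accounts,dc=example,dc=com", "attrs": attrs}


if __name__ == "__main__":
    for host in (make_host("www3.example.com"), make_host("www.example.com"), make_host("db1.lab.example.com")):
        for rule in (WEBSERVER_RULE, LAB_RULE):
            for target, attr, member in compute_memberships(rule, host):
                print(f"{rule['description']}: add {attr}={member} to {target}")
```

One thing the evaluator makes visible: the ticket's example regex is anchored only at the start, so `www3.example.community` would also match it; a rule that decides group membership, and therefore access, should anchor both ends (`$`) or use an exact-match filter. The `appliesto` check is evaluated before the regex or filter, which is what keeps a rule written for `ipaHost` from ever touching a user entry that happens to carry a matching attribute value.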


The 389 design document for this new plug-in is located here:

http://directory.fedoraproject.org/wiki/Auto_Membership_Design

This is still being filled in with internal implementation details, but the basics around the use cases, function, and configuration are there now. Comments would be appreciated.

Ticket #1272 has been created to address the FreeIPA management of the Auto Membership Definition Rule objects.

If the DS part is done close.

Built and released in 389-ds 1.2.9 a2

Metadata Update from @dpal:
- Issue assigned to nkinder
- Issue set to the milestone: FreeIPA 2.1 - 2011/07

7 years ago
