Thanks! With a little tweaking for ACS 5 (username in addition to screen_name) and postgresql (acs__magic_object_id) this worked.
Here's what I think is confusing. The object hierarchy and, indeed, the code of acs_user__new would seem to imply that you can create a user out of an existing person (since acs_user__new checks for this). If you only do this much, the user is created (i.e. the row in the users table) but the user still doesn't show up, for instance, on /acs-admin/users/complex-search?target=one&only_authorized_p=0, because these steps still need to be performed:
relation_add -member_state $member_state "membership_rel" $magic_object_id $user_id
permission::grant -party_id $user_id -object_id $user_id -privilege "read"
permission::grant -party_id $user_id -object_id $user_id -privilege "write"
acs_user_extension::user_new -user_id $user_id
Since you probably never add a user without adding it to "Registered Users" and granting auto-read and -write privilege, shouldn't these steps be moved into acs_user__new?
