[Freeipa-devel] [PATCH] Add make_xxx_dn routines for policy

Rob Crittenden rcritten at redhat.com
Wed Feb 11 18:55:58 UTC 2009


Jason Gerard DeRose wrote:
> On Tue, 2009-02-10 at 14:07 -0500, Rob Crittenden wrote:
>> Jakub Hrozek wrote:
>>>  
>> I'm going to ack this but I suspect we'll rework it later. This isn't a 
>> criticism of the implementation but 3rd party plugin authors aren't 
>> going to have a way to integrate the make_xxx_dn into the ldap backend.
>>
>> There must be a more generic way to do this than to write a slew of 
>> 2-line functions like we have now. But since you were just following the 
>> convention that Jason and I started, let's get this in.
> 
> I think I was the one who started this bad convention, but I was just
> starting to understand what we needed to do LDAP-wise.

No worries, I'm not passing any blame. When I added a 10th one I realized 
a pattern had formed and that is always a time for optimization :-)

> How about something like this:
> 
>     def get_container(self, name):
>         if name in self.etc:  # Need to implement this etc property
>             return self.etc[name]
>         return self.env['container_%s' % name]
> 
>     def make_dn(self, cn, container):
>         return 'cn=%s,%s,%s' % (
>             self.dn.escape_dn_chars(cn),
>             self.get_container(container),
>             self.api.env.basedn,
>         )
> 
> I'm still planning on implementing an ldap.etc property that will
> retrieve the cn=etc entry from ldap the first time it is accessed during
> a given request, so that the entry is only pulled at most once per
> request.

We aren't actually storing this stuff in LDAP yet nor am I sure how/if 
we will. It does add a bit of flexibility but are these things ever 
going to change (and on-the-fly)?

I'm not 100% sure all DNs are going to be this formulaic though we can 
probably handle those as 1-offs and do the majority this way. Perhaps a 
bit more generically like:

    def make_dn(self, attr, value, container):
        return '%s=%s,%s,%s' % (
            attr,
            self.dn.escape_dn_chars(value),
            self.get_container(container),
            self.api.env.basedn,
        )

> Anyway, if the container is found in the etc entry, that value is used.
> Otherwise the static config/env value is used.
> 
> Does this sound reasonable?  How are the container attributes named in
> the etc entry?

That's the tricky bit I guess. We would probably end up moving the 
hardcoding from one place to another (in the form of LDAP attributes).

rob
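Putting the two sketches above together, as an added example that is not part of this thread or of FreeIPA's code: a generic make_dn(attr, value, container) with the etc-over-env container lookup Jason proposed. The escape function is a stand-in for python-ldap's ldap.dn.escape_dn_chars so the example runs offline, and the container name, basedn and rule names are constructed samples.

```python
# Stand-in for ldap.dn.escape_dn_chars() from python-ldap so the example runs
# without that dependency; escapes per RFC 4514 section 2.4 (plus '=', as
# python-ldap does).
_SPECIAL = set('\\,+"<>;=')

def escape_dn_chars(value):
    """Escape an attribute value so it parses as exactly one RDN value."""
    out = []
    for ch in value:
        if ch == '\x00':
            out.append('\\00')
        elif ch in _SPECIAL:
            out.append('\\' + ch)
        else:
            out.append(ch)
    escaped = ''.join(out)
    if escaped.startswith(('#', ' ')):   # leading '#' or space must be escaped
        escaped = '\\' + escaped
    if escaped.endswith(' ') and not escaped.endswith('\\ '):  # trailing space
        escaped = escaped[:-1] + '\\ '
    return escaped

class DnBuilder:
    """Generic make_dn() with a container lookup that prefers cn=etc values."""
    def __init__(self, basedn, env, etc=None):
        self.basedn = basedn    # stands in for self.api.env.basedn
        self.env = env          # static config: {'container_<name>': 'cn=...'}
        self.etc = etc or {}    # hypothetical cn=etc overrides, keyed by name

    def get_container(self, name):
        if name in self.etc:
            return self.etc[name]
        return self.env['container_%s' % name]

    def make_dn(self, attr, value, container):
        return '%s=%s,%s,%s' % (
            attr, escape_dn_chars(value),
            self.get_container(container), self.basedn)

def demo():
    """Constructed sample: a value containing DN syntax stays one RDN value."""
    b = DnBuilder('dc=example,dc=com',
                  {'container_sudorule': 'cn=sudorules,cn=sudo'})
    return (b.make_dn('cn', 'rule1', 'sudorule'),
            b.make_dn('cn', 'rule1,cn=sudorules', 'sudorule'))

if __name__ == '__main__':
    for dn in demo():
        print(dn)
```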
