[Freeipa-devel] [PATCH] Add make_xxx_dn routines for policy
Rob Crittenden
rcritten at redhat.com
Wed Feb 11 18:55:58 UTC 2009
Jason Gerard DeRose wrote:
> On Tue, 2009-02-10 at 14:07 -0500, Rob Crittenden wrote:
>> Jakub Hrozek wrote:
>>>
>> I'm going to ack this but I suspect we'll rework it later. This isn't a
>> criticism of the implementation but 3rd party plugin authors aren't
>> going to have a way to integrate the make_xxx_dn into the ldap backend.
>>
>> There must be a more generic way to do this than to write a slew of
>> 2-line functions like we have now. But since you were just following the
>> convention that Jason and I started let's get this in.
>
> I think I was the one who started this bad convention, but I was just
> starting to understand what we needed to do LDAP-wise.
No worries, I'm not passing any blame. When I added a 10th one I realized
a pattern had formed and that is always a time for optimization :-)
> How about something like this:
>
>     def get_container(self, name):
>         if name in self.etc:  # Need to implement this etc property
>             return self.etc[name]
>         return self.env['container_%s' % name]
>
>     def make_dn(self, cn, container):
>         return 'cn=%s,%s,%s' % (
>             self.dn.escape_dn_chars(cn),
>             self.get_container(container),
>             self.api.env.basedn,
>         )
>
> I'm still planning on implementing a ldap.etc property that will
> retrieve the cn=etc entry from ldap the first time it is accessed during
> a given request, so that the entry is only pulled at most once per
> request.
We aren't actually storing this stuff in LDAP yet nor am I sure how/if
we will. It does add a bit of flexibility but are these things ever
going to change (and on-the-fly)?
I'm not 100% sure all DNs are going to be this formulaic though we can
probably handle those as 1-offs and do the majority this way. Perhaps a
bit more generically like:
    def make_dn(self, attr, value, container):
        return '%s=%s,%s,%s' % (
            attr,
            self.dn.escape_dn_chars(value),
            self.get_container(container),
            self.api.env.basedn,
        )
> Anyway, if the container is found in the etc entry, that value is used.
> Otherwise the static config/env value is used.
>
> Does this sound reasonable? How are the container attributes named in
> the etc entry?
That's the tricky bit I guess. We would probably end up moving the
hardcoding from one place to another (in the form of LDAP attributes).
rob
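
Added example, not code from this thread or from FreeIPA: the generic make_dn discussed above with the etc-then-env container fallback, showing that the value is escaped while the attribute name is interpolated as-is and is therefore validated separately. DNBuilder, escape_dn_value and the sample containers are assumptions made for illustration; escape_dn_value stands in for the escape_dn_chars call in the posted code.

```python
import re

# Characters RFC 4514 requires escaping anywhere in an attribute value.
_SPECIAL = set(',+"\\<>;=')
# Attribute descriptor: a leading letter, then letters, digits or hyphens.
_ATTR_RE = re.compile(r'[A-Za-z][A-Za-z0-9-]*')


def escape_dn_value(value):
    """Escape one RDN value per RFC 4514 (stand-in for escape_dn_chars)."""
    out = []
    for i, ch in enumerate(value):
        edge = (i == 0 and ch in ' #') or (i == len(value) - 1 and ch == ' ')
        if ch == '\x00':
            out.append('\\00')
        else:
            out.append('\\' + ch if ch in _SPECIAL or edge else ch)
    return ''.join(out)


class DNBuilder:
    """Hypothetical holder for the two helpers discussed in the thread."""

    def __init__(self, env, etc=None):
        self.env = env          # static config: container_<name>, basedn
        self.etc = etc or {}    # per-request overrides from the cn=etc entry

    def get_container(self, name):
        # The etc entry wins; otherwise fall back to the static env value.
        if name in self.etc:
            return self.etc[name]
        return self.env['container_%s' % name]

    def make_dn(self, attr, value, container):
        # attr is not escaped, so only a plain attribute descriptor is allowed.
        if not _ATTR_RE.fullmatch(attr):
            raise ValueError('invalid attribute name: %r' % attr)
        return '%s=%s,%s,%s' % (
            attr,
            escape_dn_value(value),
            self.get_container(container),
            self.env['basedn'],
        )


# Constructed sample configuration (not FreeIPA's real values).
ENV = {'basedn': 'dc=example,dc=com', 'container_user': 'cn=users'}
SAMPLE = DNBuilder(ENV, etc={'group': 'cn=groups,cn=accounts'})
```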