[Freeipa-devel] [PATCH] Add group plugin port to new LDAP backend.
Rob Crittenden
rcritten at redhat.com
Wed May 13 20:04:49 UTC 2009
Pavel Zuna wrote:
> Rob Crittenden wrote:
>> Pavel Zuna wrote:
>>> Rob Crittenden wrote:
>>>> Pavel Zuna wrote:
>>>>> Rob Crittenden wrote:
>>>>>> Pavel Zuna wrote:
>>>>>>> By the way, there's a little bug I discovered while testing this
>>>>>>> plugin. It affects the old group plugin as well. When trying to
>>>>>>> modify a group into a posixGroup, gidNumber doesn't get generated
>>>>>>> automatically, resulting in an object violation LDAP error.
>>>>>>> Solution is to generate it ourselves, but I didn't know how it
>>>>>>> works, so I commented that part out for now. (/FIXME in vim)
>>>>>>>
>>>>>>
>>>>>> This should be fixed in FDS 1.2. Can you update and give it a try?
>>>>>>
>>>>>> rob
>>>>> Sure, just updated and you're right, it works. :)
>>>>> Updated patch attached.
>>>>>
>>>>> Pavel
>>>>
>>>> nack. This won't handle someone using group-mod to set a specific
>>>> gidnumber. The posixGroup objectclass won't be added.
>>>>
>>>> rob
>>> Fixed patch attached.
>>>
>>> Pavel
>>
>> The basegroup2 part looks ok but nack on group2.
>>
>> I think we should stick with using lower-case attribute names as a
>> rule of thumb rather than camel case. In any case, you test whether the
>> string posixGroup is in the list of objectclasses; this test needs to
>> be case insensitive.
> When no attributes to retrieve are specified, python-ldap retrieves them
> all in the original form - camel case. If we specify them, then it
> returns them in the same form as we requested them. The new LDAP backend
> doesn't use CIDicts anymore, but only the normal python dict type, so
> everything is case sensitive. Of course I can make it return attribute
> names always as lowercase if that's what we want.
I think we need consistent naming otherwise all sorts of odd bugs can
creep in.
>> I also wonder if we should be using ldap.get_entry(). Why use this
>> over group-show?
> It's faster, because we call get_entry directly and because we can
> request objectClass attribute only. Why invoke an IPA command instead of
> making a direct call?
Well, I felt the same way but Jason convinced me that by limiting the
places we do actual LDAP calls will be beneficial in the long-run. The
command is run internally, not over XML-RPC, so there isn't a whole lot
of additional overhead.
Part of the idea, which we haven't really utilized much yet, is to try
to make the backend easily replaceable.
>
>> I'm not sure if the logic around setting gidnumber is right. If you
>> set the gidnumber but aren't using the --posix flag it looks like it
>> will always append posixgroup to the list of objectclasses. I'm pretty
>> sure the LDAP server is going to reject the update. I suppose making a
>> list(set(objectclasses)) would work for de-duping.
> You're right, it's broken. I'll fix it.
>
> Pavel
ok
rob
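A worked illustration of the two review points above (a case-insensitive objectclass test, and not appending a second posixGroup when gidnumber is set). This is added example code, not the patch under review or FreeIPA's own plugin code; the function names and the sample entry are assumptions.

```python
# Added example, not FreeIPA code: all names here are hypothetical.

def lowercase_keys(entry):
    """Copy an LDAP entry dict with attribute names lower-cased.

    python-ldap returns names in whatever form the server or the request
    used ('objectClass' vs 'objectclass'); a plain dict is case sensitive,
    so normalise once at the boundary."""
    return {name.lower(): list(values) for name, values in entry.items()}


def has_objectclass(objectclasses, wanted):
    """Case-insensitive test: 'posixGroup' and 'posixgroup' are one class."""
    wanted = wanted.lower()
    return any(oc.lower() == wanted for oc in objectclasses)


def dedupe_objectclasses(objectclasses):
    """Drop case-insensitive duplicates, keeping order and first spelling
    (a plain list(set(...)) would keep both 'posixGroup' and 'posixgroup')."""
    seen, result = set(), []
    for oc in objectclasses:
        if oc.lower() not in seen:
            seen.add(oc.lower())
            result.append(oc)
    return result


def group_mod_objectclasses(entry, posix=False, gidnumber=None):
    """Objectclass list for a group-mod update of `entry`.

    posixGroup is added when --posix is given or a gidnumber is being set,
    but never appended a second time, which the server would reject."""
    attrs = lowercase_keys(entry)
    objectclasses = list(attrs.get('objectclass', []))
    if (posix or gidnumber is not None) and not has_objectclass(objectclasses, 'posixGroup'):
        objectclasses.append('posixGroup')
    return dedupe_objectclasses(objectclasses)


# Constructed sample: camel-case attribute name, as python-ldap returns it
# when no attribute list is requested.
SAMPLE_ENTRY = {'objectClass': ['top', 'groupofnames'], 'cn': ['editors']}

if __name__ == '__main__':
    print(group_mod_objectclasses(SAMPLE_ENTRY, gidnumber=1001))
```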