[Freeipa-devel] [PATCH] Add new pwpolicy plugin based on baseldap classes

Rob Crittenden rcritten at redhat.com
Wed May 5 19:01:06 UTC 2010


Pavel Zuna wrote:
> On 04/27/2010 09:49 PM, Rob Crittenden wrote:
>> Pavel Zůna wrote:
>>> Don't mind the numbering. This is a completely independent patch.
>>>
>>> It adds a new pwpolicy plugin based on baseldap.py classes. It has the
>>> same functionality as the current pwpolicy plugin, but a more clean
>>> and consistent interface, fine grained search capabilities, etc.
>>>
>>> This is actually an updated version of a patch I released some time
>>> ago, but it never got fully reviewed.
>>>
>>> Pavel
>>
>> The original pwpolicy module took group policy via the --group option,
>> yours takes group as the first argument (if any). My thought on this was
>> that at some point someone would want per-user password policy so we
>> could add a --user option. If this isn't foreseen as needed then using
>> the first argument for group is probably easier to grok.
>>
>> Had a failure:
>> $ ./ipa pwpolicy2-mod g1 --priority=2
>> ipa: ERROR: an internal error has occurred
>>
>> File "/home/rcrit/redhat/freeipa-ca/ipalib/plugins/pwpolicy2.py", line 99, in pre_callback
>>     del entry_attrs['cn']
>> KeyError: 'cn'
>>
>> rob
> Fixed.
> 
> I also noticed another minor bug. When only priority is modified by 
> pwpolicy2-mod, the EmptyModlist exception is raised. This is because 
> priority is stored in a different entry that is managed by cosentry_* 
> commands and there's nothing left to be changed for the policy entry. 
> The command does its job, but reports an error and there is no way to 
> catch it without ugly hacks. I'm going to implement a new callback type 
> for baseldap.py classes for the purpose of error handling/exception 
> catching.
> 
> Pavel

I was going to hold off pushing this until the error handling fix could 
be made but since this is currently riding alongside the original 
pwpolicy plugin I'm going to go ahead and push this to make future 
merges easier.

Once we get the error handling done we'll drop the old pwpolicy plugin 
and rename this one.

rob



