[Freeipa-devel] Fw: RFC wrt little snag in LDAPCreate when ipa_uuid manipulates the DN on entry add

Simo Sorce ssorce at redhat.com
Wed Oct 27 16:41:31 UTC 2010


I just realized this was not sent to the list, but given it seems to work
and fix my issues, here it is. I trust Pavel didn't send it to the list
only by mistake.
If not, apologies.

Simo.

Begin forwarded message:

Date: Wed, 27 Oct 2010 15:35:01 +0200
From: Pavel Zuna <pzuna at redhat.com>
To: Simo Sorce <ssorce at redhat.com>
Subject: Re: [Freeipa-devel] RFC wrt little snag in LDAPCreate when
ipa_uuid manipulates the DN on entry add


On 10/27/2010 05:21 AM, Simo Sorce wrote:
>
> So, I have been working on this ipa_uuid plugin as of late and one of
> the last tasks was to let it modify the RDN if ipaUniqueID is part of
> the DN of an entry we want to create.
>
> Example:
> dn: ipauniqueid=autogenerate,cn=hbac,dc=...
> cn: foo rule
> hbactype: allow
> ...
>
> 'autogenerate' is the magic value that makes the ipa_uuid plugin
> generate a uuid and set it on the entry.
>
> The problem is that LDAPCreate, after adding the entry will try to
> search it back immediately using the DN we passed in. This search will
> fail as the DN that is stored in LDAP is different (it has the
> generated uuid instead of 'autogenerate').
>
> So ideas on how to gracefully handle this are welcome.
>
> I discussed of 2 with Rob on IRC but we'd like more inputs (Pavel,
> that would be directed at you :-).
>
> 1. Ignore the error in calls that pass in a DN containing ipauniqueid
> as the RDN and perform a new search.
>
> 2. modify LDAPCreate so that we can pass in a filter. If the caller
> passes in a filter we use that instead of the DN to search the entry
> back.
>
> Simo.
>

This patch introduces a new variable in LDAPObject called
rdn_attribute. It should be set to the attribute used in the entry DN
if it differs from its primary key. Example: 'ipauniqueid' is the RDN
attribute for HBAC rules, but the primary key is 'cn'.

I tested it very quickly, because I have to leave right now. It seemed
to work.

It should apply on top of your tree from fedorapeople.

Try it out please, I'm running out of time and will get back to it
later.

Pavel


-- 
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pzuna-freeipa-0034-rdnattr.patch
Type: text/x-patch
Size: 9159 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20101027/b81b0f4b/attachment.bin>
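The problem Simo describes and the read-back strategy Pavel's patch takes (search by the primary key when the RDN attribute differs from it) can be reproduced in a few lines. The following is an added illustration, not code from the thread, from FreeIPA or from the scrubbed patch: FakeDirectory is a constructed in-memory stand-in for the directory server plus the ipa_uuid plugin, ldap_create_naive mirrors the failing LDAPCreate behaviour (read back by the DN that was sent), and ldap_create uses a hypothetical rdn_attribute parameter, assumed to play the role of the LDAPObject setting mentioned above, to decide whether to read back by DN or by a (primary_key=value) search under the container.

```python
import uuid

AUTOGENERATE = 'autogenerate'  # magic RDN value recognised by ipa_uuid (from the thread)


class FakeDirectory:
    """In-memory stand-in for the directory server with the ipa_uuid plugin.
    Constructed for this example; it is not FreeIPA or 389-ds code."""

    def __init__(self):
        self.entries = {}  # stored DN -> attribute dict (lower-cased keys)

    def add(self, dn, attrs):
        """Add an entry. Like a real LDAP add this returns nothing: the client
        only learns the stored DN by searching for the entry afterwards."""
        rdn, _, parent = dn.partition(',')
        rdn_attr, _, rdn_val = rdn.partition('=')
        stored = {k.lower(): v for k, v in attrs.items()}
        # Emulate the ipa_uuid plugin: replace the magic RDN value with a
        # freshly generated UUID, which also rewrites the entry's DN.
        if rdn_attr.lower() == 'ipauniqueid' and rdn_val == AUTOGENERATE:
            rdn_val = str(uuid.uuid4())
            stored['ipauniqueid'] = rdn_val
            dn = f'{rdn_attr}={rdn_val},{parent}'
        if dn in self.entries:
            raise ValueError(f'entry already exists: {dn}')
        self.entries[dn] = stored

    def get_entry(self, dn):
        """Base-scope lookup by DN; raises if that exact DN is not stored."""
        if dn not in self.entries:
            raise LookupError(f'no such entry: {dn}')
        return dn, self.entries[dn]

    def find_entry(self, container, attr, value):
        """One-level search under container for (attr=value); exactly one hit required."""
        hits = [(dn, e) for dn, e in self.entries.items()
                if dn.endswith(',' + container) and e.get(attr.lower()) == value]
        if len(hits) != 1:
            raise LookupError(f'expected one match for {attr}={value}, got {len(hits)}')
        return hits[0]


def build_dn(container, primary_key, rdn_attribute, attrs):
    """Build the DN the client sends. If the RDN attribute is absent from the
    attributes (the ipauniqueid case) the magic 'autogenerate' value is used."""
    rdn_attribute = rdn_attribute or primary_key
    rdn_value = attrs.get(rdn_attribute, AUTOGENERATE)
    return f'{rdn_attribute}={rdn_value},{container}'


def ldap_create_naive(directory, container, primary_key, rdn_attribute, attrs):
    """The behaviour the thread complains about: always read the entry back
    by the DN that was passed in, which fails once the server rewrote it."""
    dn = build_dn(container, primary_key, rdn_attribute, attrs)
    directory.add(dn, attrs)
    return directory.get_entry(dn)


def ldap_create(directory, container, primary_key, rdn_attribute, attrs):
    """Read-back that is aware of a separate RDN attribute (hypothetical
    rdn_attribute parameter): when the RDN is the primary key the DN is
    stable and a direct lookup works; otherwise search by primary key."""
    dn = build_dn(container, primary_key, rdn_attribute, attrs)
    directory.add(dn, attrs)
    if not rdn_attribute or rdn_attribute == primary_key:
        return directory.get_entry(dn)
    return directory.find_entry(container, primary_key, attrs[primary_key])


def run_scenario():
    """Constructed HBAC-rule scenario from the thread; returns the outcomes."""
    container = 'cn=hbac,dc=example,dc=com'  # constructed suffix
    attrs = {'cn': 'foo rule', 'hbactype': 'allow'}
    naive_failed = False
    try:
        ldap_create_naive(FakeDirectory(), container, 'cn', 'ipauniqueid', attrs)
    except LookupError:
        naive_failed = True
    directory = FakeDirectory()
    dn, entry = ldap_create(directory, container, 'cn', 'ipauniqueid', attrs)
    # Control case: primary key used as RDN, no rewriting involved.
    user_dn, _ = ldap_create(directory, 'cn=users,dc=example,dc=com', 'uid', None,
                             {'uid': 'alice'})
    return {'naive_failed': naive_failed, 'dn': dn, 'entry': entry, 'user_dn': user_dn}


if __name__ == '__main__':
    print(run_scenario())
```

The naive variant raises because `ipauniqueid=autogenerate,...` is never stored; the aware variant finds the rule by `(cn=foo rule)` under the container and learns the real DN. The search must be scoped to the container and must insist on a single hit, otherwise a same-named entry elsewhere in the tree could be returned in place of the one just created.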
