[Freeipa-devel] [PATCH] 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin

JR Aquino JR.Aquino at citrix.com
Tue Aug 9 22:41:14 UTC 2011


> On Aug 9, 2011, at 5:17 AM, Martin Kosek wrote:
> Ah, this one's better. I checked the new API, seems consistent to me. I
> was thinking about the new --key attribute, looks OK. It would be great
> to have some default setting here, but since it is common for all
> grouping types, we cannot do that. It's good it's at least covered in
> documentation and checked in schema.
> 
> Sending the issues I have found:
> 
> 1) freeipa.spec.in: you changed 389-ds-base Requires to a version that
> does not even exist:
> 
> -Requires(pre): 389-ds-base >= 1.2.8.0-1
> +Requires(pre): 389-ds-base >= 1.2.9.0.2
> 
> Please change it to 1.2.9.5-1 which was released yesterday and
> which should fix our reported DS issues (BZ 723937, 725743). If we don't
> push this patch before 2.1 release I will update the 389-ds-base
> Requires myself as it contains the fixes for us.
> 
> 2) Plugin is still not being configured correctly on a replica:
> 
> This change needs to be executed on both master and replica:
> 
> +dn: cn=Auto Membership Plugin,cn=plugins,cn=config
> +changetype: modify
> +add: nsslapd-pluginConfigArea
> +nsslapd-pluginConfigArea: cn=automember,cn=etc,$SUFFIX
> 
> The initial cn=etc,$SUFFIX population should be done only on master.
> 
> 3) I see that autoMemberScope in automember plugin configuration is
> still set to $SUFFIX. I would suggest to set it for hostgroups and
> groups to cn=hostgroups,cn=accounts,$SUFFIX and
> cn=groups,cn=accounts,$SUFFIX, respectively, to improve plugin search
> performance.
> 
> 4) Automember help is not correct for ipa
> automember-default-group-set/remove commands. The API has changed there:
> 
> + Set the default target group:
> +    ipa automember-default-group-set --type=hostgroup webservers
> +    ipa automember-default-group-set --type=group ipausers
> +
> + Set the default target group:
> +    ipa automember-default-group-remove --type=hostgroup webservers
> +    ipa automember-default-group-remove --type=group ipausers
> +
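
Review bot: the heading above the two automember-default-group-remove commands repeats "Set the default target group:", so the help text labels a removal as a set. Change the second heading to "Remove the default target group:" so the two blocks can be told apart when read from `ipa help automember`.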
> 
> 
> 5) I would fix examples for condition manipulating commands:
> 
> + Add another condition to the rule:
> +   ipa automember-add-condition --inclusive-regex=^web[1-9+]\.example\.com webservers
> +
> + Add an exclusive condition to the rule to prevent auto asignment:
> +   ipa automember-add-condition --exclusive-regex=^web5\.example\.com webservers
> +
> + Remove a condition from the rule:
> +   ipa automember-remove-condition --inclusive-regex=^www[1-9+]\.example\.com webservers
> +
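
Review bot: the regex arguments in all three examples are passed unquoted, so the shell consumes the backslashes and the stored pattern has a bare "." that matches any character; wrap each pattern in single quotes, e.g. --inclusive-regex='^web[1-9]+\.example\.com'. The class [1-9+] matches one digit or a literal "+", not one or more digits, so [1-9]+ is probably what was meant, and without a trailing "$" the pattern also matches longer names that merely start with the intended FQDN. The remove example uses ^www while the add example uses ^web, so as written it does not remove the condition added above it.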
> 
> Currently, the framework asks for both Attribute Key and Grouping type
> in these commands. I think it is better to have those required
> attributes already filled, so that the user can just simply copy&paste.
> 
> 6) I got an internal error when trying to add a duplicate exclusive regex:
> # ipa automember-show --type=hostgroup webservers
>  Automember Rule: webservers
>  Inclusive Regex: fqdn=^web[1-9+].example.com
>  Exclusive Regex: fqdn=^web5.example.com
> # ipa automember-add-condition --exclusive-regex=^web5\.example\.com --type=hostgroup --key=fqdn webservers
> ipa: ERROR: an internal error has occurred
> 
> Martin

OK, new patch attached.

I believe this addresses the above.

1. Requires(pre): 389-ds-base >= 1.2.9.5-1

2. replica-automember.ldif added for dsinstance to install during replica installs:
+dn: cn=Auto Membership Plugin,cn=plugins,cn=config
+changetype: modify
+add: nsslapd-pluginConfigArea
+nsslapd-pluginConfigArea: cn=automember,cn=etc,$SUFFIX
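
Review bot: the modify uses "add: nsslapd-pluginConfigArea", which fails with "type or value exists" if this LDIF is applied to an instance where the attribute already holds this value. Using "replace: nsslapd-pluginConfigArea" would make the change idempotent and would leave the attribute with exactly one configured area either way.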

3. autoMemberScope is now set for each:
groups: cn=users,cn=accounts,$SUFFIX
hostgroups: cn=computers,cn=accounts,$SUFFIX

4. Corrected examples
 Set the default target group:
    ipa automember-default-group-set --default-group=webservers hostgroup
    ipa automember-default-group-set --default-group=ipausers group

 Set the default target group:
    ipa automember-default-group-remove hostgroup
    ipa automember-default-group-remove group

 Show the default target group:
    ipa automember-default-group-show hostgroup
    ipa automember-default-group-show group

5. Corrected examples
 Add a condition to the rule:
   ipa automember-add-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9+]\.example\.com webservers
   ipa automember-add-condition --key=manager --type=group --inclusive-regex=^mscott admins

 Add an exclusive condition to the rule to prevent auto assignment:
   ipa automember-add-condition --key=fqdn --type=hostgroup --exclusive-regex=^web5\.example\.com webservers

 Remove a condition from the rule:
   ipa automember-remove-condition --key=fqdn --type=hostgroup --inclusive-regex=^www[1-9+]\.example\.com webservers

6. Corrected the bug for adding duplicate conditions. Included a test for it in the test suite.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jraquino-0034-Create-FreeIPA-CLI-Plugin-for-the-389-Auto-Membershi.patch
Type: application/octet-stream
Size: 56146 bytes
Desc: freeipa-jraquino-0034-Create-FreeIPA-CLI-Plugin-for-the-389-Auto-Membershi.patch
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20110809/f76e2df1/attachment.obj>