[Freeipa-devel] [PATCH] 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin
JR Aquino
JR.Aquino at citrix.com
Tue Aug 9 22:41:14 UTC 2011
> On Aug 9, 2011, at 5:17 AM, Martin Kosek wrote:
> Ah, this one's better. I checked the new API, seems consistent to me. I
> was thinking about the new --key attribute, looks OK. It would be great
> to have some default setting here, but since it is common for all
> grouping types, we cannot do that. It's good it's at least covered in
> documentation and checked in schema.
>
> Sending the issues I have found:
>
> 1) freeipa.spec.in: you changed 389-ds-base Requires to a version that
> does not even exist:
>
> -Requires(pre): 389-ds-base >= 1.2.8.0-1
> +Requires(pre): 389-ds-base >= 1.2.9.0.2
>
> Please change it to 1.2.9.5-1 which has been released yesterday and
> which should fix our reported DS issues (BZ 723937, 725743). If we don't
> push this patch before 2.1 release I will update the 389-ds-base
> Requires myself as it contains the fixes for us.
>
> 2) Plugin is still not being configured correctly on a replica:
>
> This change needs to be executed on both master and replica:
>
> +dn: cn=Auto Membership Plugin,cn=plugins,cn=config
> +changetype: modify
> +add: nsslapd-pluginConfigArea
> +nsslapd-pluginConfigArea: cn=automember,cn=etc,$SUFFIX
>
> The initial cn=etc,$SUFFIX population should be done only on master.
>
> 3) I see that autoMemberScope in automember plugin configuration is
> still set to $SUFFIX. I would suggest to set it for hostgroups and
> groups to cn=hostgroups,cn=accounts,$SUFFIX and cn=groups,cn=accounts,
> $SUFFIX, respectively, to improve plugin search performance.
>
> 4) Automember help is not correct for ipa
> automember-default-group-set/remove commands. The API has changed there:
>
> + Set the default target group:
> + ipa automember-default-group-set --type=hostgroup webservers
> + ipa automember-default-group-set --type=group ipausers
> +
> + Set the default target group:
> + ipa automember-default-group-remove --type=hostgroup webservers
> + ipa automember-default-group-remove --type=group ipausers
> +
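Review bot: The second heading in this help text repeats "Set the default target group:" above the two automember-default-group-remove commands, so the help describes a removal as a set. Change that heading to "Remove the default target group:" so each block of commands is labelled with the operation it performs.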
>
>
> 5) I would fix examples for condition manipulating commands:
>
> + Add another condition to the rule:
> + ipa automember-add-condition --inclusive-regex=^web[1-9+]\.example\.com webservers
> +
> + Add an exclusive condition to the rule to prevent auto asignment:
> + ipa automember-add-condition --exclusive-regex=^web5\.example\.com webservers
> +
> + Remove a condition from the rule:
> + ipa automember-remove-condition --inclusive-regex=^www[1-9+]\.example\.com webservers
> +
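Review bot: The regex values in all three example commands are unquoted, so the shell removes the backslashes before ipa receives them; the automember-show output quoted further down in this message shows the stored value as fqdn=^web[1-9+].example.com, with unescaped dots. Single-quote the value in each example, e.g. --inclusive-regex='^web[1-9+]\.example\.com'. The remove example also uses ^www[1-9+] while the add example uses ^web[1-9+], so copied as written it targets a condition that was never added, and [1-9+] is a character class matching one digit or a literal +, which is probably meant to be [1-9]+.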
>
> Currently, the framework asks for both Attribute Key and Grouping type
> in these commands. I think it is better to have those required
> attributes already filled, so that the user can just simply copy&paste.
>
> 6) I got an internal error when trying to add a duplicate exclusive regex:
> # ipa automember-show --type=hostgroup webservers
> Automember Rule: webservers
> Inclusive Regex: fqdn=^web[1-9+].example.com
> Exclusive Regex: fqdn=^web5.example.com
> # ipa automember-add-condition --exclusive-regex=^web5\.example\.com --type=hostgroup --key=fqdn webservers
> ipa: ERROR: an internal error has occurred
>
> Martin
OK, new patch attached.
I believe this addresses the above.
1. Requires(pre): 389-ds-base >= 1.2.9.5-1
2. replica-automember.ldif added for dsinstance to install during replica installs:
+dn: cn=Auto Membership Plugin,cn=plugins,cn=config
+changetype: modify
+add: nsslapd-pluginConfigArea
+nsslapd-pluginConfigArea: cn=automember,cn=etc,$SUFFIX
3. autoMemberScope is now set for each:
groups: cn=users,cn=accounts,$SUFFIX
hostgroups: cn=computers,cn=accounts,$SUFFIX
4. Corrected examples
Set the default target group:
ipa automember-default-group-set --default-group=webservers hostgroup
ipa automember-default-group-set --default-group=ipausers group
Set the default target group:
ipa automember-default-group-remove hostgroup
ipa automember-default-group-remove group
Show the default target group:
ipa automember-default-group-show hostgroup
ipa automember-default-group-show group
5. Corrected examples
Add a condition to the rule:
ipa automember-add-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9+]\.example\.com webservers
ipa automember-add-condition --key=manager --type=group --inclusive-regex=^mscott admins
Add an exclusive condition to the rule to prevent auto asignment:
ipa automember-add-condition --key=fqdn --type=hostgroup --exclusive-regex=^web5\.example\.com webservers
Remove a condition from the rule:
ipa automember-remove-condition --key=fqdn --type=hostgroup --inclusive-regex=^www[1-9+]\.example\.com webservers
6. Correct bug for adding duplicate conditions. Included test for it in the test suite.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jraquino-0034-Create-FreeIPA-CLI-Plugin-for-the-389-Auto-Membershi.patch
Type: application/octet-stream
Size: 56146 bytes
Desc: freeipa-jraquino-0034-Create-FreeIPA-CLI-Plugin-for-the-389-Auto-Membershi.patch
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20110809/f76e2df1/attachment.obj>
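The automember conditions discussed in this thread decide which hosts land in a hostgroup, so it is worth checking what a regex selects once it has passed through the shell. The following is an added example, not part of the original message or of the FreeIPA patch: it assumes grep -E as a stand-in for the directory server's regex engine, uses constructed host names, and the STRICT pattern is a hypothetical tightened form.

```shell
#!/bin/sh
# Added example. grep -E stands in for the directory server's regex engine
# (assumption); the patterns use only constructs common to ERE and PCRE.

# Return an argument exactly as the invoked command would receive it.
as_received() { printf '%s' "$1"; }

# Constructed sample FQDNs, not taken from the thread.
sample_hosts() {
    printf '%s\n' web1.example.com web5.example.com web10.example.com \
        web+.example.com web1xexample.com web1.example.com.test.invalid
}

# Hosts selected by a single regex condition.
matching_hosts() { sample_hosts | grep -E -- "$1" | paste -sd ' ' -; }

# Hosts selected by an inclusive regex minus those hit by an exclusive one.
members() {
    sample_hosts | grep -E -- "$1" | grep -Ev -- "$2" | paste -sd ' ' -
}

# Unquoted, the shell removes the backslashes before ipa sees the value.
STORED=$(as_received ^web[1-9+]\.example\.com)
# Single quotes deliver the regex unchanged.
QUOTED=$(as_received '^web[1-9+]\.example\.com')
# Hypothetical tightened form: escaped dots, digits only, end anchor.
STRICT='^web[1-9][0-9]*\.example\.com$'

printf 'unquoted arg : %s\n' "$STORED"
printf 'quoted arg   : %s\n' "$QUOTED"
printf 'stored match : %s\n' "$(matching_hosts "$STORED")"
printf 'quoted match : %s\n' "$(matching_hosts "$QUOTED")"
printf 'strict match : %s\n' "$(matching_hosts "$STRICT")"
printf 'strict - web5: %s\n' "$(members "$STRICT" '^web5\.example\.com$')"
```

The value as stored matches a host whose name only resembles the domain and one with extra trailing labels, while the anchored form selects only the numbered web hosts.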