[Freeipa-devel] [PATCH] 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin

JR Aquino JR.Aquino at citrix.com
Mon Aug 22 20:19:22 UTC 2011 

On Aug 19, 2011, at 2:16 AM, Martin Kosek wrote:

> Hi JR,
> 
> I get to your plugin again. You can see my findings below.
> 
> On Tue, 2011-08-09 at 22:41 +0000, JR Aquino wrote:
> ...
>> Ok New Patch attached.
>> 
>> I believe this addresses the above.
>> 
>> 1. Requires(pre): 389-ds-base >= 1.2.9.5-1
> 
> 1) Please, remove the change to FreeIPA spec, its no longer needed since
> we shipped version 2.1 and it already requires sufficient 389-ds-base
> version.

Done.

> 
>> 
>> 2. replica-automember.ldif added for dsinstance to install during replica installs:
>> +dn: cn=Auto Membership Plugin,cn=plugins,cn=config
>> +changetype: modify
>> +add: nsslapd-pluginConfigArea
>> +nsslapd-pluginConfigArea: cn=automember,cn=etc,$SUFFIX
> 
> 2) OK. I would do it a bit different - have one LDIF for
> nsslapd-pluginConfigArea setting and second for creating the base
> automember structure. Master would then use both LDIFs and a replica
> both of them. We would then be without duplicates in LDIF. But your way
> acceptable.

Please allow the 2 ldif's in as they are.

I tried to split them to leverage cn=config change in common, however, I encountered a 389 ds bug.
I will be opening a bug with Nathan in BZ to address the bug.  If you feel strongly, we can either:

A: Accept the two LDIFs as is and revisit after a newer version of 389 ds is available.
B: Wait until 389 ds addresses the bug and make the minor modification you suggested above.

> 
>> 
>> 3. autoMemberScope is now set for each:
>> groups: cn=users,cn=accounts,$SUFFIX
>> hostgroups: cn=computers,cn=accounts,$SUFFIX
> 
> OK
> 
>> 
>> 4. Corrected examples
>> Set the default target group:
>>    ipa automember-default-group-set --default-group=webservers hostgroup
>>    ipa automember-default-group-set --default-group=ipausers group
>> 
>> Set the default target group:
>>    ipa automember-default-group-remove hostgroup
>>    ipa automember-default-group-remove group
>> 
>> Show the default target group:
>>    ipa automember-default-group-show hostgroup
>>    ipa automember-default-group-show group
>> 
>> 5. Corrected examples
>> Add a condition to the rule:
>>   ipa automember-add-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9+]\.example\.com webservers
> 
> 3) Please fix the regex to ^web[1-9]+\.example\.com. I think its just a
> mistake - right now for example a host web11.example.com does not match.

Fixed

> 
>>   ipa automember-add-condition --key=manager --type=group --inclusive-regex=^mscott admins
>> 
> 
> 4) I think you wanted to use devel rule instead of non-existent "admins"
> automember rule.
> 

You are correct, this has been fixed.

>> Add an exclusive condition to the rule to prevent auto asignment:
>>   ipa automember-add-condition --key=fqdn --type=hostgroup --exclusive-regex=^web5\.example\.com webservers
>> 
>> Remove a condition from the rule:
>>   ipa automember-remove-condition --key=fqdn --type=hostgroup --inclusive-regex=^www[1-9+]\.example\.com webservers
> 
> 5) The same as in 3)

Fixed

> 
>> 
>> 6. Correct bug for adding duplicate conditions. Included test for it in the test suite.
>> 
> 
> OK. Here are my additional findings:
> 
> 6) There some more example commands in doc which are not complete and
> require some user typing:
> 
> Display a automember rule:
>    ipa automember-show webservers
> 
> Delete an automember rule:
>    ipa automember-del webservers
> 
> Grouping type option is missing

Fixed.  Added the appropriate flags in the examples

> 
> 7) I get internal error when running examples from the automember doc:
> # ipa automember-add --type=group devel
> -----------------------------
> Added automember rule "devel"
> -----------------------------
>  Automember Rule: devel
> # ipa automember-add-condition --key=manager --type=group --inclusive-regex=^mscott admins
> ipa: ERROR: an internal error has occurred

Fixed.

> 
> 
> That's all. The plugin gets better with every version, I think we may
> soon be ready for pushing - when all of the issues are resolved.
> 
> Martin
> 

Please let me know how it looks now.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jraquino-0034-Create-FreeIPA-CLI-Plugin-for-the-389-Auto-Membershi.patch
Type: application/octet-stream
Size: 56152 bytes
Desc: freeipa-jraquino-0034-Create-FreeIPA-CLI-Plugin-for-the-389-Auto-Membershi.patch
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20110822/440c39f5/attachment.obj>

More information about the Freeipa-devel mailing list