[Freeipa-devel] [PATCH] 19 Cleanup for netgroup search

JR Aquino JR.Aquino at citrix.com
Thu Feb 17 18:12:45 UTC 2011


On 2/17/11 3:23 AM, "Jan Zelený" <jzeleny at redhat.com> wrote:

>JR Aquino <JR.Aquino at citrix.com> wrote:
>> This patch fixes the netgroup plugin's behavior of adding duplicate entries
>> when the managed entry plugin creates a netgroup with a mepManagedEntry.
>> This problem is documented in ticket:
>> https://fedorahosted.org/freeipa/ticket/963
>> 
>> As noted by Endi for issue #3 in the History:
>> "3. Just out of curiosity, I tried adding a netgroup with the same name as
>> the hostgroup. I expected it to conflict with the managed netgroup, but it
>> actually worked. Searching the directory will return 2 netgroups with the
>> same name:"
>> 
>> Historically the netgroup plugin had inappropriately defined:
>> rdn_attribute = 'ipauniqueid'
>> This caused the ability of duplication with the creation
>> of native netgroups using the ipaUniqueId as the DN and as the Managed
>> Entry netgroups utilizing the cn as the DN.
>> 
>> Patch includes adjustments for the netgroup plugin and corresponding
>> test_netgroup_plugin
>> 
>> Please verify that the items requested in #963 are now complete and please
>> confirm that the corresponding tests all pass.
>
>One test fails:
>FAIL: test_netgroup[30]: netgroup_remove_member: Remove netgroup u'netgroup2' from netgroup u'netgroup1'
>
>Command ipa host-show still shows:
>Member of netgroups: testhostgroup
>
>Also a little bit of nitpicking, I think the changed code in chunk 2 would
>better look something like this:
>
>search_kw = {}
>search_kw['objectclass'] = ['mepManagedEntry']
>if not options['private']:
>    local_filter = ldap.make_filter(search_kw, rules=ldap.MATCH_NONE)
>else:
>    local_filter = ldap.make_filter(search_kw, rules=ldap.MATCH_ALL)
>filter = ldap.combine_filters((local_filter, filter), rules=ldap.MATCH_ALL)
>
>--
>Jan

It was determined that the ipauniqueid is required for the DN on these
objects.
It's an ipaAssociation which uses it as the rdn; if we change it, the
problems cascade.

This patch has now changed to reflect the optimization in the netgroup
search instead.
It provides a cleaner method of performing a netgroup search for native
netgroups and allows for the --private search to only display the
mepManagedEntry netgroups, rather than ALL netgroups. Previously --private
would return ALL netgroups.

This means there is no need to modify test_netgroup_plugin.

Please verify that the optimization / bugfix passes the standard
test_netgroup_plugin.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jraquino-0019-Cleanup-for-netgroup-search.patch
Type: application/octet-stream
Size: 1445 bytes
Desc: freeipa-jraquino-0019-Cleanup-for-netgroup-search.patch
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20110217/036db0ff/attachment.obj>
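
The search behaviour described in the message above (a native search excludes mepManagedEntry netgroups, --private returns only them), as an added example that is not part of the original post or of the FreeIPA code base. The helper names, the ipaNISNetgroup base filter and the two sample entries are assumptions constructed for illustration.

```python
# Added illustration; hypothetical helpers, not FreeIPA's ldap2 API.
ESC = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}

def escape(value):
    """Escape a value for use inside an RFC 4515 search filter."""
    return ''.join(ESC.get(ch, ch) for ch in value)

def eq(attr, value):
    """Equality node of a small filter tree: ('=', attr, value)."""
    return ('=', attr, value)

def render(node):
    """Turn a filter tree into the LDAP filter string sent to the server."""
    op = node[0]
    if op == '=':
        return '(%s=%s)' % (node[1], escape(node[2]))
    if op == '!':
        return '(!%s)' % render(node[1])
    return '(%s%s)' % (op, ''.join(render(n) for n in node[1]))

def matches(node, entry):
    """Evaluate a filter tree against one entry (case-insensitive values)."""
    op = node[0]
    if op == '=':
        values = [v.lower() for v in entry.get(node[1].lower(), [])]
        return node[2].lower() in values
    if op == '!':
        return not matches(node[1], entry)
    results = [matches(n, entry) for n in node[1]]
    return all(results) if op == '&' else any(results)

def netgroup_find_filter(private):
    """Native search excludes managed entries; private returns only them."""
    managed = eq('objectclass', 'mepManagedEntry')
    scope = managed if private else ('!', managed)
    # Base object class is an assumption; the thread does not state it.
    return ('&', [eq('objectclass', 'ipaNISNetgroup'), scope])

# Constructed sample entries: one native netgroup, one managed netgroup.
ENTRIES = [
    {'cn': ['netgroup1'], 'objectclass': ['ipaNISNetgroup', 'ipaAssociation']},
    {'cn': ['testhostgroup'], 'objectclass': ['ipaNISNetgroup', 'mepManagedEntry']},
]

def find(private):
    """Return the cn of every sample entry the search filter selects."""
    flt = netgroup_find_filter(private)
    return [e['cn'][0] for e in ENTRIES if matches(flt, e)]
```
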

