[Freeipa-devel] [PATCH] 817 Add option to wait for values
Martin Kosek
mkosek at redhat.com
Mon Jul 18 08:48:55 UTC 2011
On Sun, 2011-07-17 at 17:42 -0400, Rob Crittenden wrote:
> Rob Crittenden wrote:
> > Martin Kosek wrote:
> >> On Tue, 2011-07-05 at 13:41 -0400, Rob Crittenden wrote:
> >>> Rob Crittenden wrote:
> >>>> Rob Crittenden wrote:
> >>>>> 389-ds postop plugins, such as the managed entry and memberof plugins,
> >>>>> add values after the data has been returned to the client. In the case
> >>>>> of the managed entry plugin this affects the parent entry as well
> >>>>> (adds
> >>>>> an objectclass value).
> >>>>>
> >>>>> This wreaks havoc on our tests as the values don't match what we
> >>>>> expect.
> >>>>>
> >>>>> The solution is to wait for the postop plugins to finish their work,
> >>>>> then return. I've added this as an option. The downside is it is going
> >>>>> to naturally slow things down, so it is off by default.
> >>>>>
> >>>>> It is currently only used in the hostgroup plugin.
> >>>>>
> >>>>> The option is wait_for_attr. Add this to ~/.ipa/default.conf and
> >>>>> set it
> >>>>> to True and all the current tests will pass (assuming you apply
> >>>>> patches
> >>>>> 814-816 as well).
> >>>>>
> >>>>> So now we won't have any excuses for missing test failures in the unit
> >>>>> tests...
> >>>>>
> >>>>> rob
> >>>>
> >>>> Bah, found a small problem. Self-NACK.
> >>>>
> >>>> rob
> >>>
> >>> Updated patch attached.
> >>>
> >>> Note that I don't think there is a way for us to handle things like
> >>> memberof_indirect. We wouldn't know to wait.
> >>>
> >>> rob
> >>
> >> Works fine for the hostgroup entry. It's good it can be switched on/off.
> >>
> >> But what about other managed entries, like user entry? Would it make
> >> sense to add a wait here too? Or maybe something systematic to baseldap
> >> so that we wouldn't have to implement this wait to every managed entry.
> >>
> >> Martin
> >>
> >
> > I can certainly add it to users to check for managed groups. Making it
> > generic would be difficult because some are conditional (such as users).
> >
> > rob
>
> Added support for managed users as well.
>
> rob
Waiting for managed users work too. However, I have just noticed that
the entire solution works only partially.
It waits for mepOriginEntry objectclass, but it doesn't add the new LDAP
attributes "mepmanagedentry" and "memberof" to the <command>-add result:
# ipa hostgroup-add hgroup3 --desc=foo --all --raw
-------------------------
Added hostgroup "hgroup3"
-------------------------
dn: cn=hgroup3,cn=hostgroups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
cn: hgroup3
description: foo
ipauniqueid: 20d1b8e4-b114-11e0-ab28-00163e0ed706
objectclass: ipaobject
objectclass: ipahostgroup
objectclass: nestedGroup
objectclass: groupOfNames
objectclass: top
objectclass: mepOriginEntry
# ipa hostgroup-show hgroup3 --all --raw
dn: cn=hgroup3,cn=hostgroups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
cn: hgroup3
description: foo
ipauniqueid: 20d1b8e4-b114-11e0-ab28-00163e0ed706
memberof: cn=hgroup3,cn=ng,cn=alt,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com <====
mepmanagedentry: cn=hgroup3,cn=ng,cn=alt,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com <====
objectclass: ipaobject
objectclass: ipahostgroup
objectclass: nestedGroup
objectclass: groupOfNames
objectclass: top
objectclass: mepOriginEntry
# ipa user-add --first=Foo --last=Bar fbar2 --all --raw
------------------
Added user "fbar2"
------------------
dn: uid=fbar2,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
uid: fbar2
givenname: Foo
sn: Bar
cn: Foo Bar
displayname: Foo Bar
initials: FB
homedirectory: /home/fbar2
gecos: Foo Bar
loginshell: /bin/sh
krbprincipalname: fbar2 at IDM.LAB.BOS.REDHAT.COM
uidnumber: 524600004
gidnumber: 524600004
ipauniqueid: b22ab54c-b115-11e0-b354-00163e0ed706
krbpwdpolicyreference: cn=global_policy,cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
objectclass: top
objectclass: person
objectclass: organizationalperson
objectclass: inetorgperson
objectclass: inetuser
objectclass: posixaccount
objectclass: krbprincipalaux
objectclass: krbticketpolicyaux
objectclass: ipaobject
objectclass: mepOriginEntry
# ipa user-show fbar2 --all --raw
dn: uid=fbar2,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
uid: fbar2
givenname: Foo
sn: Bar
cn: Foo Bar
displayname: Foo Bar
initials: FB
homedirectory: /home/fbar2
gecos: Foo Bar
loginshell: /bin/sh
krbprincipalname: fbar2 at IDM.LAB.BOS.REDHAT.COM
uidnumber: 524600004
gidnumber: 524600004
nsaccountlock: False
ipauniqueid: b22ab54c-b115-11e0-b354-00163e0ed706
krbpwdpolicyreference: cn=global_policy,cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
memberof: cn=ipausers,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com <====
mepmanagedentry: cn=fbar2,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com <====
objectclass: top
objectclass: person
objectclass: organizationalperson
objectclass: inetorgperson
objectclass: inetuser
objectclass: posixaccount
objectclass: krbprincipalaux
objectclass: krbticketpolicyaux
objectclass: ipaobject
objectclass: mepOriginEntry
I think there attributes should be added in post_callback (and to the
tests).
Martin
More information about the Freeipa-devel
mailing list