[Freeipa-devel] [PATCH] 817 Add option to wait for values

Martin Kosek mkosek at redhat.com
Mon Jul 18 08:48:55 UTC 2011 

On Sun, 2011-07-17 at 17:42 -0400, Rob Crittenden wrote:
> Rob Crittenden wrote:
> > Martin Kosek wrote:
> >> On Tue, 2011-07-05 at 13:41 -0400, Rob Crittenden wrote:
> >>> Rob Crittenden wrote:
> >>>> Rob Crittenden wrote:
> >>>>> 389-ds postop plugins, such as the managed entry and memberof plugins,
> >>>>> add values after the data has been returned to the client. In the case
> >>>>> of the managed entry plugin this affects the parent entry as well
> >>>>> (adds
> >>>>> an objectclass value).
> >>>>>
> >>>>> This wreaks havoc on our tests as the values don't match what we
> >>>>> expect.
> >>>>>
> >>>>> The solution is to wait for the postop plugins to finish their work,
> >>>>> then return. I've added this as an option. The downside is it is going
> >>>>> to naturally slow things down, so it is off by default.
> >>>>>
> >>>>> It is currently only used in the hostgroup plugin.
> >>>>>
> >>>>> The option is wait_for_attr. Add this to ~/.ipa/default.conf and
> >>>>> set it
> >>>>> to True and all the current tests will pass (assuming you apply
> >>>>> patches
> >>>>> 814-816 as well).
> >>>>>
> >>>>> So now we won't have any excuses for missing test failures in the unit
> >>>>> tests...
> >>>>>
> >>>>> rob
> >>>>
> >>>> Bah, found a small problem. Self-NACK.
> >>>>
> >>>> rob
> >>>
> >>> Updated patch attached.
> >>>
> >>> Note that I don't think there is a way for us to handle things like
> >>> memberof_indirect. We wouldn't know to wait.
> >>>
> >>> rob
> >>
> >> Works fine for the hostgroup entry. It's good it can be switched on/off.
> >>
> >> But what about other managed entries, like user entry? Would it make
> >> sense to add a wait here too? Or maybe something systematic to baseldap
> >> so that we wouldn't have to implement this wait to every managed entry.
> >>
> >> Martin
> >>
> >
> > I can certainly add it to users to check for managed groups. Making it
> > generic would be difficult because some are conditional (such as users).
> >
> > rob
> 
> Added support for managed users as well.
> 
> rob

Waiting for managed users work too. However, I have just noticed that
the entire solution works only partially.

It waits for mepOriginEntry objectclass, but it doesn't add the new LDAP
attributes "mepmanagedentry" and "memberof" to the <command>-add result:

# ipa hostgroup-add hgroup3 --desc=foo --all --raw
-------------------------
Added hostgroup "hgroup3"
-------------------------
  dn: cn=hgroup3,cn=hostgroups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  cn: hgroup3
  description: foo
  ipauniqueid: 20d1b8e4-b114-11e0-ab28-00163e0ed706
  objectclass: ipaobject
  objectclass: ipahostgroup
  objectclass: nestedGroup
  objectclass: groupOfNames
  objectclass: top
  objectclass: mepOriginEntry
# ipa hostgroup-show hgroup3 --all --raw
  dn: cn=hgroup3,cn=hostgroups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  cn: hgroup3
  description: foo
  ipauniqueid: 20d1b8e4-b114-11e0-ab28-00163e0ed706
  memberof: cn=hgroup3,cn=ng,cn=alt,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com   <====
  mepmanagedentry: cn=hgroup3,cn=ng,cn=alt,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com   <====
  objectclass: ipaobject
  objectclass: ipahostgroup
  objectclass: nestedGroup
  objectclass: groupOfNames
  objectclass: top
  objectclass: mepOriginEntry

# ipa user-add --first=Foo --last=Bar fbar2 --all --raw
------------------
Added user "fbar2"
------------------
  dn: uid=fbar2,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  uid: fbar2
  givenname: Foo
  sn: Bar
  cn: Foo Bar
  displayname: Foo Bar
  initials: FB
  homedirectory: /home/fbar2
  gecos: Foo Bar
  loginshell: /bin/sh
  krbprincipalname: fbar2 at IDM.LAB.BOS.REDHAT.COM
  uidnumber: 524600004
  gidnumber: 524600004
  ipauniqueid: b22ab54c-b115-11e0-b354-00163e0ed706
  krbpwdpolicyreference: cn=global_policy,cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  objectclass: top
  objectclass: person
  objectclass: organizationalperson
  objectclass: inetorgperson
  objectclass: inetuser
  objectclass: posixaccount
  objectclass: krbprincipalaux
  objectclass: krbticketpolicyaux
  objectclass: ipaobject
  objectclass: mepOriginEntry
# ipa user-show fbar2 --all --raw
  dn: uid=fbar2,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  uid: fbar2
  givenname: Foo
  sn: Bar
  cn: Foo Bar
  displayname: Foo Bar
  initials: FB
  homedirectory: /home/fbar2
  gecos: Foo Bar
  loginshell: /bin/sh
  krbprincipalname: fbar2 at IDM.LAB.BOS.REDHAT.COM
  uidnumber: 524600004
  gidnumber: 524600004
  nsaccountlock: False
  ipauniqueid: b22ab54c-b115-11e0-b354-00163e0ed706
  krbpwdpolicyreference: cn=global_policy,cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  memberof: cn=ipausers,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com   <====
  mepmanagedentry: cn=fbar2,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com   <====
  objectclass: top
  objectclass: person
  objectclass: organizationalperson
  objectclass: inetorgperson
  objectclass: inetuser
  objectclass: posixaccount
  objectclass: krbprincipalaux
  objectclass: krbticketpolicyaux
  objectclass: ipaobject
  objectclass: mepOriginEntry


I think there attributes should be added in post_callback (and to the
tests).

Martin

More information about the Freeipa-devel mailing list