[Freeipa-devel] [PATCH] 817 Add option to wait for values

Rob Crittenden rcritten at redhat.com
Tue Jul 19 04:14:35 UTC 2011 

Martin Kosek wrote:
> On Sun, 2011-07-17 at 17:42 -0400, Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> Martin Kosek wrote:
>>>> On Tue, 2011-07-05 at 13:41 -0400, Rob Crittenden wrote:
>>>>> Rob Crittenden wrote:
>>>>>> Rob Crittenden wrote:
>>>>>>> 389-ds postop plugins, such as the managed entry and memberof plugins,
>>>>>>> add values after the data has been returned to the client. In the case
>>>>>>> of the managed entry plugin this affects the parent entry as well
>>>>>>> (adds
>>>>>>> an objectclass value).
>>>>>>>
>>>>>>> This wreaks havoc on our tests as the values don't match what we
>>>>>>> expect.
>>>>>>>
>>>>>>> The solution is to wait for the postop plugins to finish their work,
>>>>>>> then return. I've added this as an option. The downside is it is going
>>>>>>> to naturally slow things down, so it is off by default.
>>>>>>>
>>>>>>> It is currently only used in the hostgroup plugin.
>>>>>>>
>>>>>>> The option is wait_for_attr. Add this to ~/.ipa/default.conf and
>>>>>>> set it
>>>>>>> to True and all the current tests will pass (assuming you apply
>>>>>>> patches
>>>>>>> 814-816 as well).
>>>>>>>
>>>>>>> So now we won't have any excuses for missing test failures in the unit
>>>>>>> tests...
>>>>>>>
>>>>>>> rob
>>>>>>
>>>>>> Bah, found a small problem. Self-NACK.
>>>>>>
>>>>>> rob
>>>>>
>>>>> Updated patch attached.
>>>>>
>>>>> Note that I don't think there is a way for us to handle things like
>>>>> memberof_indirect. We wouldn't know to wait.
>>>>>
>>>>> rob
>>>>
>>>> Works fine for the hostgroup entry. It's good it can be switched on/off.
>>>>
>>>> But what about other managed entries, like user entry? Would it make
>>>> sense to add a wait here too? Or maybe something systematic to baseldap
>>>> so that we wouldn't have to implement this wait to every managed entry.
>>>>
>>>> Martin
>>>>
>>>
>>> I can certainly add it to users to check for managed groups. Making it
>>> generic would be difficult because some are conditional (such as users).
>>>
>>> rob
>>
>> Added support for managed users as well.
>>
>> rob
>
> Waiting for managed users work too. However, I have just noticed that
> the entire solution works only partially.
>
> It waits for mepOriginEntry objectclass, but it doesn't add the new LDAP
> attributes "mepmanagedentry" and "memberof" to the<command>-add result:
>
> # ipa hostgroup-add hgroup3 --desc=foo --all --raw
> -------------------------
> Added hostgroup "hgroup3"
> -------------------------
>    dn: cn=hgroup3,cn=hostgroups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>    cn: hgroup3
>    description: foo
>    ipauniqueid: 20d1b8e4-b114-11e0-ab28-00163e0ed706
>    objectclass: ipaobject
>    objectclass: ipahostgroup
>    objectclass: nestedGroup
>    objectclass: groupOfNames
>    objectclass: top
>    objectclass: mepOriginEntry
> # ipa hostgroup-show hgroup3 --all --raw
>    dn: cn=hgroup3,cn=hostgroups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>    cn: hgroup3
>    description: foo
>    ipauniqueid: 20d1b8e4-b114-11e0-ab28-00163e0ed706
>    memberof: cn=hgroup3,cn=ng,cn=alt,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com<====
>    mepmanagedentry: cn=hgroup3,cn=ng,cn=alt,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com<====
>    objectclass: ipaobject
>    objectclass: ipahostgroup
>    objectclass: nestedGroup
>    objectclass: groupOfNames
>    objectclass: top
>    objectclass: mepOriginEntry
>
> # ipa user-add --first=Foo --last=Bar fbar2 --all --raw
> ------------------
> Added user "fbar2"
> ------------------
>    dn: uid=fbar2,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>    uid: fbar2
>    givenname: Foo
>    sn: Bar
>    cn: Foo Bar
>    displayname: Foo Bar
>    initials: FB
>    homedirectory: /home/fbar2
>    gecos: Foo Bar
>    loginshell: /bin/sh
>    krbprincipalname: fbar2 at IDM.LAB.BOS.REDHAT.COM
>    uidnumber: 524600004
>    gidnumber: 524600004
>    ipauniqueid: b22ab54c-b115-11e0-b354-00163e0ed706
>    krbpwdpolicyreference: cn=global_policy,cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>    objectclass: top
>    objectclass: person
>    objectclass: organizationalperson
>    objectclass: inetorgperson
>    objectclass: inetuser
>    objectclass: posixaccount
>    objectclass: krbprincipalaux
>    objectclass: krbticketpolicyaux
>    objectclass: ipaobject
>    objectclass: mepOriginEntry
> # ipa user-show fbar2 --all --raw
>    dn: uid=fbar2,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>    uid: fbar2
>    givenname: Foo
>    sn: Bar
>    cn: Foo Bar
>    displayname: Foo Bar
>    initials: FB
>    homedirectory: /home/fbar2
>    gecos: Foo Bar
>    loginshell: /bin/sh
>    krbprincipalname: fbar2 at IDM.LAB.BOS.REDHAT.COM
>    uidnumber: 524600004
>    gidnumber: 524600004
>    nsaccountlock: False
>    ipauniqueid: b22ab54c-b115-11e0-b354-00163e0ed706
>    krbpwdpolicyreference: cn=global_policy,cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>    memberof: cn=ipausers,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com<====
>    mepmanagedentry: cn=fbar2,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com<====
>    objectclass: top
>    objectclass: person
>    objectclass: organizationalperson
>    objectclass: inetorgperson
>    objectclass: inetuser
>    objectclass: posixaccount
>    objectclass: krbprincipalaux
>    objectclass: krbticketpolicyaux
>    objectclass: ipaobject
>    objectclass: mepOriginEntry
>
>
> I think there attributes should be added in post_callback (and to the
> tests).
>
> Martin
>

Updated patch attached. The interesting change here is the 
entry_from_entry() function.

Python calls functions passing by value the actual value passed may be 
an immutable reference. This means we can't simply fetch the new entry 
and replace what we already have, we have to do it value by value. We 
also have to wipe out what is already there first because it is possible 
an attribute has disappeared (I don't think one actually does in 
practice in these two calls but it is cleaner this way).

For kicks you can see this in action with this snippet:

def tryme(x):
     x = 5

y = 9
tryme(y)
print y

y is 9. Fun, isn't it?

rob

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-817-4-wait.patch
Type: text/x-diff
Size: 18266 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20110719/a117d038/attachment.bin>

More information about the Freeipa-devel mailing list