[Freeipa-devel] [PATCH] 25 Create Tool for Enabling Disabling Managed Entry

Rob Crittenden rcritten at redhat.com
Fri Jul 22 14:16:48 UTC 2011


Martin Kosek wrote:
> On Thu, 2011-07-21 at 23:52 +0000, JR Aquino wrote:
>> On Apr 25, 2011, at 9:00 AM, Simo Sorce wrote:
>>
>>> On Mon, 2011-04-25 at 14:59 +0000, JR Aquino wrote:
>>>> On Apr 25, 2011, at 6:43 AM, Simo Sorce wrote:
>>>>
>>>>> On Thu, 2011-04-21 at 23:28 +0000, JR Aquino wrote:
>>>>>> Hmmm
>>>>>> Both Private Groups and the Hostgroup ->  Netgroup Managed Entries
>>>>>> create objects in the container:
>>>>>> cn=Managed Entries,cn=plugins,cn=config
>>>>>>
>>>>>> Each Ldif contains 2 ldap objects. One that lives in the main $SUFFIX,
>>>>>> and one in the cn=config
>>>>>>
>>>>>> How will these be treated by replication and the multi masters?
>>>>>
>>>>> Only the common objects in the public suffix are replicated.
>>>>> I think at some point we discussed that we should use a filter in the
>>>>> private config entry made so that we could enable/disable the plugin by
>>>>> simply making the filter result true/false.
>>>>> Thus not ever touch the entries in cn=config but simply
>>>>> "enable"/"disable" the functionality by (not)adding the appropriate
>>>>> attributes to objects so that filters would (not) match.
>>>>>
>>>>> Simo.
>>>>
>>>> This tool works by toggling the originfilter: objectclass=disabled in order to turn off the plugin.
>>>
>>> But this is backwards, because originfilter is defined in the
>>> configuration entry stored in cn=config
>>>
>>> Meaning as soon as you change it one server will behave differently from
>>> the others until you go and change it on each and every server.
>>
>> Finally able to revisit this Patch / Ticket:
>> (To be used in conjunction with Patch 38)
>>
>> 25 Create Tool for Enabling/Disabling Managed Entry
>> Plugins https://fedorahosted.org/freeipa/ticket/1181
>>
>> Remove legacy ipa-host-net-manage
>> Add ipa-managed-entries tool
>> Add man page for ipa-managed-entries tool
>>
>
> I have found a few issues with the patch:
>
> 1) I don't think it's necessary to change BuildRequires to
> 389-ds-base-devel >= 1.2.8

I think this is because of the ability to move the config out of cn=config.
It should probably be Requires and not BuildRequires though.

>
> 2) Invalid comment in get_dirman_password() function. There is no
> verification of the password. It just prompts it
>
> 3) ipa-managed-entries man pages: copy & paste error:
> +Directory Server will need to be restarted after the schema
> compatibility plugin has been enabled.
>
> 4) Invalid help of the program:
> # ipa-managed-entries --help
> Usage: ipa-managed-entries [options] <enable|disable>
>         ipa-managed-entries [options]
>
> - status action is missing
> - running program without action is not allowed, i.e. should not be
> offered
>
> 5) I was thinking if there is a better solution to enabling/disabling of
> the plugin. Like setting something like "managedEntryEnabled" attribute
> to on/off as we do with compat plugin. Current concept with disabling
> the definition by damaging the originFilter and then restoring it from
> an LDIF seems a bit awkward to me.

We have to do it this way (or something like it) because cn=config is 
not replicated.

>
> 6) ipa-managed-entries crashes when managed entry is a wrong file:
>
> # ipa-managed-entries status -f /usr/share/ipa/managed-entries.ldif
> Directory Manager password:
>
> Traceback (most recent call last):
>    File "/usr/sbin/ipa-managed-entries", line 245, in <module>
>      sys.exit(main())
>    File "/usr/sbin/ipa-managed-entries", line 141, in main
>      originFilter = entry_attr['originFilter'][0]
> KeyError: 'originFilter'
>
> 7) What if there are more managed entries in the LDIF? This concept
> would not work correctly then. A behavior I would expect:
> a) User (optionally) passes a directory with managed entries LDIFs
> b) ipa-managed-entries analyzes all LDIFs and prints available Managed
> Entry definitions
> c) I would choose the one I want to enable/disable via
> ipa-managed-entries option
>
> Martin

rob
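An added example, not part of the patch or of FreeIPA's own code, for items 6 and 7 above: a status check that enumerates every Managed Entry definition in an LDIF and reports a definition lacking originFilter as invalid rather than raising KeyError. The LDIF below is constructed, and the parser is a deliberate simplification (no line folding, no base64 values).

```python
import re
from typing import Dict, List
# Constructed sample LDIF (not FreeIPA's file): two definitions plus one lacking originFilter.
SAMPLE_LDIF = """\
dn: cn=UPG Definition,cn=Managed Entries,cn=plugins,cn=config
objectclass: extensibleObject
cn: UPG Definition
originFilter: objectclass=posixAccount

dn: cn=NGP Definition,cn=Managed Entries,cn=plugins,cn=config
objectclass: extensibleObject
cn: NGP Definition
originFilter: objectclass=disabled

dn: cn=Broken Definition,cn=Managed Entries,cn=plugins,cn=config
objectclass: extensibleObject
cn: Broken Definition
"""

def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    # Minimal parser: one dict per blank-line-separated record, attribute names lowercased.
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry: Dict[str, List[str]] = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue  # skip blank lines and LDIF comments
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def managed_entry_status(text: str) -> Dict[str, str]:
    # Report every plugin definition; a missing originFilter is "invalid", not a crash.
    status = {}
    for entry in parse_ldif(text):
        dn = entry["dn"][0]
        if "cn=managed entries,cn=plugins,cn=config" not in dn.lower():
            continue  # not a Managed Entry definition; ignore
        name = entry.get("cn", [dn])[0]
        filt = entry.get("originfilter")
        if not filt:
            status[name] = "invalid"
        elif "objectclass=disabled" in filt[0].lower():
            status[name] = "disabled"
        else:
            status[name] = "enabled"
    return status
```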
