[Freeipa-devel] [PATCH] 20 Fix empty external member processing
Martin Kosek
mkosek at redhat.com
Tue Apr 3 16:57:27 UTC 2012
On Tue, 2012-04-03 at 15:22 +0200, Ondrej Hamada wrote:
> On 04/03/2012 12:22 PM, Ondrej Hamada wrote:
> > https://fedorahosted.org/freeipa/ticket/2447
> >
> > Validation of external member was failing for empty strings because of
> > wrong condition.
> >
>
> Used clearer solution. Thanks to Rob for advice.

ACK for this patch fixing empty --hosts, --users, etc. options.

We just need to triage the second issue found during testing - an
ability to set invalid external* attribute value with --setattr or
--addattr options.

I see 2 ways to fix that:

1) Ugly fix: Call a similar precallback in all affected *-mod commands
where --addattr or --setattr could be used (netgroup-mod, sudorule-mod,
etc.) which would specifically validate external* attribute values.

2) Nice fix:
- create a param for external hosts, users to the respective
  LDAPObjects - netgroup, sudorule, etc. and implement proper validators
  for them. These params would not be visible for users or cloned for
  Commands. Most code from Ondra's original patch 16 could be re-used
- update Ondra's precallback to use these params for validation
- update --setattr and --addattr param processing to consider also
  these params that exist only in LDAPObject and not in Command

I think it would be OK to just create a ticket for the second issue and
close ticket #2447 with Ondra's patch 20-2 as is.

The new ticket could be targeted for next release as there are more
changes needed, including fixes in --setattr and --addattr processing. I
don't think this issue has a high impact, setting external* attribute
values via --setattr is not really a standard procedure.

Martin