[Freeipa-devel] DN patch and documentation
John Dennis
jdennis at redhat.com
Thu Aug 9 19:31:13 UTC 2012
On 08/09/2012 02:08 PM, Rob Crittenden wrote:
> I've been going through the diffs and have some questions in ldap2.py,
> these are primarily pedantic:
Some of your questions can be answered by:
http://jdennis.fedorapeople.org/dn_summary.html
>
> What is the significance of L here:
>
> '2.16.840.1.113730.3.8.L.8' : DN, # ipaTemplateRef
These came from:
install/share/60policyv2.ldif
I didn't notice the .L in the OID which isn't legal (correct?). So beats
me, I can't explain why the OID is specified that way.
>
> There are quite a few assert isinstance(dn, DN). I assume this is mainly
> meant for developers, we aren't expecting to handle that gracefully at
> runtime?
Correct. They are there to prevent future use of dn strings by
developers whose habits die hard. The goal is 100% DN usage 100% of the
time.
If we allow strings some of the time we're on a slippery slope. Think of
it as type enforcement meant to protect ourselves.
The assertions also proved valuable in finding a number of places where
functions failed to return values or correct values. This showed up a
lot in the pre and post callbacks whose signature specifies a return
value but the developer forgot to return a value. Apparently pylint does
not pick these things up.
In production we should disable assertions, we should open a ticket to
disable assertions in production.
>
> It seems to me that allowing a DN passed in as a string would be nice in
> some cases. Calling bind, for example, looks very awkward and isn't as
> readable as cn=directory manager, IMHO. What is the downside of having a
> converter for these?
See the above documentation for the rationale. In particular the section
called "Why did I use tuples instead of strings when initializing DN's?"
> search_ext() has an extra embedded line which makes the function a bit
> confusing to read.
O.K. you lost me on that one :-)
> Do we need to keep _debug_log_ldap?
I don't think it hurts. I found it very useful to see the actual LDAP
data when debugging.
> In search_ext_s() (and a few others) should we just return
> self.convert_result() directly?
Petr asked this question too. I don't have strong feelings either way.
The reason it's stored in another variable is it's easy to add a print
statement or stop in the debugger and examine it when need be. It also
makes it clear it's the IPA formatted results. I don't think there is
much cost to using the variable. I'm not attached to it, it can be changed.
>
> In ldap2::__init__ what would raise an AttributeError and would we want
> to hide that fact with an empty base_dn? Is this attempting to allow the
> use of ldap2.ldap2 in cases where the api is not initialized?
Beats me, that's been in the code for a long time. An empty DN is the
same as an empty string. Maybe we should set it to None instead so we
know base_dn was never initialized properly.
> In ipaserver/ipaldap.py there is a continuance of the assertions, some
> of which don't seem to be needed. For example, in toDict() it shouldn't
> be possible to create an Entry object without having self.dn be a DN
> object, so is this assertion necessary?
Many objects now enforce DN's for their dn attribute. A dn attribute may
only ever be None or an instance of a DN. This is implemented with
dn = ipautil.dn_attribute_property('_dn')
In objects which define their dn property this way an assert
isinstance(self.dn, DN) is not necessary because the dn property
enforces it. So you're correct, those particular asserts could be
removed. They were added before dn type enforcement via object property
was added. I could go through and clean those up, but perhaps we should
open a separate ticket for that.
--
John Dennis <jdennis at redhat.com>
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
More information about the Freeipa-devel
mailing list