[Freeipa-devel] [PATCH] 272-273 Add service membership to host objects

Rob Crittenden rcritten at redhat.com
Wed Jun 13 13:28:37 UTC 2012


Martin Kosek wrote:
> On Mon, 2012-06-11 at 14:37 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Wed, 2012-06-06 at 09:11 +0200, Petr Vobornik wrote:
>>>> On 06/06/2012 08:01 AM, Martin Kosek wrote:
>>>>> On Tue, 2012-06-05 at 17:35 -0400, Rob Crittenden wrote:
>>>>>> Martin Kosek wrote:
>>>>>>> This set of patches
>>>>>>> 1) Adds support for uni-directional remote membership to baseldap
>>>>>>> plugin (like service->host membership in service managedby attribute) -
>>>>>>> patch 272
>>>>>>> 2) Adds support for service->host membership to host plugin using the
>>>>>>> new interface - patch 273
>>>>>>>
>>>>>>> Martin
>>>>>>
>>>>>> Have you tried this in the UI? Are these new relationships already handled?
>>>>>>
>>>>>> rob
>>>>>
>>>>> I just checked that I didn't break anything in the host page. But with
>>>>> this patch, we could add a tab with a list of services for a selected
>>>>> host. I will check with Petr if the information we provide is enough.
>>>>>
>>>>> Martin
>>>>>
>>>>
>>>> Provided information is sufficient for implementation of UI part.
>>>>
>>>
>>> Thanks Petr, I created a ticket for Web UI to implement this new
>>> relationship:
>>> https://fedorahosted.org/freeipa/ticket/2812
>>>
>>> Martin
>>>
>>
>> This is displaying the DN of the service which is case-insensitive, so
>> for example the HTTP principal shows as : http/ipa.example.com.  Perhaps
>> take the RDN and pull that attribute specifically?
>>
>> rob
>
> Yes, this is caused by our (member) DN normalizing which is a more
> general issue than this patch (I would not hold it because of that).
>
> Look for example at roles, we also put all privileges member DNs to
> lower case:
>
> # ipa role-show helpdesk
>    Role name: helpdesk
>    Description: Helpdesk
>> Privileges: modify users and reset passwords, modify group membership
>
> DNs are normalized as well:
> # ipa role-show helpdesk --all --raw
>    dn: cn=helpdesk,cn=roles,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>    cn: helpdesk
>    description: Helpdesk
>    memberof: cn=modify users and reset passwords,cn=privileges,cn=pbac,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> ...
>
> # ipa privilege-show "modify users and reset passwords"
>    Privilege name: Modify Users and Reset passwords <<< not lowercase
>
>
> Bottom line is that I would not do any extra processing just for
> "remote_attrs" (which would make it inconsistent with the rest). This
> needs to be solved on a more global level.
>
> I see there are at least these two tickets relevant to this issue:
> #2620	renaming of objects is case insensitive
> #2482	Sudo commands are case-insensitive
>
> Martin
>

I think this is a different issue and related to the way we decided to
structure some DNs. IMHO I'd rather not show member service principals
than show an incorrect one.

rob



