[Freeipa-devel] [PATCH] 319 Make ipakrbprincipal objectclass optional

Martin Kosek mkosek at redhat.com
Tue Oct 2 13:04:14 UTC 2012


On 10/02/2012 12:19 PM, Petr Viktorin wrote:
> On 10/01/2012 05:28 PM, Martin Kosek wrote:
>> From IPA 3.0, services have by default ipakrbprincipal objectclass which
>> allows ipakrbprincipalalias attribute used for case-insensitive principal
>> searches. However, as services created in previous version do not have
>> this objectclass (and attribute), they are not listed in service list
>> produced by service-find.
>>
>> Treat the ipakrbprincipal as optional to avoid missing services in
>> service-find command. Add flag to service-mod command which can fill
>> ipakrbprincipalalias attribute when case-insensitive principal searches
>> for a 2.x service are required.
>>
>> https://fedorahosted.org/freeipa/ticket/3106
> 
> This works, I'm getting all services now & the tests pass.
> 
>>
>> -----
>>
>> I am still pondering about a right way to fill ipakrbprincipalalias used for
>> IPA 3.0 case-insensitive searches, so far I implemented this command:
>>
>> ipa service-mod PRINCIPAL --update-principal-alias
>>
>> But I am thinking it may be a better approach to generalize it and do something
>> like that:
>>
>> ipa service-mod PRINCIPAL --upgrade/--update
>>
>> This command would do a general update of service entry to an up-to-date 3.0
>> style, in this case it could do 2 things:
>> * fill ipakrbprincipalalias
>> * fill ipakrbauthzdata (based on default value in IPA config).
> 
> I don't think you're generalizing enough; `service-mod --upgrade` isn't that
> different from `service-mod --update-principal-alias --update-authzdata`.
> Scripting this to happen for all services could be a nuisance, though. There
> should be a way to upgrade all services at once, and since we already have
> ipa-ldap-updater for it, it should run as part of that.
> 
> I think we should keep ipakrbprincipal optional, in case the upgrade goes wrong.
> 

I agree. I created an upgrade plugin which should update all services and fill
ipakrbprincipalalias during upgrade (attached). I tested 2.2 -> 3.0 upgrade and
it worked fine.

Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-319-2-fill-ipakrbprincipalalias-on-upgrades.patch
Type: text/x-patch
Size: 7143 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20121002/5427b4a5/attachment.bin>
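
Added example, not part of the original message or of the attached patch: a small in-memory model of the behaviour discussed in the thread, showing a 2.x service missing from a search that requires ipakrbprincipal, appearing once the objectclass is optional, and becoming reachable by case-insensitive alias lookup after an upgrade pass. The entry layout, the function names, the sample principals, the ipaservice/krbprincipal objectclass values and the choice to fill the alias from krbprincipalname are assumptions made for illustration.

```python
def sample_entries():
    """Constructed sample data: one 3.0-style and one 2.x-style service."""
    return [
        {"objectclass": ["krbprincipal", "ipaservice", "ipakrbprincipal"],
         "krbprincipalname": "HTTP/web.example.test@EXAMPLE.TEST",
         "ipakrbprincipalalias": ["HTTP/web.example.test@EXAMPLE.TEST"]},
        {"objectclass": ["krbprincipal", "ipaservice"],  # no ipakrbprincipal
         "krbprincipalname": "ldap/old.example.test@EXAMPLE.TEST"},
    ]

def has_class(entry, name):
    return name.lower() in (c.lower() for c in entry["objectclass"])

def service_find(entries, require_ipakrbprincipal):
    """List service principals; optionally demand ipakrbprincipal too."""
    found = []
    for e in entries:
        if not has_class(e, "ipaservice"):
            continue
        if require_ipakrbprincipal and not has_class(e, "ipakrbprincipal"):
            continue  # this is how 2.x services drop out of the listing
        found.append(e["krbprincipalname"])
    return found

def find_by_alias(entries, principal):
    """Case-insensitive lookup that depends on ipakrbprincipalalias."""
    want = principal.lower()
    return [e["krbprincipalname"] for e in entries
            if want in (a.lower() for a in e.get("ipakrbprincipalalias", []))]

def upgrade_services(entries):
    """Fill the alias on services lacking it; return the number changed.
    Assumption: the alias value is copied from krbprincipalname."""
    changed = 0
    for e in entries:
        if has_class(e, "ipaservice") and not e.get("ipakrbprincipalalias"):
            if not has_class(e, "ipakrbprincipal"):
                e["objectclass"].append("ipakrbprincipal")
            e["ipakrbprincipalalias"] = [e["krbprincipalname"]]
            changed += 1
    return changed

if __name__ == "__main__":
    entries = sample_entries()
    print("strict listing:  ", service_find(entries, True))
    print("optional listing:", service_find(entries, False))
    print("upgraded:", upgrade_services(entries), "entry")
    print("alias lookup:", find_by_alias(entries, "LDAP/OLD.EXAMPLE.TEST@example.test"))
```

Running the upgrade pass a second time changes nothing, so it is safe to repeat, and the optional-objectclass listing keeps returning every service even if the pass is skipped or fails.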