[Freeipa-devel] [PATCH 0073] Remove support for IPA deployments with no persistent search

Martin Kosek mkosek at redhat.com
Thu Aug 8 16:20:56 UTC 2013


On 08/07/2013 04:52 PM, Tomas Babej wrote:
> On 08/05/2013 05:59 PM, Martin Kosek wrote:
>> On 07/17/2013 01:47 PM, Tomas Babej wrote:
>>>> I will release version 3.5 before end of this week. I have some small fixes
>>>> ready so it is worth releasing it now.
>>>>
>>>> To summarize the discussion - please remove the following options from
>>>> configuration file and LDAP schema:
>>>> cache_ttl
>>>> psearch (attribute idnsPersistentSearch in idnsConfigObject)
>>>> zone_refresh (attribute idnsZoneRefresh in idnsConfigObject)
>>>>
>>>> -- 
>>>> Petr^2 Spacek
>>> I have a patch ready, but it can't be tested until 3.5 is out.
>>>
>>> Tomas
>>>
>> I did not test the patch yet, I just want to comment on one thing I just
>> noticed.
>>
>> Is it a good idea to remove idnsZoneRefresh and idnsPersistentSearch
>> attribute types and modify idnsConfigObject objectclass?
>>
>> This will affect not only new instances, but also the old ones (i.e. RHEL-6.4)
>> which may still use these attributes. DNS config object would suddenly become
>> unusable because DS would refuse to operate the entry as it does not follow the
>> schema. The same applies for ACIs.
>>
>> I would personally not do these changes yet, I think just hiding and marking as
>> DeprecatedParam is enough for now. Alexander, what do you think?
>>
>> Martin
> We discussed this with Martin. I agreed it would be less cumbersome to
> keep the attributes in schema for now.
> 
> I retested the patches, updated versions attached.
> 
> Petr, can bind-dyndb-ldap handle idnsConfigObject containing idnsPersistentSearch
> and idnsZoneRefresh attributes?
> 

I still see some schema and aci changes:

--- a/install/updates/10-bind-schema.update
+++ b/install/updates/10-bind-schema.update
@@ -44,7 +44,7 @@ add:attributeTypes:
       SUBSTR caseIgnoreIA5SubstringsMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
       X-ORIGIN 'IPA v2' )
-add:attributeTypes:
+remove:attributeTypes:
     ( 2.16.840.1.113730.3.8.5.16
       NAME 'idnsZoneRefresh'
       DESC 'zone refresh interval'
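
Review bot: changing `add:attributeTypes:` to `remove:attributeTypes:` for idnsZoneRefresh (OID 2.16.840.1.113730.3.8.5.16) deletes the attribute type from the schema, which goes against the decision earlier in this thread to keep the attributes in schema for now. Any entry that still holds idnsZoneRefresh would no longer match the schema once this update runs. Suggest leaving this line as `add:attributeTypes:` and handling the deprecation in the framework only.
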
@@ -52,7 +52,7 @@ add:attributeTypes:
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
       SINGLE-VALUE
       X-ORIGIN 'IPA v2' )
-add:attributeTypes:
+remove:attributeTypes:
     ( 2.16.840.1.113730.3.8.5.17
       NAME 'idnsPersistentSearch'
       DESC 'allow persistent searches'
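
Review bot: the `remove:attributeTypes:` line for idnsPersistentSearch (OID 2.16.840.1.113730.3.8.5.17) has the same problem as the idnsZoneRefresh change in the previous hunk: older servers may still have this attribute set on the DNS config entry, and the attribute type would disappear underneath it. Suggest reverting to `add:attributeTypes:` so the definition stays in place.
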
@@ -65,8 +65,7 @@ add:objectClasses:
       NAME 'idnsConfigObject'
       DESC 'DNS global config options'
       STRUCTURAL
-      MAY ( idnsForwardPolicy $$ idnsForwarders $$ idnsAllowSyncPTR $$
-        idnsZoneRefresh $$ idnsPersistentSearch
+      MAY ( idnsForwardPolicy $$ idnsForwarders $$ idnsAllowSyncPTR
       ) )
 add:objectClasses:
     ( 2.16.840.1.113730.3.8.12.18
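
Review bot: the new MAY list of idnsConfigObject drops idnsZoneRefresh and idnsPersistentSearch, so an existing DNS config entry that carries either attribute stops conforming to its object class and the directory server can refuse further operations on it. Suggest keeping the original two-line MAY list, `idnsForwardPolicy $$ idnsForwarders $$ idnsAllowSyncPTR $$ idnsZoneRefresh $$ idnsPersistentSearch`, until the attributes have actually been cleaned out of deployed entries.
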

AND

-    _write_dns_aci_entry = ['add:aci:\'(targetattr = "idnsforwardpolicy ||
idnsforwarders || idnsallowsyncptr || idnszonerefresh ||
idnspersistentsearch")(target = "ldap:///cn=dns,%(realm)s")(version 3.0;acl
"permission:Write DNS Configuration";allow (write) groupdn = "ldap:///cn=Write
DNS Configuration,cn=permissions,cn=pbac,%(realm)s";)\'' %
dict(realm=api.env.basedn)]
+    _write_dns_aci_entry = ['add:aci:\'(targetattr = "idnsforwardpolicy ||
idnsforwarders || idnsallowsyncptr")(target =
"ldap:///cn=dns,%(realm)s")(version 3.0;acl "permission:Write DNS
Configuration";allow (write) groupdn = "ldap:///cn=Write DNS
Configuration,cn=permissions,cn=pbac,%(realm)s";)\'' % dict(realm=api.env.basedn)]
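
Review bot: the new `targetattr` in `_write_dns_aci_entry` no longer lists idnszonerefresh and idnspersistentsearch, so members of "Write DNS Configuration" lose write access to two attributes that remain in the schema and may still be present on the cn=dns entry, including the ability to clear them. Suggest leaving the `targetattr` list unchanged for as long as the schema keeps the attributes. Since the changed value is still applied with `add:aci:`, it is also worth confirming what happens on upgrade to the existing ACI that has the same "permission:Write DNS Configuration" name.
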

Besides these, patch worked fine on both upgrade and new installation. So when
you remove these chunks, it will be ack.

Martin



