[Freeipa-devel] [PATCH] 0108 Add support for compatibility tree for trusted domain users
Alexander Bokovoy
abokovoy at redhat.com
Thu Jul 18 15:45:03 UTC 2013
On Tue, 16 Jul 2013, Jakub Hrozek wrote:
>> >>+ if self.enable_compat:
>> >>+ self.step("Enabling trusted domains support for older clients via Schema Compatibility plugin",
>> >
>> > ^^^^
>> > Nitpick: all the other steps begin with lowercased
>> > letter. Only this one is uppercased, which makes the
>> > tool output look inconsistent:
>> >[15/21]: adding special DNS service records
>> >[16/21]: Enabling trusted domains support for older clients via Schema Compatibility plugin
>> >[17/21]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
>> Thanks. Lowercased it.
>>
>> Updated patch is attached.
>
>Maybe it would be nice if some native English speaker read the man page
>change as well. To me it sounds like there are some articles missing. But
>the code works correctly and sets up the SSSD compat attributes during
>install when told to.
>
>Ack from me, however.
Thanks.
When this patch is pushed to master, you will need slapi-nis built
with my patch in order to actually provide older clients with trusted
domains' users.
The patch to slapi-nis uncovers a dead-lock issue in slapi-nis, because its
operation means SSSD will be contacted as part of serving an LDAP query
over the compat tree. SSSD will then want to obtain a TGT using the
host/ipa.server principal to be able to contact the AD DC. Our KDC driver will
modify the host entry in the main LDAP tree, which will cause a post-op
callback to be triggered in slapi-nis. At this point the callback will
find that the global slapi-nis write lock is already taken by the
original query and will dead-lock.
However, the IPA patch can be applied safely, because it only configures
the slapi-nis trees to serve trusted domains' users over the compat tree, and if
there is no code in slapi-nis to do so, no dead-lock will be triggered.
--
/ Alexander Bokovoy
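The lock cycle described in the message above, reduced to a two-thread model as an added illustration. This is constructed example code, not slapi-nis, SSSD or FreeIPA code: `map_lock` stands in for the global slapi-nis write lock, the `compat_query` thread is the LDAP search over the compat tree that calls out to SSSD, and the `kdc_modify_postop` thread is the host-entry modify that lands in the plugin's post-op callback. The timeouts and the `release_while_waiting` switch are assumptions of the model; in the real chain the callback blocks indefinitely, so the model bounds the waits only to let the demo report instead of hang.

```python
import threading


class CompatTreeDeadlockModel:
    """Constructed model of the slapi-nis dead-lock; not the plugin's real code.

    map_lock        global plugin write lock (held while serving a compat-tree query)
    lookup_pending  the query has asked "SSSD" to resolve a trusted-domain user
    reply_ready     "SSSD" has answered; in reality that requires a TGT from the KDC,
                    whose driver first modifies the host entry in the main LDAP tree
    """

    def __init__(self, release_while_waiting, timeout=0.5):
        self.map_lock = threading.Lock()
        self.lookup_pending = threading.Event()
        self.reply_ready = threading.Event()
        self.release_while_waiting = release_while_waiting  # assumed fix: drop the lock across the call-out
        self.timeout = timeout                              # bounded waits so the demo terminates
        self.postop_ran = False
        self.query_result = None

    def compat_query(self):
        # Thread 1: LDAP search on the compat tree; the plugin takes its global write lock.
        self.map_lock.acquire()
        if self.release_while_waiting:
            # Fixed variant: never block on an outside service while holding the plugin lock.
            self.map_lock.release()
        self.lookup_pending.set()                   # call out to SSSD for the trusted-domain user
        answered = self.reply_ready.wait(self.timeout)
        if self.release_while_waiting:
            self.map_lock.acquire()                 # re-take the lock to build the compat entry
        self.map_lock.release()
        self.query_result = "entry served" if answered else "timed out waiting for SSSD"

    def kdc_modify_postop(self):
        # Thread 2: SSSD asks the KDC for a host/ TGT, the KDC driver modifies the host
        # entry, and that LDAP modify fires the plugin's post-op callback, which needs
        # the very same write lock that thread 1 is still holding.
        self.lookup_pending.wait()
        got = self.map_lock.acquire(timeout=self.timeout / 2)
        if not got:
            return                                  # real code blocks here forever: the dead-lock
        try:
            self.postop_ran = True                  # callback work would happen here
        finally:
            self.map_lock.release()
        self.reply_ready.set()                      # only now can the KDC answer and SSSD reply

    def run(self):
        t_postop = threading.Thread(target=self.kdc_modify_postop)
        t_query = threading.Thread(target=self.compat_query)
        t_postop.start()
        t_query.start()
        t_query.join()
        t_postop.join()
        return self.query_result


def simulate(release_while_waiting):
    """Run one scenario; returns (query outcome, whether the post-op callback ever ran)."""
    model = CompatTreeDeadlockModel(release_while_waiting)
    return model.run(), model.postop_ran


if __name__ == "__main__":
    print("hold lock across call-out:   ", simulate(False))
    print("release lock across call-out:", simulate(True))
```

The first scenario reproduces the mail's cycle: the query owns the lock and waits for SSSD, the post-op callback waits for the lock, and neither side can make progress. The second shows the property any fix must restore, whatever form it takes in the plugin: the global lock is not held while the query depends on work that re-enters the directory server.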