[Freeipa-devel] [PATCHES] OTP Patches

Alexander Bokovoy abokovoy at redhat.com
Thu Feb 13 13:12:53 UTC 2014 

On Wed, 12 Feb 2014, Nathaniel McCallum wrote:
>Through the review process, patches are getting shifted around, added,
>deleted, etc. So I'm now just going to be posting all the patches as an
>ordered set. The set attached is ordered according to my preferred merge
>order. It also places easy to review patches up front. I hope this helps
>reviewers. This format will definitely help me manage the patches.
>
>The first three patches should be very easy reviews and can be merged
>independently.
>
>All current patch critiques have, to my knowledge, been addressed in
>this latest series of patches.
I have tested all the patches altogether, including Web UI patches, and
everything works.

I have set up a COPR repo for others to try:
http://copr.fedoraproject.org/coprs/abbra/freeipa-otp-unstable/

However, there is one issue which I was not yet able to pin-point in the
SLAPI plugins. During FreeIPA install and later on actual use I see
these in the dirsrv error log:

[13/Feb/2014:14:32:52 +0200] - slapi_search_internal_set_pb: NULL parameter
[13/Feb/2014:14:32:52 +0200] - allow_operation: component identity is NULL
[13/Feb/2014:14:32:52 +0200] - slapi_search_internal_set_pb: NULL parameter
[13/Feb/2014:14:32:52 +0200] - allow_operation: component identity is NULL
[13/Feb/2014:14:33:01 +0200] - SLAPI_PLUGIN_BE_TXN_POST_DELETE_FN plugin returned error code -1
[13/Feb/2014:14:33:11 +0200] - slapi_search_internal_set_pb: NULL parameter
[13/Feb/2014:14:33:11 +0200] - allow_operation: component identity is NULL
[13/Feb/2014:14:45:53 +0200] - slapi_search_internal_set_pb: NULL parameter
[13/Feb/2014:14:45:53 +0200] - allow_operation: component identity is NULL

Additionally, when slapi-nis is enabled, LDAP bind with identity from
compat tree fails for OTP use and succeeds for password authentication.

In compat tree we are doing this trick:
1731             /* Otherwise force rewrite of the SLAPI_BIND_TARGET_SDN                     
1732              * and let other plugins to handle it.
1733              * slapi-nis should have plugin ordering set below standard 50 to succeed */
1734             slapi_pblock_get(pb, SLAPI_BIND_TARGET_SDN, &sdn);
1735             if (sdn != NULL) {
1736                 slapi_sdn_free(&sdn);
1737             }
1738             sdn = slapi_sdn_new_dn_byref(ndn);
1739             slapi_pblock_set(pb, SLAPI_BIND_TARGET_SDN, (void*)sdn);
1740             ret = 0;
1741         }

I tried to play with plugin precedence and it didn't really help.

There is definitely a bug (or more) in ipa-pwd-extop in handling
authentication cases. 

-- 
/ Alexander Bokovoy

More information about the Freeipa-devel mailing list