[Freeipa-devel] [PATCHES] OTP Patches

Nathaniel McCallum npmccallum at redhat.com
Fri Feb 21 14:36:18 UTC 2014 

On Fri, 2014-02-21 at 00:08 +0200, Alexander Bokovoy wrote:
> On Thu, 20 Feb 2014, Nathaniel McCallum wrote:
> >> > >>There is an error in libotp's find() function which assumes that
> >> > >>get_basedn() always returns non-NULL value. This is not true for at
> >> > >>least cn=Directory Manager.
> >> > >>
> >> > >>Patch attached.
> >> > >More fixes required, now that Thierry produced the fix for 389-ds ticket
> >> > >47699 which allows to re-arrange schema-compat and ipa-pwd-extop
> >> > >plugins. I'm getting crash in find() in libotp.c for internal search in
> >> > >some other conditions but at least user dn now is the correct one.
> >> > >
> >> > >Stay tuned.
> >> > OK, finally I've got it working -- my last patch had error which could
> >> > be attributed to the late night time.
> >> >
> >> > New patch is attached to fix libotp to work properly with empty base dn
> >> > (such as cn=Directory Manager).
> >> >
> >> > Also I'm attaching the patch that sets precedence of schema-compat
> >> > plugin to 49 (less than default 50). With this patch and 389-ds with
> >> > patch from ticket 47699 compat tree binds work with OTP.
> >> >
> >> > When updated 389-ds-base will be released, we'll need to add Requires:
> >> > to our RPM spec to depend on it. Without the updated 389-ds-base compat
> >> > tree binds will not work with OTP but the rest will be working fine.
> >> >
> >> > Finally, ACK to all OTP patches.
> >>
> >> ACK to both of these patches.
> >
> >I've merged the first patch here --
> >https://www.redhat.com/archives/freeipa-devel/2014-February/msg00341.html
> >
> >I just realized the second patch shouldn't be ACK'd until we have a new
> >389DS release with the fix. When that happens, reissue this patch with
> >an update versioned require.
> No, it can be safely merged as 389DS will use default precedence (50) unless
> the fix is there. So the worst we get is the same as now -- OTP binds
> will not work over compat tree. And when 389DS will be upgraded, they
> will start working after 389DS restart.

But this patch doesn't actually do anything until we get the new version
of 389DS. If we are ever going to add a versioned dependency on the new
389DS for this feature, it should go in this patch. Otherwise, it is an
ACK from me.

Nathaniel

More information about the Freeipa-devel mailing list