[Freeipa-devel] [PATCHES] OTP Patches

Nathaniel McCallum npmccallum at redhat.com
Mon Mar 24 13:33:33 UTC 2014


On Wed, 2014-03-19 at 17:37 +0200, Alexander Bokovoy wrote:
> On Fri, 21 Feb 2014, Nathaniel McCallum wrote:
> >On Fri, 2014-02-21 at 00:08 +0200, Alexander Bokovoy wrote:
> >> On Thu, 20 Feb 2014, Nathaniel McCallum wrote:
> >> >> > >>There is an error in libotp's find() function which assumes that
> >> >> > >>get_basedn() always returns a non-NULL value. This is not true for at
> >> >> > >>least cn=Directory Manager.
> >> >> > >>
> >> >> > >>Patch attached.
> >> >> > >More fixes required, now that Thierry produced the fix for 389-ds ticket
> >> >> > >47699 which allows re-arranging the schema-compat and ipa-pwd-extop
> >> >> > >plugins. I'm getting a crash in find() in libotp.c for internal search in
> >> >> > >some other conditions but at least the user dn now is the correct one.
> >> >> > >
> >> >> > >Stay tuned.
> >> >> > OK, finally I've got it working -- my last patch had an error which could
> >> >> > be attributed to the late night time.
> >> >> >
> >> >> > New patch is attached to fix libotp to work properly with empty base dn
> >> >> > (such as cn=Directory Manager).
> >> >> >
> >> >> > Also I'm attaching the patch that sets the precedence of the schema-compat
> >> >> > plugin to 49 (less than the default 50). With this patch and 389-ds with
> >> >> > the patch from ticket 47699, compat tree binds work with OTP.
> >> >> >
> >> >> > When the updated 389-ds-base is released, we'll need to add Requires:
> >> >> > to our RPM spec to depend on it. Without the updated 389-ds-base, compat
> >> >> > tree binds will not work with OTP but the rest will be working fine.
> >> >> >
> >> >> > Finally, ACK to all OTP patches.
> >> >>
> >> >> ACK to both of these patches.
> >> >
> >> >I've merged the first patch here --
> >> >https://www.redhat.com/archives/freeipa-devel/2014-February/msg00341.html
> >> >
> >> >I just realized the second patch shouldn't be ACK'd until we have a new
> >> >389DS release with the fix. When that happens, reissue this patch with
> >> >an updated versioned require.
> >> No, it can be safely merged as 389DS will use the default precedence (50) unless
> >> the fix is there. So the worst we get is the same as now -- OTP binds
> >> will not work over the compat tree. And when 389DS is upgraded, they
> >> will start working after a 389DS restart.
> >
> >But this patch doesn't actually do anything until we get the new version
> >of 389DS. If we are ever going to add a versioned dependency on the new
> >389DS for this feature, it should go in this patch. Otherwise, it is an
> >ACK from me.
> The new 389-DS is in Fedora 20 updates stable and Rawhide already:
> 389-ds-base-1.3.2.16-1.fc20. Also, selinux-policy 3.12.1-135 is now in
> Fedora 20 updates testing, providing multiple policy enhancements that
> make it possible for the Apache process to work with kernel-based credential
> caches.
> 
> The attached patch makes use of the new packages.

ACK



