[Freeipa-devel] [PATCH] 0159-0160 Support ID views in compat tree

Alexander Bokovoy abokovoy at redhat.com
Mon Oct 6 14:44:13 UTC 2014 

On Mon, 06 Oct 2014, Ludwig Krispenz wrote:
>Hi Alex,
>
>one quick comment:
>I'm afraid the only case where slapi_search_internal_pb() returns -1 
>is if you don't provide a pblock. In all other cases it returns 0 and 
>you have to check:
>slapi_pblock_get(search_pb, SLAPI_PLUGIN_INTOP_RESULT, &result);
Uhm, there are few more cases:

- when filter string is NULL;
- when scope is wrong
- when building a filter struct failed due to memory or syntax error

If return from slapi_search_internal_pb() is 0, we are at least got to
op_shared_search() so we are dealing with the consequence of actually
running the search. I'll add one more check for the result (I had it in
one of original versions before simplification), thanks.

>
>Ludwig
>
>Ludwig
>On 10/01/2014 06:16 PM, Alexander Bokovoy wrote:
>>Hi!
>>
>>Attached are patches to add support of FreeIPA ID views to Schema
>>compatibility plugin (slapi-nis). There are two patches for FreeIPA and
>>a separate patch for slapi-nis. Patches can be applied independently; if
>>old slapi-nis is installed, it will simply work with new configuration
>>but do nothing with respect to answering to requests using host-specific
>>ID views.
>>
>>I included documentation on how slapi-nis ID views feature supposed to
>>work, available in slapi-nis/doc/ipa/ipa-sch.txt. Any comments and fixes
>>are welcome. There are no additional tests in slapi-nis to cover compat
>>trees, we have multiple tests in FreeIPA for this purpose, will be run
>>as part of FreeIPA CI effort.
>>
>>FreeIPA patches add ACIs for accessing ID view-applied entries over
>>compat tree. They also include additional configuration; this
>>configuration is needed to properly resolve ID view overrides when
>>creating compat entries.
>>
>>A second FreeIPA patch adds support to override login shell. This part
>>was missing from the original patchset by Tomas.
>>
>>For trusted AD users one needs patches to SSSD 1.12.2, made by Sumit
>>Bose. There is also a regression (fixed by Sumit as well) that prevents
>>authentication of AD users over PAM which affects authentication over
>>compat tree. With the patch from Sumit authentication works again, both
>>with ID view and without it.
>>
>>
>>
>>_______________________________________________
>>Freeipa-devel mailing list
>>Freeipa-devel at redhat.com
>>https://www.redhat.com/mailman/listinfo/freeipa-devel
>

>_______________________________________________
>Freeipa-devel mailing list
>Freeipa-devel at redhat.com
>https://www.redhat.com/mailman/listinfo/freeipa-devel


-- 
/ Alexander Bokovoy

More information about the Freeipa-devel mailing list