[Freeipa-devel] [PATCH] 0159-0160 Support ID views in compat tree

Alexander Bokovoy abokovoy at redhat.com
Thu Oct 9 11:27:20 UTC 2014


On Thu, 09 Oct 2014, Martin Kosek wrote:
>On 10/09/2014 01:02 PM, Alexander Bokovoy wrote:
>> On Thu, 09 Oct 2014, Alexander Bokovoy wrote:
>>> On Thu, 09 Oct 2014, Martin Kosek wrote:
>>>> On 10/09/2014 09:33 AM, Ludwig Krispenz wrote:
>>>>> all the issues I found are fixed, for me it's ACK
>>>>>
>>>>> On 10/08/2014 07:50 PM, Alexander Bokovoy wrote:
>>>>>> On Tue, 07 Oct 2014, Ludwig Krispenz wrote:
>>>>>>> Hi Alex,
>>>>>>>
>>>>>>> I have a question regarding cbdata.target. It is/was a reference to the
>>>>>>> pblock used to generate a new dn, but now in
>>>>>>> idview_replace_target_dn(&cbdata.target,...) it can be newly allocated and
>>>>>>> should be freed, so I think there should be a return code indicating if it
>>>>>>> was allocated or not.
>>>>>> Yes, good catch.
>>>>>>
>>>>>> I've fixed this and other issues raised in the review.
>>>>>>
>>>>>> I also fixed an issue with an initial lookup by an override. If someone
>>>>>> does a search by an override, we would replace uid|cn=<value> by
>>>>>> uid=<ipaOriginalUid value> if it exists and by <ipaAnchorUUID value>
>>>>>> otherwise -- for groups we don't have ipaOriginalUid as they don't have
>>>>>> uids. Now, the filter would look like (ipaAnchorUUID=:SID:S-...) and if
>>>>>> there is no entry in the map cache, the search will return nothing, the
>>>>>> entry will be staged for lookup through SSSD.
>>>>>>
>>>>>> In the original version lookup in SSSD didn't take ipaAnchorUUID into
>>>>>> account, so the entry would not be found at all. I did add a call to
>>>>>> do sid2name first and then use the name to perform actual SSSD lookup.
>>>>>>
>>>>>> Works nicely now.
>>>>>>
>>>>>> New patch for slapi-nis is attached.
>>>>
>>>> Great! What is the next step? If Nalin (CCed) is OK with the slapi-nis changes
>>>> as well, it would be great to have that pushed there.
>>>>
>>>> Alexander, do you plan to do any other changes in slapi-nis in scope of FreeIPA
>>>> 4.1? When the changes are ready, it would be nice to get slapi-nis released so
>>>> that we can bump FreeIPA slapi-nis requires.
>>> No more changes are planned right now. If Nalin would grant me write
>>> access to slapi-nis.git on fedorahosted.org, I can handle release in Fedora
>>> already.
>> Never say never. The moment I sent this email, I realized I need
>> to fix https://bugzilla.redhat.com/show_bug.cgi?id=1130131
>>
>> The patch is sent in a separate email.
>
>Seen that, thanks! BTW what about
>
>#4435	Trusted AD users are not resolvable in netgroups
>#4403	[RFE] compat tree: show AD members of IPA groups
>
>do you see this also as something that would fit in slapi-nis in 4.1?
I don't think I'll be able to fix them before 4.1. Netgroups support
requires creating additional configuration and in theory could be
simple but needs a lot of care (escaping of embedded string delimiters).
Additionally, netgroups will not yet work with views properly, this is
something that requires more time.

AD members of IPA groups needs more work too as we have no means yet to
pick up and resolve ipaExternalMember in slapi-nis.
-- 
/ Alexander Bokovoy
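
The ownership problem raised in the review of cbdata.target (a borrowed pointer that a rewrite step may replace with freshly allocated memory) can be shown in a small added example. It is not code from the slapi-nis patch; replace_target_dn, resolve_dn and the sample DNs are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a DN rewrite step (not the slapi-nis function).
 * If *target starts with the RDN `from`, point *target at a newly allocated
 * DN with that RDN swapped for `to`.
 * Returns 1: *target was allocated here and the caller must free it.
 *         0: *target is untouched and still borrowed, must NOT be freed.
 *        -1: allocation failed, *target is untouched. */
static int replace_target_dn(char **target, const char *from, const char *to)
{
    size_t flen = strlen(from);
    if (strncmp(*target, from, flen) != 0 || (*target)[flen] != ',')
        return 0;
    const char *rest = *target + flen;      /* ",cn=users,..." */
    size_t n = strlen(to) + strlen(rest) + 1;
    char *dn = malloc(n);
    if (dn == NULL)
        return -1;
    snprintf(dn, n, "%s%s", to, rest);
    *target = dn;
    return 1;
}

/* Caller side: `borrowed` is owned elsewhere and must never be freed here.
 * Copies the effective DN into `out` and returns the ownership code. */
static int resolve_dn(const char *borrowed, char *out, size_t outlen)
{
    char *target = (char *)borrowed;
    int owned = replace_target_dn(&target, "uid=jdoe_view", "uid=jdoe");
    if (owned < 0)
        return -1;
    snprintf(out, outlen, "%s", target);
    if (owned == 1)
        free(target);   /* free only what the callee reported as allocated */
    return owned;
}

int main(void)
{
    char out[128];
    /* Constructed sample DNs. */
    int a = resolve_dn("uid=jdoe_view,cn=users,cn=compat,dc=example,dc=test", out, sizeof out);
    printf("%d %s\n", a, out);
    int b = resolve_dn("uid=other,cn=users,cn=compat,dc=example,dc=test", out, sizeof out);
    printf("%d %s\n", b, out);
    return 0;
}
```

Without the return code the caller has two bad options: always free (which frees memory it does not own when no rewrite happened) or never free (which leaks every rewritten DN).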