[Freeipa-devel] [PATCH, 4.1] 0166 updater: enable uid uniqueness plugin for posixAccount objects

Alexander Bokovoy abokovoy at redhat.com
Tue Oct 21 09:23:03 UTC 2014


On Tue, 21 Oct 2014, thierry bordaz wrote:
>On 10/20/2014 08:25 PM, Alexander Bokovoy wrote:
>>Hi!
>>
>>This patch is for ipa-4-1 branch to enable uniqueness plugin for uid
>>attribute for entries with objectclass posixAccount.
>>
>>We don't have uid uniqueness enforced in FreeIPA < 4.1 yet, but for
>>posixAccounts it worked due to our design of a flat tree: as the uid
>>attribute is part of the DN, renaming user entries
>>enforces uniqueness, as MODRDN will fail if an entry with the same uid
>>already exists.
>>
>>However, it is not enough for ID views -- we should be able to allow
>>ID view overrides for the same uid across multiple views and we should
>>be able to protect uid uniqueness more generally too.
>>
>>Implementation is done via an update plugin that checks for an existing uid
>>uniqueness plugin and, if it is missing, adds it. If the plugin
>>exists, its configuration will be updated.
>>
>>I haven't added update specific to git master where staging subtree is
>>added but I'll do that after FreeIPA 4.1 release as in 4.1 we don't yet
>>have the staging subtree. Currently master has broken setup for uid
>>uniqueness plugin that doesn't actually work anyway so it will be easier
>>to add upgrade over properly configured entry.
>>
>>https://fedorahosted.org/freeipa/ticket/4636
>>
>Hello Alexander,
>
>   In case the DS instance has an already enabled uniqueness 'uid' plugin,
>   I wonder if there is a risk if the configuration of the plugin
>   contains former attributes like nsslapd-pluginarg0.
>   My understanding is that ldap.update_entry will keep those former
>   attributes and add new config attributes like
>   uniqueness-across-all-subtrees.
>   If this is the case, DS will incorrectly configure the plugin
>   because it does not support mixed configuration styles.
>   In that case it will consider only the former attributes.
Yes, this is why I'm saying the support for it will be added with a
patch to master. We don't have uid uniqueness enabled in anything prior
to FreeIPA 4.1, and the code in git master is the only place where a wrong
config could come from. I want to establish a clear base from which the
conversion will come.

-- 
/ Alexander Bokovoy
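As an added illustration of the mixed-configuration concern raised in the thread (this is not code from the patch or from FreeIPA), the snippet below models a 389 DS attribute-uniqueness plugin entry as a dict, shows how an add-only update leaves old nsslapd-pluginargN values next to the new uniqueness-* attributes, and shows a migration that drops the old style first. The new-style attribute names other than uniqueness-across-all-subtrees, and the sample DN, are assumptions taken from the plugin's newer configuration style rather than from this thread.

```python
# Added example: detect and repair a 389 DS uniqueness plugin entry that mixes
# the old nsslapd-pluginargN style with the newer uniqueness-* attributes.
# The entry is a plain dict of attribute name -> list of values (the shape an
# LDAP client returns); nothing here talks to a live directory server.
import re

OLD_ARG = re.compile(r"^nsslapd-pluginarg\d+$", re.IGNORECASE)
NEW_PREFIX = "uniqueness-"

# Constructed sample: an old-style plugin entry as it might exist before the
# update runs, and the new-style attributes the update wants to set.
OLD_STYLE_ENTRY = {
    "cn": ["uid uniqueness"],
    "nsslapd-pluginEnabled": ["on"],
    "nsslapd-pluginarg0": ["uid"],
    "nsslapd-pluginarg1": ["dc=example,dc=com"],   # assumed sample suffix
}
NEW_STYLE_ATTRS = {
    "uniqueness-attribute-name": ["uid"],           # assumed new-style name
    "uniqueness-subtrees": ["dc=example,dc=com"],   # assumed new-style name
    "uniqueness-across-all-subtrees": ["on"],
}


def config_styles(entry):
    """Return the set of configuration styles ('old', 'new') found in entry."""
    styles = set()
    for attr in entry:
        if OLD_ARG.match(attr):
            styles.add("old")
        elif attr.lower().startswith(NEW_PREFIX):
            styles.add("new")
    return styles


def merge_like_update_entry(entry, new_attrs):
    """Mimic an update that only adds or overwrites attributes: the old
    nsslapd-pluginargN values survive, so the result can end up mixed."""
    merged = {k: list(v) for k, v in entry.items()}
    merged.update({k: list(v) for k, v in new_attrs.items()})
    return merged


def migrate_to_new_style(entry, new_attrs):
    """Drop every old-style argument before applying the new-style attributes,
    so the server sees exactly one configuration style."""
    cleaned = {k: list(v) for k, v in entry.items() if not OLD_ARG.match(k)}
    cleaned.update({k: list(v) for k, v in new_attrs.items()})
    return cleaned
```

Checking `config_styles()` on the merged entry before writing it back is the guard the thread asks for: a result containing both styles means the old arguments would still win.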