[Freeipa-devel] [Patch] 0001-2 User Life Cycle: create containers and scoping DS plugins

Martin Kosek mkosek at redhat.com
Mon Sep 1 06:31:10 UTC 2014


Thanks. ACK, pushed to master.

Martin

On 08/29/2014 04:36 PM, thierry bordaz wrote:
> Hello,
> 
>    Partially reverts commit of 04ea75a7a5109907ede2a0216bd39fac46a992c0
> 
>    The fix 04ea75a7a5109907ede2a0216bd39fac46a992c0 restricted the DNA
>    scope to 'cn=accounts,SUFFIX'.
>    This was invalid. If you run a recent master instance (with that
>    scoping) you may need to reinstall IPA or do the following:
> 
>        ldapmodify -h .. -p 389 -D "cn=directory manager" -w xxx
>        dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
>        changetype: modify
>        replace: dnaScope
>        dnaScope: $SUFFIX
> 
>        ipactl restart
> 
>    Thanks Sumit for this catch. The new patch reverts the change in the dna
>    update.
> 
>    thierry
> 
> On 08/28/2014 08:58 PM, Sumit Bose wrote:
>> On Thu, Aug 28, 2014 at 08:41:57PM +0200, thierry bordaz wrote:
>>> On 08/28/2014 08:30 PM, Sumit Bose wrote:
>>>> On Thu, Aug 28, 2014 at 07:26:51PM +0200, thierry bordaz wrote:
>>>>> On 08/28/2014 06:51 PM, Sumit Bose wrote:
>>>>>> On Thu, Aug 14, 2014 at 07:18:40PM +0200, thierry bordaz wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>>     Following Petr remarks from the previous review, I modified the
>>>>>>>     original fix to move it only in '.update' files.
>>>>>>>
>>>>>>>     Thanks
>>>>>>>     thierry
>>>>>>>
>>>>>>>  From d45e78dfeb7761348c464b3bb3956656bb115ce0 Mon Sep 17 00:00:00 2001
>>>>>>> From: "Thierry bordaz (tbordaz)" <tbordaz at redhat.com>
>>>>>>> Date: Thu, 7 Aug 2014 16:29:02 +0200
>>>>>>> Subject: [PATCH] User Life Cycle: create containers and scoping  DS plugins
>>>>>>>
>>>>>>> User Life Cycle is designed at
>>>>>>> http://www.freeipa.org/page/V4/User_Life-Cycle_Management
>>>>>>> It manages 3 containers (Staging, Active, Delete). At install/upgrade
>>>>>>> the Delete and Staging containers need to be created.
>>>>>>>         Active: cn=users,cn=accounts,$SUFFIX
>>>>>>>         Delete: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
>>>>>>>         Stage:  cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
>>>>>>>
>>>>>>> Plugins scopes:
>>>>>>>         krbPrincipalName, krbCanonicalName, ipaUniqueID, uid:
>>>>>>>             cn=accounts,SUFFIX
>>>>>>>             cn=deleted users,cn=accounts,cn=provisioning,SUFFIX
>>>>>>>         DNA:
>>>>>>>             cn=accounts,SUFFIX
>>>>>> Hi Thierry,
>>>>>>
>>>>>> sorry for being late, but cn=accounts,SUFFIX is too strict for the DNA
>>>>>> plugin. We need to generate a UID for the trusted domain objects as
>>>>>> well which are stored in cn=trusts,SUFFIX. The reason is that AD
>>>>>> expects to be able to connect with a special trusted domain account. We
>>>>>> generate this account on the fly based on the data in the trusted domain
>>>>>> object hence we need a UID here.
>>>>>>
>>>>>> Since it looks like dnaScope is a SINGLE-VALUE attribute I think
>>>>>> dnaScope has to be reverted to SUFFIX. Do you see any drawbacks or a
>>>>>> different solution?
>>>>>>
>>>>>> bye,
>>>>>> Sumit
>>>>> Hello Sumit,
>>>>>
>>>>>     Thank you so much for having reviewed this fix and your important
>>>>>     feedback !
>>>>>
>>>>>     Yes I had the same fear to restrict DNA to 'accounts'. I opened
>>>>>     https://fedorahosted.org/389/ticket/47828
>>>>>     to allow to exclude a part of the DIT (here
>>>>>     'cn=provisioning,SUFFIX') from the scope of DNA plugin.
>>>>>     Do you think it can address this concern?
>>>> Yes, in general this would fix the issue. I'm just wondering if it
>>>> wouldn't be easier with respect to coding and management to make
>>>> dnaScope a multi-value attribute?
>>>>
>>>> Additionally a fix for IPA master is needed to make trusts work again.
>>>> Would it be possible to tweak the filter to skip objects in
>>>> cn=provisioning? E.g. do those objects have the ipaObject objectclass?
>>> Yes, stage entries have 'objectclass=ipaObject'.
>>> Do you suggest removing this oc from staged entries, so that the filter
>>> will not match them? I have to check the impact of a staged user not being
>>> an ipaObject.
>> no, it was just a suggestion. Maybe we can use entryDN like:
>>
>> (&(|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDobject))(!(entrydn=*cn=provisioning*)))
>>
>>
>> bye,
>> Sumit
>>
>>> thanks
>>> thierry
>>>> bye,
>>>> Sumit
>>>>
>>>>>     thanks
>>>>>     thierry
>>>>>
>>>>>>>         Plugins exclude subtree:
>>>>>>>         IPA UUID, Referential Integrity, memberOf:
>>>>>>>             cn=provisioning,SUFFIX
>>>>>>>
>>>>>>> Reviewed-By: Petr Viktorin <pviktori at redhat.com>
>>>>>>>
>>>>>>> https://fedorahosted.org/freeipa/ticket/3813
>>>>>>> ---
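The scoping question discussed in the thread, as an added example that is not part of the original patch or the list discussion: a small evaluator that applies a dnaScope base and a dnaFilter to constructed sample entries, showing why 'cn=accounts,SUFFIX' drops the trusted-domain object under cn=trusts while Sumit's entrydn filter keeps it and skips cn=provisioning. The suffix, the sample DNs and the inner objectClass disjunction are assumptions.

```python
import fnmatch

SUFFIX = "dc=example,dc=test"  # assumed suffix for the constructed entries

# Constructed sample entries: attribute names lower-cased, values as lists.
ENTRIES = {
    f"uid=alice,cn=users,cn=accounts,{SUFFIX}":
        {"objectclass": ["posixAccount", "ipaObject"]},
    f"uid=bob,cn=staged users,cn=accounts,cn=provisioning,{SUFFIX}":
        {"objectclass": ["posixAccount", "ipaObject"]},
    f"cn=ad.test,cn=ad,cn=trusts,{SUFFIX}":
        {"objectclass": ["ipaIDobject", "ipaNTTrustedDomain"]},
}

# Assumed current filter (the disjunction Sumit wraps) and his proposed one.
BASE_FILTER = "(|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDobject))"
PROPOSED_FILTER = "(&" + BASE_FILTER + "(!(entrydn=*cn=provisioning*)))"

def in_scope(dn, scope):
    """True if dn equals scope or lies below it (case-insensitive)."""
    dn, scope = dn.lower(), scope.lower()
    return dn == scope or dn.endswith("," + scope)

def parse(s, i=0):
    """Parse one &, |, ! or equality item at s[i]; return (node, next_index)."""
    assert s[i] == "("
    if s[i + 1] in "&|!":
        op, i, kids = s[i + 1], i + 2, []
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        return (op, kids), i + 1  # skip the closing ')'
    end = s.index(")", i)
    attr, val = s[i + 1:end].split("=", 1)
    return ("=", attr.lower(), val), end + 1

def matches(node, dn, attrs):
    kind = node[0]
    if kind == "&": return all(matches(k, dn, attrs) for k in node[1])
    if kind == "|": return any(matches(k, dn, attrs) for k in node[1])
    if kind == "!": return not matches(node[1][0], dn, attrs)
    _, attr, pat = node
    # entrydn is the virtual attribute the thread proposes filtering on
    values = [dn] if attr == "entrydn" else attrs.get(attr, [])
    return any(fnmatch.fnmatchcase(v.lower(), pat.lower()) for v in values)

def dna_candidates(scope, filt):
    """DNs that are inside dnaScope and match dnaFilter, sorted."""
    tree, _ = parse(filt)
    return sorted(dn for dn, a in ENTRIES.items()
                  if in_scope(dn, scope) and matches(tree, dn, a))

if __name__ == "__main__":
    print(dna_candidates("cn=accounts," + SUFFIX, BASE_FILTER))  # loses the trust
    print(dna_candidates(SUFFIX, PROPOSED_FILTER))               # keeps trust, skips staged
```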