[Freeipa-devel] [PATCHES 00012-0013 v7] Profiles and CA ACLs

Martin Kosek mkosek at redhat.com
Wed Jun 10 11:57:04 UTC 2015


On 06/10/2015 01:50 PM, Jan Cholasta wrote:
> On 10.6.2015 at 13:44, Martin Basti wrote:
>> On 10/06/15 06:40, Fraser Tweedale wrote:
>>> On Tue, Jun 09, 2015 at 04:37:56PM +0200, Martin Basti wrote:
>>>> On 09/06/15 08:58, Fraser Tweedale wrote:
>>>>> On Mon, Jun 08, 2015 at 08:49:06AM +0200, Martin Kosek wrote:
>>>>>> On 06/08/2015 03:31 AM, Fraser Tweedale wrote:
>>>>>>> New patches attached.  Comments inline.
>>>>>> Thanks Fraser!
>>>>>>
>>>>>> ...
>>>>>>>> 5)
>>>>>>>> Missing referint plugin configuration for attribute
>>>>>>>> 'ipacaaclmembercertprofile'
>>>>>>>> Please add it into install/updates/25-referint.update (+ other
>>>>>>>> member
>>>>>>>> attributes if missing)
>>>>>>>>
>>>>>>> Added this.  There is a comment in 25-referint.update:
>>>>>>>
>>>>>>>      # pres and eq indexes defined in 20-indices.update must be set
>>>>>>>      # for all the attributes
>>>>>>>
>>>>>>> Can you explain what is required here?  Is it just to add: I see
>>>>>>> things for memberUser and memberHost in indices.ldif but nothing for
>>>>>>> memberService.  Do I need to add to indices.ldif:
>>>>>>>
>>>>>>>      dn: cn=memberProfile,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
>>>>>>>      changetype: add
>>>>>>>      cn: memberProfile
>>>>>>>      ObjectClass: top
>>>>>>>      ObjectClass: nsIndex
>>>>>>>      nsSystemIndex: false
>>>>>>>      nsIndexType: eq
>>>>>>>      nsIndexType: pres
>>>>>>>      nsIndexType: sub
>>>>>>>
>>>>>>> , and similarly for memberCa?  Sorry I do not know much about LDAP
>>>>>>> indexing.
>>>>>> AFAIR, yes. BTW, where does the "sub" index come from? It is quite an expensive
>>>>>> index to use and I now cannot think of memberProfile search where you would
>>>>>> need a substring...
>>>>>>
>>>>>> Thanks,
>>>>>> Martin
>>>>> Updated patch attached, which adds the indices.  (Also rebased).
>>>>>
>>>>> There is a commit that seems to indicate that substring index is
>>>>> needed, so I have included substring indices in this patchset.
>>>>> Copied Honza in case he wants to comment.
>>>>>
>>>>>      commit a10521a1dcf69960d6ce0bf5657180b709c297c0
>>>>>      Author: Jan Cholasta <jcholast at redhat.com>
>>>>>      Date:   Tue Jun 25 13:16:40 2013 +0000
>>>>>
>>>>>          Add missing substring indices for attributes managed by the
>>>>>          referint plugin.
>>>>>
>>>>>          The referint plugin does a substring search on these
>>>>>          attributes each time an entry is deleted, which causes a
>>>>>          noticeable slowdown for large directories if the attributes
>>>>>          are not indexed.
>>>>>
>>>>>          https://fedorahosted.org/freeipa/ticket/3706
>>>>>
>>>>> Cheers,
>>>>> Fraser
>>>> ACK
>>>>
>>>> Please send the upgrade patch ASAP :)
>>>>
>>>> -- 
>>>> Martin Basti
>>>>
>>> Thank you for the ACK \o/
>>>
>>> Since the patches have not been pushed, here is an updated patchset
>>> which adds the upgrade behaviour.  There are no changes apart from
>>> the additions to ipaserver/install/server/upgrade.py.
>>>
>>> Cheers,
>>> Fraser
>> ACK
> 
> NACK, the new OIDs are not registered.
> 
> BTW all new attribute names should have the "ipa" prefix. Also I would prefer
> "CertProfile" instead of just "Profile" in certificate profile related names.
> Please rename the attributes as follows:
> 
>     memberCa -> ipaMemberCa
>     memberProfile -> ipaMemberCertProfile
>     caCategory -> ipaCaCategory
>     profileCategory -> ipaCertProfileCategory
> 
> Honza
> 

+1. I see that other attributes from this feature use the ipa prefix already:

dn: cn=schema
attributeTypes: (2.16.840.1.113730.3.8.21.1.1 NAME 'ipaCertProfileStoreIssued'
 DESC 'Store certificates issued using this profile' EQUALITY booleanMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.2' )
objectClasses: (2.16.840.1.113730.3.8.21.2.1 NAME 'ipaCertProfile' SUP top
 STRUCTURAL MUST ( cn $ description $ ipaCertProfileStoreIssued )
 X-ORIGIN 'IPA v4.2' )

Those OIDs should BTW be registered as well, if not already.
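Added example (Python 3.8+, not FreeIPA code) for the index requirement discussed in the thread: it parses indices.ldif-style entries, handling RFC 2849 folded lines, and reports which of the eq/pres/sub index types each referint-managed attribute still lacks. The LDIF and the attribute list are constructed for illustration.

```python
# Constructed indices.ldif-style sample; the memberCa dn is folded (RFC 2849).
INDICES_LDIF = """\
dn: cn=memberProfile,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn: memberProfile
ObjectClass: top
ObjectClass: nsIndex
nsIndexType: eq
nsIndexType: pres
nsIndexType: sub

dn: cn=memberCa,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,
 cn=config
cn: memberCa
ObjectClass: top
ObjectClass: nsIndex
nsIndexType: eq
nsIndexType: pres
"""

# Constructed: attributes a 25-referint.update file would hand to referint;
# referint does a substring search on delete, hence 'sub' alongside eq/pres.
REFERINT_ATTRS = ["memberProfile", "memberCa", "memberService"]
REQUIRED_INDEX_TYPES = {"eq", "pres", "sub"}


def parse_ldif(text):
    """Return one {attribute: [values]} dict per LDIF entry (keys lowercased)."""
    entries, current, last_key = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and last_key:
            current[last_key][-1] += raw[1:]  # folded continuation line
        elif raw == "":
            if current:
                entries.append(current)
            current, last_key = {}, None
        elif not raw.startswith("#"):
            name, _, value = raw.partition(":")
            last_key = name.strip().lower()
            current.setdefault(last_key, []).append(value.strip())
    return entries


def audit_indices(ldif_text, referint_attrs):
    """Map each referint attribute to the sorted index types it still lacks."""
    indexed = {}
    for entry in parse_ldif(ldif_text):
        for name in entry.get("cn", []):
            indexed[name.lower()] = {t.lower() for t in entry.get("nsindextype", [])}
    return {a: sorted(gap) for a in referint_attrs
            if (gap := REQUIRED_INDEX_TYPES - indexed.get(a.lower(), set()))}
```

Running `audit_indices(INDICES_LDIF, REFERINT_ATTRS)` flags memberCa as missing its substring index and memberService as having no index entry at all, while the fully indexed memberProfile is not reported.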
