[Freeipa-devel] [PATCHES 00012-0013 v7] Profiles and CA ACLs
Martin Basti
mbasti at redhat.com
Wed Jun 10 13:50:22 UTC 2015
On 10/06/15 13:57, Martin Kosek wrote:
> On 06/10/2015 01:50 PM, Jan Cholasta wrote:
>> Dne 10.6.2015 v 13:44 Martin Basti napsal(a):
>>> On 10/06/15 06:40, Fraser Tweedale wrote:
>>>> On Tue, Jun 09, 2015 at 04:37:56PM +0200, Martin Basti wrote:
>>>>> On 09/06/15 08:58, Fraser Tweedale wrote:
>>>>>> On Mon, Jun 08, 2015 at 08:49:06AM +0200, Martin Kosek wrote:
>>>>>>> On 06/08/2015 03:31 AM, Fraser Tweedale wrote:
>>>>>>>> New patches attached. Comments inline.
>>>>>>> Thanks Fraser!
>>>>>>>
>>>>>>> ...
>>>>>>>>> 5)
>>>>>>>>> Missing referint plugin configuration for attribute
>>>>>>>>> 'ipacaaclmembercertprofile'
>>>>>>>>> Please add it into install/updates/25-referint.update (+ other
>>>>>>>>> member attributes if missing)
>>>>>>>>>
>>>>>>>> Added this. There is a comment in 25-referint.update:
>>>>>>>>
>>>>>>>> # pres and eq indexes defined in 20-indices.update must be set
>>>>>>>> # for all the attributes
>>>>>>>>
>>>>>>>> Can you explain what is required here? Is it just to add: I see
>>>>>>>> things for memberUser and memberHost in indices.ldif but nothing for
>>>>>>>> memberService. Do I need to add to indices.ldif:
>>>>>>>>
>>>>>>>> dn: cn=memberProfile,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
>>>>>>>> changetype: add
>>>>>>>> cn: memberProfile
>>>>>>>> ObjectClass: top
>>>>>>>> ObjectClass: nsIndex
>>>>>>>> nsSystemIndex: false
>>>>>>>> nsIndexType: eq
>>>>>>>> nsIndexType: pres
>>>>>>>> nsIndexType: sub
>>>>>>>>
>>>>>>>> , and similarly for memberCa? Sorry I do not know much about LDAP
>>>>>>>> indexing.
>>>>>>> AFAIR, yes. BTW, where does the "sub" index come from? It is quite
>>>>>>> an expensive index to use and I now cannot think of memberProfile
>>>>>>> search where you would need a substring...
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Martin
>>>>>> Updated patch attached, which adds the indices. (Also rebased).
>>>>>>
>>>>>> There is a commit that seems to indicate that substring index is
>>>>>> needed, so I have included substring indices in this patchset.
>>>>>> Copied Honza in case he wants to comment.
>>>>>>
>>>>>> commit a10521a1dcf69960d6ce0bf5657180b709c297c0
>>>>>> Author: Jan Cholasta <jcholast at redhat.com>
>>>>>> Date: Tue Jun 25 13:16:40 2013 +0000
>>>>>>
>>>>>> Add missing substring indices for attributes managed by the
>>>>>> referint plugin.
>>>>>>
>>>>>> The referint plugin does a substring search on these attributes
>>>>>> each time an entry is deleted, which causes a noticeable slowdown
>>>>>> for large directories if the attributes are not indexed.
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/3706
>>>>>>
>>>>>> Cheers,
>>>>>> Fraser
>>>>> ACK
>>>>>
>>>>> Please send the upgrade patch ASAP :)
>>>>>
>>>>> --
>>>>> Martin Basti
>>>>>
>>>> Thank you for the ACK \o/
>>>>
>>>> Since the patches have not been pushed, here is an updated patchset
>>>> which adds the upgrade behaviour. There are no changes apart from
>>>> the additions to ipaserver/install/server/upgrade.py.
>>>>
>>>> Cheers,
>>>> Fraser
>>> ACK
>> NACK, the new OIDs are not registered.
>>
>> BTW all new attribute names should have the "ipa" prefix. Also I would prefer
>> "CertProfile" instead of just "Profile" in certificate profile related names.
>> Please rename the attributes as follows:
>>
>> memberCa -> ipaMemberCa
>> memberProfile -> ipaMemberCertProfile
>> caCategory -> ipaCaCategory
>> profileCategory -> ipaCertProfileCategory
>>
>> Honza
>>
> +1. I see that other attributes from this feature use the ipa prefix already:
>
> dn: cn=schema
> attributeTypes: (2.16.840.1.113730.3.8.21.1.1 NAME 'ipaCertProfileStoreIssued' DESC 'Store certificates issued using this profile' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.2' )
> objectClasses: (2.16.840.1.113730.3.8.21.2.1 NAME 'ipaCertProfile' SUP top STRUCTURAL MUST ( cn $ description $ ipaCertProfileStoreIssued ) X-ORIGIN 'IPA v4.2' )
>
> Those OIDs should be BTW registered as well, if not already
OID registered.
Patches with updated names attached.
Fraser, can you check that I didn't break anything? :)
--
Martin Basti
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ftweedal+mbasti-0012.12-Add-CA-ACL-plugin.patch
Type: text/x-patch
Size: 45198 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150610/e884577b/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ftweedal+mbasti-0013.12-Enforce-CA-ACLs-in-cert-request-command.patch
Type: text/x-patch
Size: 6249 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150610/e884577b/attachment-0001.bin>
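The thread's point about indexing is that the referint plugin runs a substring search on every attribute it manages each time an entry is deleted, so each such attribute needs eq, pres and sub indices in indices.ldif. The script below is an added example, not code from FreeIPA or from the patches in this thread: it reads an LDIF fragment, reports which referint-managed attributes lack any of the three index types, and emits the nsIndex entry for a missing one in the shape quoted above. The sample LDIF and the attribute list are constructed for the example (the list uses the renamed attributes ipaMemberCa and ipaMemberCertProfile agreed in the thread); the function names are the example's own.

```python
"""Check an indices LDIF for the eq/pres/sub indices that referint-managed
attributes need, and generate LDIF for the ones that are missing.

Added example, not FreeIPA code. The LDIF fragment below is constructed and
only resembles the layout of install/share/indices.ldif.
"""

REQUIRED_INDEX_TYPES = frozenset({"eq", "pres", "sub"})

# Constructed sample: memberUser is fully indexed, memberHost lacks the
# substring index, and the renamed ipaMemberCertProfile has no entry at all.
# The memberHost dn is folded across two lines as LDIF allows (leading space).
SAMPLE_INDICES_LDIF = """\
dn: cn=memberUser,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: memberUser
ObjectClass: top
ObjectClass: nsIndex
nsSystemIndex: false
nsIndexType: eq
nsIndexType: pres
nsIndexType: sub

dn: cn=memberHost,cn=index,cn=userRoot,cn=ldbm
 database,cn=plugins,cn=config
changetype: add
cn: memberHost
ObjectClass: top
ObjectClass: nsIndex
nsSystemIndex: false
nsIndexType: eq
nsIndexType: pres
"""

# Attributes the referint plugin is configured to clean up (constructed list
# using the attribute names agreed in the thread).
REFERINT_ATTRS = ["memberUser", "memberHost", "ipaMemberCa", "ipaMemberCertProfile"]


def parse_ldif(text):
    """Minimal LDIF reader: unfold continuation lines (leading space), split
    entries on blank lines, return a list of {attr_lowercase: [values]}.
    Base64 (::) and URL (:<) values are not needed for index entries."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def indexed_types(entries):
    """Map each nsIndex entry's cn (lowercased) to its set of nsIndexType values."""
    result = {}
    for entry in entries:
        classes = {oc.lower() for oc in entry.get("objectclass", [])}
        if "nsindex" not in classes or "cn" not in entry:
            continue
        result[entry["cn"][0].lower()] = {t.lower() for t in entry.get("nsindextype", [])}
    return result


def find_missing_indices(ldif_text, attrs):
    """Return {attr: set of missing index types} for every attr in attrs that
    is not indexed with all of eq, pres and sub; fully indexed attributes are
    left out of the result."""
    have = indexed_types(parse_ldif(ldif_text))
    missing = {}
    for attr in attrs:
        gap = REQUIRED_INDEX_TYPES - have.get(attr.lower(), set())
        if gap:
            missing[attr] = set(gap)
    return missing


def index_entry_ldif(attr, types=REQUIRED_INDEX_TYPES):
    """LDIF 'add' entry creating an index for attr, in the shape the thread
    quotes (eq, pres, sub under cn=index of userRoot)."""
    lines = [
        "dn: cn=%s,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" % attr,
        "changetype: add",
        "cn: %s" % attr,
        "ObjectClass: top",
        "ObjectClass: nsIndex",
        "nsSystemIndex: false",
    ]
    lines += ["nsIndexType: %s" % t for t in ("eq", "pres", "sub") if t in types]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for attr, gap in sorted(find_missing_indices(SAMPLE_INDICES_LDIF, REFERINT_ATTRS).items()):
        print("%s: missing %s" % (attr, ", ".join(sorted(gap))))
    print(index_entry_ldif("ipaMemberCertProfile"))
```

Run against the sample, the check reports memberHost missing only sub, and both ipa-prefixed attributes missing all three types; the generated entry for ipaMemberCertProfile parses back as complete, so the two halves can be used together to patch an indices file before adding an attribute to 25-referint.update.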