[Freeipa-devel] [PATCHES 00012-0013 v7] Profiles and CA ACLs

Martin Basti mbasti at redhat.com
Wed Jun 10 13:50:22 UTC 2015


On 10/06/15 13:57, Martin Kosek wrote:
> On 06/10/2015 01:50 PM, Jan Cholasta wrote:
>> Dne 10.6.2015 v 13:44 Martin Basti napsal(a):
>>> On 10/06/15 06:40, Fraser Tweedale wrote:
>>>> On Tue, Jun 09, 2015 at 04:37:56PM +0200, Martin Basti wrote:
>>>>> On 09/06/15 08:58, Fraser Tweedale wrote:
>>>>>> On Mon, Jun 08, 2015 at 08:49:06AM +0200, Martin Kosek wrote:
>>>>>>> On 06/08/2015 03:31 AM, Fraser Tweedale wrote:
>>>>>>>> New patches attached.  Comments inline.
>>>>>>> Thanks Fraser!
>>>>>>>
>>>>>>> ...
>>>>>>>>> 5)
>>>>>>>>> Missing referint plugin configuration for attribute
>>>>>>>>> 'ipacaaclmembercertprofile'
>>>>>>>>> Please add it into install/updates/25-referint.update (+ other
>>>>>>>>> member
>>>>>>>>> attributes if missing)
>>>>>>>>>
>>>>>>>> Added this.  There is a comment in 25-referint.update:
>>>>>>>>
>>>>>>>>       # pres and eq indexes defined in 20-indices.update must be set
>>>>>>>>       # for all the attributes
>>>>>>>>
>>>>>>>> Can you explain what is required here?  Is it just to add: I see
>>>>>>>> things for memberUser and memberHost in indices.ldif but nothing for
>>>>>>>> memberService.  Do I need to add to indices.ldif:
>>>>>>>>
>>>>>>>>       dn: cn=memberProfile,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
>>>>>>>>       changetype: add
>>>>>>>>       cn: memberProfile
>>>>>>>>       ObjectClass: top
>>>>>>>>       ObjectClass: nsIndex
>>>>>>>>       nsSystemIndex: false
>>>>>>>>       nsIndexType: eq
>>>>>>>>       nsIndexType: pres
>>>>>>>>       nsIndexType: sub
>>>>>>>>
>>>>>>>> , and similarly for memberCa?  Sorry I do not know much about LDAP
>>>>>>>> indexing.
>>>>>>> AFAIR, yes. BTW, where does the "sub" index come from? It is quite
>>>>>>> an expensive index to use and I now cannot think of a memberProfile
>>>>>>> search where you would need a substring...
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Martin
>>>>>> Updated patch attached, which adds the indices.  (Also rebased).
>>>>>>
>>>>>> There is a commit that seems to indicate that substring index is
>>>>>> needed, so I have included substring indices in this patchset.
>>>>>> Copied Honza in case he wants to comment.
>>>>>>
>>>>>>       commit a10521a1dcf69960d6ce0bf5657180b709c297c0
>>>>>>       Author: Jan Cholasta <jcholast at redhat.com>
>>>>>>       Date:   Tue Jun 25 13:16:40 2013 +0000
>>>>>>
>>>>>>           Add missing substring indices for attributes managed by the
>>>>>>           referint plugin.
>>>>>>
>>>>>>           The referint plugin does a substring search on these
>>>>>>           attributes each time an entry is deleted, which causes a
>>>>>>           noticeable slowdown for large directories if the attributes
>>>>>>           are not indexed.
>>>>>>
>>>>>>           https://fedorahosted.org/freeipa/ticket/3706
>>>>>>
>>>>>> Cheers,
>>>>>> Fraser
>>>>> ACK
>>>>>
>>>>> Please send the upgrade patch ASAP :)
>>>>>
>>>>> -- 
>>>>> Martin Basti
>>>>>
>>>> Thank you for the ACK \o/
>>>>
>>>> Since the patches have not been pushed, here is an updated patchset
>>>> which adds the upgrade behaviour.  There are no changes apart from
>>>> the additions to ipaserver/install/server/upgrade.py.
>>>>
>>>> Cheers,
>>>> Fraser
>>> ACK
>> NACK, the new OIDs are not registered.
>>
>> BTW all new attribute names should have the "ipa" prefix. Also I would prefer
>> "CertProfile" instead of just "Profile" in certificate profile related names.
>> Please rename the attributes as follows:
>>
>>      memberCa -> ipaMemberCa
>>      memberProfile -> ipaMemberCertProfile
>>      caCategory -> ipaCaCategory
>>      profileCategory -> ipaCertProfileCategory
>>
>> Honza
>>
> +1. I see that other attributes from this feature use the ipa prefix already:
>
> dn: cn=schema
> attributeTypes: (2.16.840.1.113730.3.8.21.1.1 NAME 'ipaCertProfileStoreIssued'
> DESC 'Store certificates issued using this profile' EQUALITY booleanMatch
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.2' )
> objectClasses: (2.16.840.1.113730.3.8.21.2.1 NAME 'ipaCertProfile' SUP top
> STRUCTURAL MUST ( cn $ description $ ipaCertProfileStoreIssued ) X-ORIGIN 'IPA v4.2' )
>
> Those OIDs should be BTW registered as well, if not already
OID registered.

Patches with updated names attached.
Fraser, can you check that I didn't break anything? :)

-- 
Martin Basti
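The comment quoted from 25-referint.update says every referint-managed attribute must be indexed, and the quoted commit explains why the substring index matters. The following is an added example, not FreeIPA code or code from this thread: given an indices LDIF and the list of attribute names the referint plugin manages, it reports which attributes still lack an eq, pres or sub index. The LDIF is constructed (memberProfile copies the entry from the thread, ipaMemberCa deliberately lacks sub); names are compared case-insensitively, as LDAP attribute names are.

```python
# Added example (not FreeIPA code): check that every referint-managed attribute
# has the eq, pres and sub indexes its delete-time substring search needs.
import re

REQUIRED = {"eq", "pres", "sub"}

# Constructed sample: memberProfile is the entry from the thread,
# ipaMemberCa deliberately lacks the substring index.
SAMPLE_INDICES_LDIF = """\
dn: cn=memberProfile,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn: memberProfile
ObjectClass: nsIndex
nsIndexType: eq
nsIndexType: pres
nsIndexType: sub

dn: cn=ipaMemberCa,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn: ipaMemberCa
ObjectClass: nsIndex
nsIndexType: eq
nsIndexType: pres
"""


def parse_index_types(ldif_text):
    """Map each index entry's cn (lower-cased, since LDAP attribute names
    are case-insensitive) to the set of its nsIndexType values."""
    indexes = {}
    for block in re.split(r"\n\s*\n", ldif_text.strip()):
        name, types = None, set()
        for line in block.splitlines():
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip().lower()
            if key == "cn":
                name = value
            elif key == "nsindextype":
                types.add(value)
        if name:
            indexes[name] = types
    return indexes


def missing_referint_indexes(ldif_text, referint_attrs):
    """Return {attr: sorted missing index types} for attrs not fully indexed."""
    indexes = parse_index_types(ldif_text)
    missing = {}
    for attr in referint_attrs:
        gap = REQUIRED - indexes.get(attr.lower(), set())
        if gap:
            missing[attr] = sorted(gap)
    return missing
```

Feeding it the lower-case names as the referint config lists them (e.g. memberprofile, ipamemberca, ipamembercertprofile) flags ipamemberca as missing sub and ipamembercertprofile as missing all three.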

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ftweedal+mbasti-0012.12-Add-CA-ACL-plugin.patch
Type: text/x-patch
Size: 45198 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150610/e884577b/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ftweedal+mbasti-0013.12-Enforce-CA-ACLs-in-cert-request-command.patch
Type: text/x-patch
Size: 6249 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150610/e884577b/attachment-0001.bin>