[Freeipa-devel] [PATCH] 0019 ipapwd_extop should take precedence over default DS plugin

thierry bordaz tbordaz at redhat.com
Mon Jun 13 15:36:25 UTC 2016 


On 06/13/2016 04:57 PM, Alexander Bokovoy wrote:
> On Mon, 13 Jun 2016, thierry bordaz wrote:
>> This is the fix for https://fedorahosted.org/freeipa/ticket/5944
>
>>> From 2838fbfc7a22b9bc0c1c4dfaf3660d1ac7099461 Mon Sep 17 00:00:00 2001
>> From: Thierry Bordaz <tbordaz at redhat.com>
>> Date: Wed, 8 Jun 2016 14:03:42 +0200
>> Subject: [PATCH] Make sure ipapwd_extop takes precedence over
>> passwd_modify_extop
>>
>> DS core server provides a default plugin (passwd_modify_extop) to handle
>> 1.3.6.1.4.1.4203.1.11.1 extended op 
>> (https://www.ietf.org/rfc/rfc3062.txt)
>>
>> IPA delivers ipa_pwd_extop plugin that should take precedence over
>> the default DS plugin (passwd_modify_extop)
>> ---
>> install/updates/10-ipapwd.update | 9 +++++++++
>> 1 file changed, 9 insertions(+)
>> create mode 100644 install/updates/10-ipapwd.update
>>
>> diff --git a/install/updates/10-ipapwd.update 
>> b/install/updates/10-ipapwd.update
>> new file mode 100644
>> index 0000000..d9bffa2
>> --- /dev/null
>> +++ b/install/updates/10-ipapwd.update
>> @@ -0,0 +1,9 @@
>> +dn: cn=ipa_pwd_extop,cn=plugins,cn=config
>> +# DS core server provides a default plugin (passwd_modify_extop) to 
>> handle
>> +# 1.3.6.1.4.1.4203.1.11.1 extended op 
>> (https://www.ietf.org/rfc/rfc3062.txt)
>> +# the pluginprecedence of the passwd_modify_extop is 50 (default value)
>> +#
>> +# IPA delivers ipa_pwd_extop plugin to handle that extended op
>> +# we need to make sure ipa_pwd_extop is called and so to set a lower
>> +# precedence value
>> +add:nsslapd-pluginprecedence: 49
> Here is the problem: slapi-nis is 49 as well and it should be before
> ipa_pwd_extop.
>
> You need to update install/share/schema_compat.uldif and
> install/updates/10-schema_compat.update to get slapi-nis before
> ipa_pwd_extop.
ipapwd_plugin registers extendedop callback but slapi-nis does not. So I 
do not think they will "fight" for precedence.
Even if slapi-nis register perextendedop they will be on different lists 
and it should not create any issue.

Now I understand that slapi-nis must run with a precedence that should 
be lower than most of the others plugins. Currently it is 49, are you ok 
with a value like 40 ?

> You also need to make sure we depend on the updated 389-ds-base package
> version.

Good !
Now with this dependency we should wait for 389-ds 1.3.5.5 to be 
available, I will resend the review when it will be available.

thanks for  the review
thierry

More information about the Freeipa-devel mailing list