[Freeipa-devel] [PATCH] 0019 ipapwd_extop should take precedence over default DS plugin

Alexander Bokovoy abokovoy at redhat.com
Mon Jun 13 16:01:31 UTC 2016 

On Mon, 13 Jun 2016, thierry bordaz wrote:
>
>
>On 06/13/2016 04:57 PM, Alexander Bokovoy wrote:
>>On Mon, 13 Jun 2016, thierry bordaz wrote:
>>>This is the fix for https://fedorahosted.org/freeipa/ticket/5944
>>
>>>>From 2838fbfc7a22b9bc0c1c4dfaf3660d1ac7099461 Mon Sep 17 00:00:00 2001
>>>From: Thierry Bordaz <tbordaz at redhat.com>
>>>Date: Wed, 8 Jun 2016 14:03:42 +0200
>>>Subject: [PATCH] Make sure ipapwd_extop takes precedence over
>>>passwd_modify_extop
>>>
>>>DS core server provides a default plugin (passwd_modify_extop) to handle
>>>1.3.6.1.4.1.4203.1.11.1 extended op 
>>>(https://www.ietf.org/rfc/rfc3062.txt)
>>>
>>>IPA delivers ipa_pwd_extop plugin that should take precedence over
>>>the default DS plugin (passwd_modify_extop)
>>>---
>>>install/updates/10-ipapwd.update | 9 +++++++++
>>>1 file changed, 9 insertions(+)
>>>create mode 100644 install/updates/10-ipapwd.update
>>>
>>>diff --git a/install/updates/10-ipapwd.update 
>>>b/install/updates/10-ipapwd.update
>>>new file mode 100644
>>>index 0000000..d9bffa2
>>>--- /dev/null
>>>+++ b/install/updates/10-ipapwd.update
>>>@@ -0,0 +1,9 @@
>>>+dn: cn=ipa_pwd_extop,cn=plugins,cn=config
>>>+# DS core server provides a default plugin (passwd_modify_extop) 
>>>to handle
>>>+# 1.3.6.1.4.1.4203.1.11.1 extended op 
>>>(https://www.ietf.org/rfc/rfc3062.txt)
>>>+# the pluginprecedence of the passwd_modify_extop is 50 (default value)
>>>+#
>>>+# IPA delivers ipa_pwd_extop plugin to handle that extended op
>>>+# we need to make sure ipa_pwd_extop is called and so to set a lower
>>>+# precedence value
>>>+add:nsslapd-pluginprecedence: 49
>>Here is the problem: slapi-nis is 49 as well and it should be before
>>ipa_pwd_extop.
>>
>>You need to update install/share/schema_compat.uldif and
>>install/updates/10-schema_compat.update to get slapi-nis before
>>ipa_pwd_extop.
>ipapwd_plugin registers extendedop callback but slapi-nis does not. So 
>I do not think they will "fight" for precedence.
>Even if slapi-nis register perextendedop they will be on different 
>lists and it should not create any issue.
>
>Now I understand that slapi-nis must run with a precedence that should 
>be lower than most of the others plugins. Currently it is 49, are you 
>ok with a value like 40 ?
I'm OK with 40, yes. The precedence applies to all callbacks, not just
to preextendedop, so a BIND callback would be affected too.

>>You also need to make sure we depend on the updated 389-ds-base package
>>version.
>
>Good !
>Now with this dependency we should wait for 389-ds 1.3.5.5 to be 
>available, I will resend the review when it will be available.
Yep, thanks.

-- 
/ Alexander Bokovoy

More information about the Freeipa-devel mailing list