[Freeipa-devel] [PATCH] 0019 - 2 ipapwd_extop should take precedence over default DS plugin

Martin Basti mbasti at redhat.com
Mon Jun 20 17:10:19 UTC 2016



On 16.06.2016 22:29, Alexander Bokovoy wrote:
> On Thu, 16 Jun 2016, thierry bordaz wrote:
>> The version DS 1.3.5.6 is now available. Here is the second version 
>> of the patch taking into account lower precedence for Schema Compat.
>>
>>
>>
>> On 06/13/2016 06:01 PM, Alexander Bokovoy wrote:
>>> On Mon, 13 Jun 2016, thierry bordaz wrote:
>>>>
>>>>
>>>> On 06/13/2016 04:57 PM, Alexander Bokovoy wrote:
>>>>> On Mon, 13 Jun 2016, thierry bordaz wrote:
>>>>>> This is the fix for https://fedorahosted.org/freeipa/ticket/5944
>>>>>
>>>>>>> From 2838fbfc7a22b9bc0c1c4dfaf3660d1ac7099461 Mon Sep 17 
>>>>>>> 00:00:00 2001
>>>>>> From: Thierry Bordaz <tbordaz at redhat.com>
>>>>>> Date: Wed, 8 Jun 2016 14:03:42 +0200
>>>>>> Subject: [PATCH] Make sure ipapwd_extop takes precedence over
>>>>>> passwd_modify_extop
>>>>>>
>>>>>> DS core server provides a default plugin (passwd_modify_extop) to 
>>>>>> handle
>>>>>> 1.3.6.1.4.1.4203.1.11.1 extended op 
>>>>>> (https://www.ietf.org/rfc/rfc3062.txt)
>>>>>>
>>>>>> IPA delivers ipa_pwd_extop plugin that should take precedence over
>>>>>> the default DS plugin (passwd_modify_extop)
>>>>>> ---
>>>>>> install/updates/10-ipapwd.update | 9 +++++++++
>>>>>> 1 file changed, 9 insertions(+)
>>>>>> create mode 100644 install/updates/10-ipapwd.update
>>>>>>
>>>>>> diff --git a/install/updates/10-ipapwd.update 
>>>>>> b/install/updates/10-ipapwd.update
>>>>>> new file mode 100644
>>>>>> index 0000000..d9bffa2
>>>>>> --- /dev/null
>>>>>> +++ b/install/updates/10-ipapwd.update
>>>>>> @@ -0,0 +1,9 @@
>>>>>> +dn: cn=ipa_pwd_extop,cn=plugins,cn=config
>>>>>> +# DS core server provides a default plugin (passwd_modify_extop) 
>>>>>> to handle
>>>>>> +# 1.3.6.1.4.1.4203.1.11.1 extended op 
>>>>>> (https://www.ietf.org/rfc/rfc3062.txt)
>>>>>> +# the pluginprecedence of the passwd_modify_extop is 50 (default 
>>>>>> value)
>>>>>> +#
>>>>>> +# IPA delivers ipa_pwd_extop plugin to handle that extended op
>>>>>> +# we need to make sure ipa_pwd_extop is called and so to set a 
>>>>>> lower
>>>>>> +# precedence value
>>>>>> +add:nsslapd-pluginprecedence: 49
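Review bot: the value on the `add:nsslapd-pluginprecedence: 49` line is justified in the comment only against the default of 50, so nothing in the file says which other plugins it has to order against. As the reply below points out, slapi-nis already uses 49; extend the comment to name the plugins that must stay below this value and the one (passwd_modify_extop) that must stay above it, so a later precedence change elsewhere cannot silently produce a tie.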
>>>>> Here is the problem: slapi-nis is 49 as well and it should be before
>>>>> ipa_pwd_extop.
>>>>>
>>>>> You need to update install/share/schema_compat.uldif and
>>>>> install/updates/10-schema_compat.update to get slapi-nis before
>>>>> ipa_pwd_extop.
>>>> ipapwd_plugin registers extendedop callback but slapi-nis does not. 
>>>> So I do not think they will "fight" for precedence.
>>>> Even if slapi-nis registers preextendedop they will be on different 
>>>> lists and it should not create any issue.
>>>>
>>>> Now I understand that slapi-nis must run with a precedence that 
>>>> should be lower than most of the other plugins. Currently it is 
>>>> 49, are you ok with a value like 40?
>>> I'm OK with 40, yes. The precedence applies to all callbacks, not just
>>> to preextendedop, so a BIND callback would be affected too.
>>>
>>>>> You also need to make sure we depend on the updated 389-ds-base 
>>>>> package
>>>>> version.
>>>>
>>>> Good !
>>>> Now with this dependency we should wait for 389-ds 1.3.5.5 to be 
>>>> available, I will resend the review when it is available.
>>> Yep, thanks.
>>>
>>
>
>> From 81af4f17deca1814851429a054804b5bc9f63491 Mon Sep 17 00:00:00 2001
>> From: Thierry Bordaz <tbordaz at redhat.com>
>> Date: Thu, 16 Jun 2016 16:28:03 +0200
>> Subject: [PATCH] Make sure ipapwd_extop takes precedence over
>> passwd_modify_extop
>>
>> DS core server provides a default plugin (passwd_modify_extop) to handle
>> 1.3.6.1.4.1.4203.1.11.1 extended op 
>> (https://www.ietf.org/rfc/rfc3062.txt)
>>
>> IPA delivers ipa_pwd_extop plugin that should take precedence over
>> the default DS plugin (passwd_modify_extop)
>>
>> In addition make sure that slapi-nis has a low precedence
>> ---
>> install/share/schema_compat.uldif       | 2 +-
>> install/updates/10-ipapwd.update        | 9 +++++++++
>> install/updates/10-schema_compat.update | 2 +-
>> 3 files changed, 11 insertions(+), 2 deletions(-)
>> create mode 100644 install/updates/10-ipapwd.update
>>
>> diff --git a/install/share/schema_compat.uldif 
>> b/install/share/schema_compat.uldif
>> index a3d412f..66f8ea1 100644
>> --- a/install/share/schema_compat.uldif
>> +++ b/install/share/schema_compat.uldif
>> @@ -16,7 +16,7 @@ default:nsslapd-pluginid: schema-compat-plugin
>> # We need to run schema-compat pre-bind callback before
>> # other IPA pre-bind callbacks to make sure bind DN is
>> # rewritten to the original entry if needed
>> -default:nsslapd-pluginprecedence: 49
>> +default:nsslapd-pluginprecedence: 40
>> default:nsslapd-pluginversion: 0.8
>> default:nsslapd-pluginbetxn: on
>> default:nsslapd-pluginvendor: redhat.com
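Review bot: the comment above the changed `default:nsslapd-pluginprecedence` line still explains only the pre-bind ordering and gives no reason for 40. Add a line saying the value must remain below the 49 that 10-ipapwd.update sets on ipa_pwd_extop, and that the same number is repeated in 10-schema_compat.update, so the three settings are changed together.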
>> diff --git a/install/updates/10-ipapwd.update 
>> b/install/updates/10-ipapwd.update
>> new file mode 100644
>> index 0000000..d9bffa2
>> --- /dev/null
>> +++ b/install/updates/10-ipapwd.update
>> @@ -0,0 +1,9 @@
>> +dn: cn=ipa_pwd_extop,cn=plugins,cn=config
>> +# DS core server provides a default plugin (passwd_modify_extop) to 
>> handle
>> +# 1.3.6.1.4.1.4203.1.11.1 extended op 
>> (https://www.ietf.org/rfc/rfc3062.txt)
>> +# the pluginprecedence of the passwd_modify_extop is 50 (default value)
>> +#
>> +# IPA delivers ipa_pwd_extop plugin to handle that extended op
>> +# we need to make sure ipa_pwd_extop is called and so to set a lower
>> +# precedence value
>> +add:nsslapd-pluginprecedence: 49
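Review bot: the comment block ending at `add:nsslapd-pluginprecedence: 49` assumes the server honours this precedence for the extended operation, and the thread ties that to an updated 389-ds-base, yet the diffstat lists only the three files under install/ and no packaging change. Either add the minimum 389-ds-base version requirement to this patch or state in the commit message where it is handled.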
>> diff --git a/install/updates/10-schema_compat.update 
>> b/install/updates/10-schema_compat.update
>> index 2d257a3..e4c257d 100644
>> --- a/install/updates/10-schema_compat.update
>> +++ b/install/updates/10-schema_compat.update
>> @@ -74,7 +74,7 @@ dn: cn=Schema Compatibility,cn=plugins,cn=config
>> # We need to run schema-compat pre-bind callback before
>> # other IPA pre-bind callbacks to make sure bind DN is
>> # rewritten to the original entry if needed
>> -add:nsslapd-pluginprecedence: 49
>> +add:nsslapd-pluginprecedence: 40
>>
>> dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
>> add:schema-compat-entry-attribute: 
>> %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","")
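Review bot: on the `+add:nsslapd-pluginprecedence: 40` line, the removed line shows that already-installed servers received 49 through the same `add:` directive, so the upgrade path needs checking: the entry should end up with the single value 40, not with 49 kept or with both values. Confirm this on an upgraded server, or use an update directive that replaces the existing value, and say so in the comment.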
>> -- 
>> 2.5.0
>>
> ACK
>
Pushed to:
master: 8192e2f8c19acbc0c20903b54707cb42aec6e778
ipa-4-3: cabcd81396d4fe4b214b0b830c0beab1350f7a14
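
An added example, not part of the thread or of FreeIPA's code: a Python check of the ordering the thread settles on (Schema Compat before ipa_pwd_extop before the default handler at 50), run over constructed LDIF. The function names, the sample entries and the placeholder DN for the default plugin are assumptions.

```python
import re

DEFAULT_PRECEDENCE = 50  # default value stated in the patch's own comment

# Constructed sample of the first patch version: both IPA plugins at 49.
# The third DN is a placeholder; the page gives no DN for the default plugin.
V1_LDIF = """\
dn: cn=Schema Compatibility,cn=plugins,cn=config
nsslapd-pluginprecedence: 49

dn: cn=ipa_pwd_extop,cn=plugins,cn=config
nsslapd-pluginprecedence: 49

dn: cn=default-passwd-extop-placeholder,cn=plugins,cn=config
"""
V2_LDIF = V1_LDIF.replace("49", "40", 1)  # second version: Schema Compat at 40

# Required call order agreed in the thread, lowest precedence value first.
CHAIN = [
    "cn=Schema Compatibility,cn=plugins,cn=config",
    "cn=ipa_pwd_extop,cn=plugins,cn=config",
    "cn=default-passwd-extop-placeholder,cn=plugins,cn=config",
]

def plugin_precedences(ldif_text):
    """Map each entry DN (lower-cased) to its effective precedence."""
    unfolded = re.sub(r"\n ", "", ldif_text)  # undo LDIF line folding
    result = {}
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
        if "dn" not in attrs:
            continue
        values = attrs.get("nsslapd-pluginprecedence", [])
        if len(values) > 1:  # e.g. an upgrade that added 40 next to 49
            raise ValueError(f"{attrs['dn'][0]}: {len(values)} precedence values")
        result[attrs["dn"][0].lower()] = int(values[0]) if values else DEFAULT_PRECEDENCE
    return result

def check_order(precedences, chain=CHAIN):
    """Return one message per adjacent pair that is tied or out of order."""
    problems = []
    for first, second in zip(chain, chain[1:]):
        a, b = precedences[first.lower()], precedences[second.lower()]
        if a >= b:
            problems.append(f"{first} ({a}) does not precede {second} ({b})")
    return problems
```
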



