<html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> <div class="moz-cite-prefix">Hello, <blockquote>Partially reverts commit of 04ea75a7a5109907ede2a0216bd39fac46a992c0 The fix 04ea75a7a5109907ede2a0216bd39fac46a992c0 restricted the DNA scope to 'cn=accounts,SUFFIX' . This was invalid. If you run recent master instance (with that scoping) you may need to reinstall IPA or do the following: <blockquote><tt>ldapmodify -h .. -p 389 -D "cn=directory manager" -w xxx</tt><tt> </tt><tt>cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config</tt><tt> </tt><tt>changetype: modify</tt><tt> </tt><tt>replace: dnaScope</tt><tt> </tt><tt>dnaScope: $SUFFIX</tt><tt> </tt><tt> </tt><tt>ipactl restart</tt> </blockquote> Thanks Sumit for this catch. The new patch revert the change in dna update. thierry </blockquote> On 08/28/2014 08:58 PM, Sumit Bose wrote: </div> <blockquote cite="mid:20140828185800.GI16631@localhost.localdomain" type="cite"> <pre wrap="">On Thu, Aug 28, 2014 at 08:41:57PM +0200, thierry bordaz wrote: </pre> <blockquote type="cite"> <pre wrap="">On 08/28/2014 08:30 PM, Sumit Bose wrote: </pre> <blockquote type="cite"> <pre wrap="">On Thu, Aug 28, 2014 at 07:26:51PM +0200, thierry bordaz wrote: </pre> <blockquote type="cite"> <pre wrap="">On 08/28/2014 06:51 PM, Sumit Bose wrote: </pre> <blockquote type="cite"> <pre wrap="">On Thu, Aug 14, 2014 at 07:18:40PM +0200, thierry bordaz wrote: </pre> <blockquote type="cite"> <pre wrap="">Hello, Following Petr remarks from the previous review, I modified the original fix to move it only in '.update' files. Thanks thierry >From d45e78dfeb7761348c464b3bb3956656bb115ce0 Mon Sep 17 00:00:00 2001 From: "Thierry bordaz (tbordaz)" <a class="moz-txt-link-rfc2396E" href="mailto:tbordaz@redhat.com"><tbordaz@redhat.com></a> Date: Thu, 7 Aug 2014 16:29:02 +0200 Subject: [PATCH] User Life Cycle: create containers and scoping DS plugins User Life Cycle is designed <a class="moz-txt-link-freetext" href="http://www.freeipa.org/page/V4/User_Life-Cycle_Management">http://www.freeipa.org/page/V4/User_Life-Cycle_Management</a> It manages 3 containers (Staging, Active, Delete). At install/upgrade Delete and Staging containers needs to be created. Active: cn=users,cn=accounts,$SUFFIX Delete: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX Stage: cn=staged users ,cn=accounts,cn=provisioning,$SUFFIX Plugins scopes: krbPrincipalName, krbCanonicalName, ipaUniqueID, uid: cn=accounts,SUFFIX cn=deleted users,cn=accounts,cn=provisioning,SUFFIX DNA: cn=accounts,SUFFIX </pre> </blockquote> <pre wrap="">Hi Thierry, sorry for being late, but cn=accounts,SUFFIX is too strict for the DNA plugin. We need to generate a UID for the trusted domain objects as well which are stored in cn=trusts,SUFFIX. The reason is that AD expects to be able to connect with a special trusted domain account. We generate this account on the fly based on the data in the trusted domain object hence we need a UID here. Since it looks like dnaScope is a SINGLE-VALUE attribute I think dnaScope has to be reverted to SUFFIX. Do you see any drawbacks or a different solution? bye, Sumit </pre> </blockquote> <pre wrap="">Hello Sumit, Thank you so much for having reviewed this fix and your important feedback ! Yes I had the same fear to restrict DNA to 'accounts'. I opened <a class="moz-txt-link-freetext" href="https://fedorahosted.org/389/ticket/47828">https://fedorahosted.org/389/ticket/47828</a> to allow to exclude a part of the DIT (here 'cn=provisioning,SUFFIX') from the scope of DNA plugin. Do you think it can address this concern ? </pre> </blockquote> <pre wrap="">Yes, in general this would fix the issue. I'm just wondering if it wouldn't be easier with respect to coding and management to make dnaScope a multi-value attribute? Additionally a fix for IPA master is needed to make trusts work again. Would it be possible to tweak the filter to skip objects in cn=provisioning? E.g. do those objects have the ipaObject objectclass? </pre> </blockquote> <pre wrap="">Yes, stage entries have 'objectclass=ipaObject'. Do you suggest to remove this oc from staged entries, so that the filter will not match it ?. I have to check the impact of stage user not being ipaObject. </pre> </blockquote> <pre wrap=""> no, it was just a suggestion. Maybe we can use entryDN like: (&(|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDobject))(!(entrydn=*cn=provisioning*))) bye, Sumit </pre> <blockquote type="cite"> <pre wrap=""> thanks thierry </pre> <blockquote type="cite"> <pre wrap=""> bye, Sumit </pre> <blockquote type="cite"> <pre wrap=""> thanks thierry </pre> <blockquote type="cite"> <blockquote type="cite"> <pre wrap=""> Plugins exclude subtree: IPA UUID, Referential Integrity, memberOf: cn=provisioning,SUFFIX Reviewed-By: Petr Viktorin <a class="moz-txt-link-rfc2396E" href="mailto:pviktori@redhat.com"><pviktori@redhat.com></a> <a class="moz-txt-link-freetext" href="https://fedorahosted.org/freeipa/ticket/3813">https://fedorahosted.org/freeipa/ticket/3813</a> --- </pre> </blockquote> </blockquote> </blockquote> </blockquote> <pre wrap=""> </pre> </blockquote> </blockquote> </body> </html>