[Freeipa-devel] [PATCH] Add group plugin port to new LDAP backend.

Rob Crittenden rcritten at redhat.com
Wed May 13 18:04:17 UTC 2009


Pavel Zuna wrote:
> Rob Crittenden wrote:
>> Pavel Zuna wrote:
>>> Rob Crittenden wrote:
>>>> Pavel Zuna wrote:
>>>>> By the way, there's a little bug I discovered while testing this 
>>>>> plugin. It affects the old group plugin as well. When trying to 
>>>>> modify a group into a posixGroup, gidNumber doesn't get generated 
>>>>> automatically resulting in an object violation LDAP error. Solution 
>>>>> is to generate it ourselves, but I didn't know how it works, so I 
>>>>> commented that part out for now. (/FIXME in vim)
>>>>>
>>>>
>>>> This should be fixed in FDS 1.2. Can you update and give it a try?
>>>>
>>>> rob
>>> Sure, just updated and you're right, it works.  :)
>>> Updated patch attached.
>>>
>>> Pavel
>>
>> nack. This won't handle someone using group-mod to set a specific 
>> gidnumber. The posixGroup objectclass won't be added.
>>
>> rob
> Fixed patch attached.
> 
> Pavel

The basegroup2 part looks ok but nack on group2.

I think we should stick with using lower-case attribute names as a rule 
of thumb rather than camel case. In any case, you test whether the string 
posixGroup is in the list of objectclasses; this test needs to be 
case-insensitive.

I also wonder if we should be using ldap.get_entry(). Why use this over 
group-show?

I'm not sure if the logic around setting gidnumber is right. If you set 
the gidnumber but aren't using the --posix flag it looks like it will 
always append posixgroup to the list of objectclasses. I'm pretty sure 
the LDAP server is going to reject the update. I suppose making a 
list(set(objectclasses)) would work for de-duping.

rob
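
Added example (not part of the original message and not FreeIPA code): one way to make the objectclass test case-insensitive and to avoid appending posixgroup twice, the two points raised in the review above. The helper names and sample entries are hypothetical, and the de-duplication here is case-insensitive and order-preserving, which goes slightly beyond list(set(objectclasses)).

```python
# Added example, not FreeIPA code: helper names and sample entries are hypothetical.

def has_objectclass(objectclasses, name):
    """Case-insensitive membership test; LDAP objectClass names ignore case."""
    wanted = name.lower()
    return any(oc.lower() == wanted for oc in objectclasses)


def dedupe_objectclasses(objectclasses):
    """Drop duplicates that differ only in case, keeping first-seen order."""
    seen = set()
    result = []
    for oc in objectclasses:
        key = oc.lower()
        if key not in seen:
            seen.add(key)
            result.append(oc)
    return result


def objectclasses_for_mod(current, posix=False, gidnumber=None):
    """Return the objectclass list to write for a group modification.

    posixgroup is needed when the caller asks for a posix group or sets an
    explicit gidnumber; it is added only if no spelling of it is present.
    """
    updated = dedupe_objectclasses(current)
    needs_posix = posix or gidnumber is not None
    if needs_posix and not has_objectclass(updated, 'posixgroup'):
        updated.append('posixgroup')
    return updated


if __name__ == '__main__':
    # Constructed sample entries.
    plain = ['top', 'groupofnames']
    already_posix = ['top', 'groupofnames', 'posixGroup']
    print(objectclasses_for_mod(plain, gidnumber=1234))
    print(objectclasses_for_mod(already_posix, gidnumber=1234))
    print(objectclasses_for_mod(already_posix, posix=True))
```

A plain set() treats posixGroup and posixgroup as two different values, which is why the comparison key is lower-cased before de-duplicating.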