[Freeipa-devel] [PATCH] 19 Cleanup for netgroup search

Rob Crittenden rcritten at redhat.com
Fri Feb 18 15:32:49 UTC 2011


Jan Zeleny wrote:
> JR Aquino<JR.Aquino at citrix.com>  wrote:
>> On 2/17/11 3:23 AM, "Jan Zelený"<jzeleny at redhat.com>  wrote:
>>> JR Aquino<JR.Aquino at citrix.com>  wrote:
>>>> This patch fixes the netgroup plugin's behavior of adding duplicate
>>>> entries when the managed entry plugin creates a netgroup with a
>>>> mepManagedEntry.
>>>> This problem is documented in ticket:
>>>> https://fedorahosted.org/freeipa/ticket/963
>>>>
>>>> As noted by Endi for issue #3 in the History:
>>>> "3. Just out of curiosity, I tried adding a netgroup with the same name
>>>> as the hostgroup. I expected it to conflict with the managed netgroup,
>>>> but it actually worked. Searching the directory will return 2 netgroups
>>>> with the same name:"
>>>>
>>>> Historically the netgroup plugin had inappropriately defined:
>>>> rdn_attribute = 'ipauniqueid'. This caused the ability of duplication
>>>> with the creation of native netgroups using the ipaUniqueId as the DN
>>>> and as the Managed Entry netgroups utilizing the cn as the DN.
>>>>
>>>> Patch includes adjustments for the netgroup plugin and corresponding
>>>> test_netgroup_plugin
>>>>
>>>> Please verify that the items requested in #963 are now complete and
>>>> please confirm that the corresponding tests all pass.
>>>
>>> One test fails:
>>> FAIL: test_netgroup[30]: netgroup_remove_member: Remove netgroup u'netgroup2' from netgroup u'netgroup1'
>>>
>>> Command ipa host-show still shows:
>>> Member of netgroups: testhostgroup
>>>
>>> Also a little bit of nitpicking, I think the changed code in chunk 2
>>> would better look something like this:
>>>
>>> search_kw = {}
>>> search_kw['objectclass'] = ['mepManagedEntry']
>>>
>>> if not options['private']:
>>>     local_filter = ldap.make_filter(search_kw, rules=ldap.MATCH_NONE)
>>> else:
>>>     local_filter = ldap.make_filter(search_kw, rules=ldap.MATCH_ALL)
>>>
>>> filter = ldap.combine_filters((local_filter, filter), rules=ldap.MATCH_ALL)
>>>
>>> --
>>> Jan
>>
>> It was determined that the ipauniqueid is required for the DN on these
>> objects.
>> It's an ipaAssociation which uses it as the rdn, if we change the problems
>> cascade.
>>
>> This patch has now changed to reflect the optimization in the netgroup
>> search instead.
>> It provides a cleaner method of performing a netgroup search for native
>> netgroups and allows for the --private search to only display the
>> mepManagedEntry netgroups, rather than ALL netgroups. Previously --private
>> would return ALL netgroups.
>>
>> This means there is no need to modify test_netgroup_plugin.
>>
>> Please verify that the optimization / bugfix passes the standard
>> test_netgroup_plugin.
>
> Ack
>
> Jan

pushed to master
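
The search behaviour discussed in this thread, as an added example that is not part of the original messages and is not FreeIPA's code: the caller's filter is ANDed with a test for the `mepManagedEntry` object class (for `--private`) or with its negation (for a native search), then evaluated over constructed sample entries. The helper names (`escape`, `netgroup_filter`, `parse`, `matches`, `search`) and the sample entries are assumptions made for illustration; the small evaluator handles only equality, `&`, `|` and `!`.

```python
# Added illustration; helper names are hypothetical, not ipalib's API.
MANAGED_OC = "mepManagedEntry"

def escape(value):
    """Escape RFC 4515 special characters so user input cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def netgroup_filter(base, private):
    """AND the caller's filter with (or with the negation of) the managed-entry test."""
    managed = "(objectclass=%s)" % escape(MANAGED_OC)
    local = managed if private else "(!%s)" % managed
    return "(&%s%s)" % (local, base)

def parse(flt, i=0):
    """Parse one filter starting at flt[i]; return (node, index after it)."""
    if flt[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    op = flt[i + 1]
    if op in "&|!":
        i += 2
        kids = []
        while flt[i] == "(":
            node, i = parse(flt, i)
            kids.append(node)
        return (op, kids), i + 1  # skip the closing ")"
    end = flt.index(")", i)
    attr, value = flt[i + 1:end].split("=", 1)
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    """Evaluate a parsed filter (equality, &, |, ! only) against one entry."""
    if node[0] == "=":
        return node[2] in [v.lower() for v in entry.get(node[1], [])]
    results = [matches(kid, entry) for kid in node[1]]
    if node[0] == "!":
        return not results[0]
    return all(results) if node[0] == "&" else any(results)

# Constructed sample entries: one native netgroup, one managed by a hostgroup.
ENTRIES = [
    {"cn": ["netgroup1"], "objectclass": ["ipaAssociation", "ipaNISNetgroup"]},
    {"cn": ["testhostgroup"], "objectclass": ["ipaNISNetgroup", "mepManagedEntry"]},
]

def search(base, private):
    tree, _ = parse(netgroup_filter(base, private))
    return [e["cn"][0] for e in ENTRIES if matches(tree, e)]

if __name__ == "__main__":
    print(search("(objectclass=ipaNISNetgroup)", private=False))
    print(search("(objectclass=ipaNISNetgroup)", private=True))
```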



