[Freeipa-devel] [PATCH] 25 Create Tool for Enabling Disabling Managed Entry

JR Aquino JR.Aquino at citrix.com
Thu Sep 15 00:47:52 UTC 2011


On Jul 22, 2011, at 7:05 AM, Martin Kosek wrote:

> On Thu, 2011-07-21 at 23:52 +0000, JR Aquino wrote:
>> On Apr 25, 2011, at 9:00 AM, Simo Sorce wrote:
>> 
>>> On Mon, 2011-04-25 at 14:59 +0000, JR Aquino wrote:
>>>> On Apr 25, 2011, at 6:43 AM, Simo Sorce wrote:
>>>> 
>>>>> On Thu, 2011-04-21 at 23:28 +0000, JR Aquino wrote:
>>>>>> Hmmm
>>>>>> Both Private Groups and the Hostgroup -> Netgroup Managed Entries
>>>>>> create objects in the container:
>>>>>> cn=Managed Entries,cn=plugins,cn=config
>>>>>> 
>>>>>> Each LDIF contains 2 LDAP objects. One that lives in the main $SUFFIX,
>>>>>> and one in the cn=config
>>>>>> 
>>>>>> How will these be treated by replication and the multi masters?
>>>>> 
>>>>> Only the common objects in the public suffix are replicated.
>>>>> I think at some point we discussed that we should use a filter in the
>>>>> private config entry made so that we could enable/disable the plugin by
>>>>> simply making the filter result true/false.
>>>>> Thus not ever touch the entries in cn=config but simply
>>>>> "enable"/"disable" the functionality by (not)adding the appropriate
>>>>> attributes to objects so that filters would (not) match.
>>>>> 
>>>>> Simo.
>>>> 
>>>> This tool works by toggling the originfilter: objectclass=disabled in order to turn off the plugin.
>>> 
>>> But this is backwards, because originfilter is defined in the
>>> configuration entry stored in cn=config
>>> 
>>> Meaning as soon as you change it one server will behave differently from
>>> the others until you go and change it on each and every server.
>> 
>> Finally able to revisit this Patch / Ticket:
>> (To be used in conjunction with Patch 38)
>> 
>> 25 Create Tool for Enabling/Disabling Managed Entry
>> Plugins https://fedorahosted.org/freeipa/ticket/1181
>> 
>> Remove legacy ipa-host-net-manage
>> Add ipa-managed-entries tool
>> Add man page for ipa-managed-entries tool
>> 
> 
> I have found a few issues with the patch:
> 
> 1) I don't think it's necessary to change BuildRequires to
> 389-ds-base-devel >= 1.2.8

This is no longer necessary and has been removed.

> 
> 2) Invalid comment in get_dirman_password() function. There is no
> verification of the password. It just prompts for it

This has been corrected

> 
> 3) ipa-managed-entries man pages: copy & paste error:
> +Directory Server will need to be restarted after the schema
> compatibility plugin has been enabled.

Copy / Paste Typo corrected
> 
> 4) Invalid help of the program:
> # ipa-managed-entries --help
> Usage: ipa-managed-entries [options] <enable|disable>
>       ipa-managed-entries [options]
> 
> - status action is missing
> - running program without action is not allowed, i.e. should not be
> offered

Corrected help entries

> 
> 5) I was thinking if there is a better solution to enabling/disabling of
> the plugin. Like setting something like "managedEntryEnabled" attribute
> to on/off as we do with compat plugin. Current concept with disabling
> the definition by damaging the originFilter and then restoring it from
> an LDIF seems a bit awkward to me.

This has been completely changed:
Instead of looking at LDIF files, an LDAP lookup is now performed to dynamically list the available managed entries.
> 
> 6) ipa-managed-entries crashes when managed entry is a wrong file:
> 
> # ipa-managed-entries status -f /usr/share/ipa/managed-entries.ldif 
> Directory Manager password: 
> 
> Traceback (most recent call last):
>  File "/usr/sbin/ipa-managed-entries", line 245, in <module>
>    sys.exit(main())
>  File "/usr/sbin/ipa-managed-entries", line 141, in main
>    originFilter = entry_attr['originFilter'][0]
> KeyError: 'originFilter'

This is no longer an issue now that it is no longer using the ldif files.

> 7) What if there are more managed entries in the LDIF? This concept
> would not work correctly then. A behavior I would expect:
> a) User (optionally) passes a directory with managed entries LDIFs
> b) ipa-managed-entries analyzes all LDIFs and prints available Managed
> Entry definitions
> c) I would choose the one I want to enable/disable via
> ipa-managed-entries option

Also no longer an issue.

> Martin
> 

Corrected Patch Attached:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jraquino-0025-Create-Tool-for-Enabling-Disabling-Managed-Entries.patch
Type: application/octet-stream
Size: 24589 bytes
Desc: freeipa-jraquino-0025-Create-Tool-for-Enabling-Disabling-Managed-Entries.patch
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20110915/10445ee4/attachment.obj>

