[Freeipa-devel] [PATCHES] 0016-17 Fixes for{add, set, del}attr with managed attributes
Rob Crittenden
rcritten at redhat.com
Fri Mar 16 13:07:37 UTC 2012
Jan Cholasta wrote:
> On 29.2.2012 15:50, Rob Crittenden wrote:
>> Petr Viktorin wrote:
>>> On 02/27/2012 11:03 PM, Rob Crittenden wrote:
>>>> Petr Viktorin wrote:
>>>>> Patch 16 defers validation & conversion until after
>>>>> {add,del,set}attr is
>>>>> processed, so that we don't search for an integer in a list of strings
>>>>> (this caused ticket #2405), and so that the end result of these
>>>>> operations is validated (#2407).
>>>>>
>>>>>
>>>>> Patch 17 makes these options honor params marked no_create and
>>>>> no_update.
>>>>>
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/2405
>>>>> https://fedorahosted.org/freeipa/ticket/2407
>>>>> https://fedorahosted.org/freeipa/ticket/2408
>>>>
>>>> NACK on Patch 17 which breaks patch 16.
>>>
>>> How is patch 16 broken? It works for me.
>>
>> My point is they rely on one another, IMHO, so without 17 the reported
>> problem still exists.
>>
>>>
>>>> *attr is specifically made to be powerful. We don't want to arbitrarily
>>>> block updating certain values.
>>>
>>> Noted
>>>
>>>> Not having patch 17 means that the problem reported in 2408 still
>>>> occurs. It should probably check both the schema and the param to
>>>> determine if something can have multiple values and reject that way.
>>>
>>> I see the problem now: the certificate subject base is defined as a
>>> multi-value attribute in the LDAP schema. If it's changed to
>>> single-value the existing validation should catch it.
>>>
>>> Also, most of the config attributes should probably be required in the
>>> schema. Am I right?
>>>
>>> I'm a newbie here; what do I need to do when changing the schema? Is
>>> there a patch that does something similar I could use as an example?
>>>
>>
>> The framework should be able to impose its own single-value will as
>> well. If a Param is designated as single-value the *attr should honor it.
>
> Is that so? Isn't *attr supposed to allow the user to modify attributes
> at LDAP level, i.e. skip the usual framework constraints?
If we make rules around an attribute they should be honored. If we have
not then all bets are off.
*attr was never really made to manage those attributes that IPA knows
about, despite most of the testing being around that. It was to provide
a way to manage things we don't support yet.
rob
More information about the Freeipa-devel
mailing list