[Freeipa-devel] [PATCH] 298 Add safe updates for objectClasses

Martin Kosek mkosek at redhat.com
Wed Sep 5 12:47:00 UTC 2012 

On 09/05/2012 09:22 AM, Martin Kosek wrote:
> On 09/05/2012 03:47 AM, Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> Martin Kosek wrote:
>>>> On 08/30/2012 02:53 PM, Rob Crittenden wrote:
>>>>> Martin Kosek wrote:
>>>>>> Current objectclass updates in a form of "replace" update instruction
>>>>>> dependent on exact match of the old object class specification in the
>>>>>> update instruction and the real value in LDAP. However, this
>>>>>> approach is
>>>>>> very error prone as object class definition can easily differ as for
>>>>>> example because of unexpected X-ORIGIN value. Such objectclass update
>>>>>> failures may lead to serious malfunctions later.
>>>>>>
>>>>>> Add new update instruction type "replaceoc" with the following format:
>>>>>> replaceoc:OID:new
>>>>>> This update instruction will always replace an objectclass with
>>>>>> specified OID with the new definition.
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/2440
>>>>>
>>>>> This works ok. Martin and I had a conversation in IRC about it.
>>>>>
>>>>> This moves from replacing a specific bit of schema with a new one, in
>>>>> all
>>>>> cases. I wonder if we should be more conservative and know what we're
>>>>> replacing
>>>>> in advance.
>>>>>
>>>>> rob
>>>>>
>>>>
>>>> You are right, I was too harsh when replacing the objectclasses. This
>>>> would
>>>> cause issues when LDAP update would be run on a replica with lower
>>>> version and
>>>> older objectclass definitions.
>>>>
>>>> I came up with an alternative solution and instead of always replacing
>>>> the
>>>> objectclass I rather reverted to old-OC:new-OC style which should be
>>>> safer.
>>>> Now, the LDAP updater always normalizes an objectclass before
>>>> comparing it
>>>> using python-ldap objectclass model. With this approach, objectclasses
>>>> differing only in X-ORIGIN or white spaces should match and be updated.
>>>>
>>>> Martin
>>>>
>>>
>>> NACK
>>>
>>> I think this:
>>>
>>> +                            for value in replaced_values:
>>> +                                entry_values.remove(old)
>>>
>>> Should be:
>>>
>>> +                                entry_values.remove(value)
> 
> Right. Thanks for the fix. It only worked in my testing because I had no
> objectclass update which would differ in X-ORIGIN or whitespaces or case. I
> tried to mangle an update file and with this fix it did the update even if
> X-ORIGIN and whitespaces differed.
> 
>>>
>>> I'm still doing other testing but this is what I've found so far.
>>>
>>> rob
>>
>> I did some more testing and it looks like this will do the trick.
>>
>> I also found a place where the schema was left as unicode and causing it to
>> blow up inside python-ldap. Here is the diff on my working instance:
>>
>> diff -u  ipaserver/install/ldapupdate.py
>> /usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py
>> --- ipaserver/install/ldapupdate.py     2012-09-04 16:59:33.210688723 -0400
>> +++ /usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py 2012-09-04
>> 21:47:01.583574375 -0400
>> @@ -643,7 +643,7 @@
>>                                  self.debug('replace: no match for replaced
>> ObjectClass "%s"', old)
>>                                  continue
>>                              for value in replaced_values:
>> -                                entry_values.remove(old)
>> +                                entry_values.remove(value)
>>                          else:
>>                              entry_values.remove(old)
>>                          entry_values.append(new)
>> @@ -772,7 +772,11 @@
>>                  updated = False
>>                  changes = self.conn.generateModList(entry.origDataDict(),
>> entry.toDict())
>>                  if (entry.dn == DN(('cn', 'schema'))):
>> -                    updated = self.is_schema_updated(entry.toDict())
>> +                    d = dict()
>> +                    e = entry.toDict()
>> +                    for k,v in e.items():
>> +                        d[k] = [str(x) for x in v]
>> +                    updated = self.is_schema_updated(d)
>>                  else:
>>                      if len(changes) >= 1:
>>                          updated = True
>>
>> rob
>>
> 
> I did not hit this error during testing, but at least it won't harm. Sending an
> updated patch.
> 

Sending a slightly updated patch which now makes sure that we always pass
objectclass of str (and not unicode) type to ObjectClass model. This should
make it more bullet-proof.

Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-298-4-add-safe-updates-for-objectclasses.patch
Type: text/x-patch
Size: 6768 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120905/a9cb27a7/attachment.bin>

More information about the Freeipa-devel mailing list