[Freeipa-devel] [PATCH] Do not ask for memberindirect when updating managed permissions
pviktori at redhat.com
Fri Apr 11 11:31:22 UTC 2014
One of the default_attributes of permission is memberofindirect, a
virtual attribute manufactured by ldap2, which is set when a permission
is part of a role.
When update_entry is called on an entry with memberofindirect, ipaldap
tries to add the attribute to LDAP and fails with an objectclass violation.
Do not ask for memberindirect when retrieving the entry.
CCing Honza since he designs ipaldap. Virtual attributes are often
helpful, and in any case IPA uses them a lot and having to filter them
out every time is error-prone.
Maybe we should add support for them directly in ipaldap -- e.g. an
attribute set by `entry.virtual[attr_name] = [x]` would be visible in
entry[attr_name] but would not be synced back to LDAP?
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 1533 bytes
Desc: not available
More information about the Freeipa-devel