[Freeipa-devel] [PATCH] Do not ask for memberindirect when updating managed permissions

Petr Viktorin pviktori at redhat.com
Fri Apr 11 11:31:22 UTC 2014

One of the default_attributes of permission is memberofindirect, a 
virtual attribute manufactured by ldap2, which is set when a permission 
is part of a role.
When update_entry is called on an entry with memberofindirect, ipaldap 
tries to add the attribute to LDAP and fails with an objectclass violation.

Do not ask for memberindirect when retrieving the entry.

CCing Honza since he designs ipaldap. Virtual attributes are often 
helpful, and in any case IPA uses them a lot and having to filter them 
out every time is error-prone.
Maybe we should add support for them directly in ipaldap -- e.g. an 
attribute set by `entry.virtual[attr_name] = [x]` would be visible in 
entry[attr_name] but would not be synced back to LDAP?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0518-Do-not-ask-for-memberindirect-when-updating-managed-.patch
Type: text/x-patch
Size: 1533 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140411/e7829e1c/attachment.bin>
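
The idea floated at the end of the message (values set through `entry.virtual` are readable on the entry but never synced back), sketched beside the flat-dictionary behaviour that leads to the failure described. This is an added example, not part of the original post and not ipaldap code; `Entry`, `diff()`, `modlist()` and the sample DNs and values are hypothetical and constructed for illustration.

```python
# Added illustration: Entry, virtual, diff() and modlist() are hypothetical names,
# not ipaldap's API. Attribute names are matched case-sensitively for brevity.

def diff(old, new):
    """Return sorted (op, attr, values) tuples that turn `old` into `new`."""
    mods = []
    for name in sorted(set(old) | set(new)):
        before, after = old.get(name, []), new.get(name, [])
        if before != after:
            op = "add" if not before else "delete" if not after else "replace"
            mods.append((op, name, list(after)))
    return mods


class Entry:
    def __init__(self, dn, attrs):
        self.dn = dn
        self._orig = {k: list(v) for k, v in attrs.items()}  # state read from LDAP
        self._real = {k: list(v) for k, v in attrs.items()}  # pending stored values
        self.virtual = {}  # computed values: readable, never written back

    def __getitem__(self, name):
        return self.virtual[name] if name in self.virtual else self._real[name]

    def __setitem__(self, name, values):
        if name in self.virtual:
            raise KeyError(f"{name} is virtual and cannot be stored")
        self._real[name] = list(values)

    def modlist(self):
        # Only stored attributes are diffed, so virtual ones never reach LDAP.
        return diff(self._orig, self._real)


def demo():
    # Constructed sample data: a permission that is part of one role.
    dn = "cn=System: Read Users,cn=permissions,cn=pbac,dc=example,dc=test"
    stored = {"cn": ["System: Read Users"], "ipapermright": ["read"]}
    indirect = ["cn=Helpdesk,cn=roles,cn=accounts,dc=example,dc=test"]

    # Flat dict: the computed value is indistinguishable from a new stored attribute.
    flat = dict(stored, memberofindirect=indirect, ipapermright=["read", "search"])
    naive = diff(stored, flat)

    entry = Entry(dn, stored)
    entry.virtual["memberofindirect"] = indirect
    entry["ipapermright"] = ["read", "search"]
    return naive, entry["memberofindirect"], entry.modlist()
```

`demo()` returns the naive modlist, which contains an `add` for `memberofindirect`, followed by the virtual value as read from the entry and the filtered modlist, which contains only the `ipapermright` change.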
