[Freeipa-devel] [PATCH] Do not ask for memberindirect when updating managed permissions

Jan Cholasta jcholast at redhat.com
Wed Apr 16 08:35:33 UTC 2014

On 11.4.2014 13:31, Petr Viktorin wrote:
> One of the default_attributes of permission is memberofindirect, a
> virtual attribute manufactured by ldap2, which is set when a permission
> is part of a role.
> When update_entry is called on an entry with memberofindirect, ipaldap
> tries to add the attribute to LDAP and fails with an objectclass violation.
> Do not ask for memberindirect when retrieving the entry.
> CCing Honza since he designs ipaldap. Virtual attributes are often
> helpful, and in any case IPA uses them a lot and having to filter them
> out every time is error-prone.
> Maybe we should add support for them directly in ipaldap -- e.g. an
> attribute set by `entry.virtual[attr_name] = [x]` would be visible in
> entry[attr_name] but would not be synced back to LDAP?

I would prefer if we stopped abusing LDAPEntry to handle non-LDAP stuff 
in the future. Your suggestion works in sort of opposite direction, so I 
can't say I like it.

Currently we use LDAPEntry in frontend code directly, but I think that's 
wrong. There should be a frontend-specific class for this (make 
ipalib.frontend.Object instantiable?) and LDAPEntry should be used 
(almost) only in backend code.


Jan Cholasta

More information about the Freeipa-devel mailing list