[Freeipa-devel] [PATCH] Do not ask for memberindirect when updating managed permissions

Petr Viktorin pviktori at redhat.com
Wed Apr 16 10:29:38 UTC 2014

On 04/16/2014 10:35 AM, Jan Cholasta wrote:
> On 11.4.2014 13:31, Petr Viktorin wrote:
>> One of the default_attributes of permission is memberofindirect, a
>> virtual attribute manufactured by ldap2, which is set when a permission
>> is part of a role.
>> When update_entry is called on an entry with memberofindirect, ipaldap
>> tries to add the attribute to LDAP and fails with an objectclass
>> violation.
>> Do not ask for memberindirect when retrieving the entry.
>> CCing Honza since he designs ipaldap. Virtual attributes are often
>> helpful, and in any case IPA uses them a lot and having to filter them
>> out every time is error-prone.
>> Maybe we should add support for them directly in ipaldap -- e.g. an
>> attribute set by `entry.virtual[attr_name] = [x]` would be visible in
>> entry[attr_name] but would not be synced back to LDAP?
> I would prefer if we stopped abusing LDAPEntry to handle non-LDAP stuff
> in the future. Your suggestion works in sort of opposite direction, so I
> can't say I like it.
> Currently we use LDAPEntry in frontend code directly, but I think that's
> wrong. There should be a frontend-specific class for this (make
> ipalib.frontend.Object instantiable?) and LDAPEntry should be used
> (almost) only in backend code.

Right, that's the way to go long-term. Virtual attributes could be a 
stop-gap solution before we get there, since to remove this from ldap2 
we'd need to change all the plugins that use it.

Thinking about it more, it probably would be too much work for a workaround.


More information about the Freeipa-devel mailing list