[Freeipa-devel] [PATCH] Do not ask for memberindirect when updating managed permissions
Simo Sorce
simo at redhat.com
Wed Apr 16 13:52:36 UTC 2014
On Wed, 2014-04-16 at 10:35 +0200, Jan Cholasta wrote:
> On 11.4.2014 13:31, Petr Viktorin wrote:
> > One of the default_attributes of permission is memberofindirect, a
> > virtual attribute manufactured by ldap2, which is set when a permission
> > is part of a role.
> > When update_entry is called on an entry with memberofindirect, ipaldap
> > tries to add the attribute to LDAP and fails with an objectclass violation.
> >
> > Do not ask for memberindirect when retrieving the entry.
> >
> >
> >
> > CCing Honza since he designs ipaldap. Virtual attributes are often
> > helpful, and in any case IPA uses them a lot and having to filter them
> > out every time is error-prone.
> > Maybe we should add support for them directly in ipaldap -- e.g. an
> > attribute set by `entry.virtual[attr_name] = [x]` would be visible in
> > entry[attr_name] but would not be synced back to LDAP?
> >
>
> I would prefer if we stopped abusing LDAPEntry to handle non-LDAP stuff
> in the future. Your suggestion works in sort of opposite direction, so I
> can't say I like it.
>
> Currently we use LDAPEntry in frontend code directly, but I think that's
> wrong. There should be a frontend-specific class for this (make
> ipalib.frontend.Object instantiable?) and LDAPEntry should be used
> (almost) only in backend code.
+1
Simo.
--
Simo Sorce * Red Hat, Inc * New York
More information about the Freeipa-devel
mailing list