[Freeipa-devel] [PATCH] Do not ask for memberindirect when updating managed permissions

Martin Kosek mkosek at redhat.com
Wed Apr 16 13:58:21 UTC 2014

On 04/16/2014 03:52 PM, Simo Sorce wrote:
> On Wed, 2014-04-16 at 10:35 +0200, Jan Cholasta wrote:
>> On 11.4.2014 13:31, Petr Viktorin wrote:
>>> One of the default_attributes of permission is memberofindirect, a
>>> virtual attribute manufactured by ldap2, which is set when a permission
>>> is part of a role.
>>> When update_entry is called on an entry with memberofindirect, ipaldap
>>> tries to add the attribute to LDAP and fails with an objectclass violation.
>>> Do not ask for memberindirect when retrieving the entry.
>>> CCing Honza since he designs ipaldap. Virtual attributes are often
>>> helpful, and in any case IPA uses them a lot and having to filter them
>>> out every time is error-prone.
>>> Maybe we should add support for them directly in ipaldap -- e.g. an
>>> attribute set by `entry.virtual[attr_name] = [x]` would be visible in
>>> entry[attr_name] but would not be synced back to LDAP?
>> I would prefer if we stopped abusing LDAPEntry to handle non-LDAP stuff 
>> in the future. Your suggestion works in sort of opposite direction, so I 
>> can't say I like it.
>> Currently we use LDAPEntry in frontend code directly, but I think that's 
>> wrong. There should be a frontend-specific class for this (make 
>> ipalib.frontend.Object instantiable?) and LDAPEntry should be used 
>> (almost) only in backend code.
> +1
> Simo.

We are then stuck with Petr's original patch 518 - ACK from me.


More information about the Freeipa-devel mailing list