[Freeipa-devel] [PATCH] Do not ask for memberindirect when updating managed permissions

Petr Viktorin pviktori at redhat.com
Thu Apr 17 08:05:00 UTC 2014

On 04/16/2014 03:58 PM, Martin Kosek wrote:
> On 04/16/2014 03:52 PM, Simo Sorce wrote:
>> On Wed, 2014-04-16 at 10:35 +0200, Jan Cholasta wrote:
>>> On 11.4.2014 13:31, Petr Viktorin wrote:
>>>> One of the default_attributes of permission is memberofindirect, a
>>>> virtual attribute manufactured by ldap2, which is set when a permission
>>>> is part of a role.
>>>> When update_entry is called on an entry with memberofindirect, ipaldap
>>>> tries to add the attribute to LDAP and fails with an objectclass violation.
>>>> Do not ask for memberindirect when retrieving the entry.
>>>> CCing Honza since he designs ipaldap. Virtual attributes are often
>>>> helpful, and in any case IPA uses them a lot and having to filter them
>>>> out every time is error-prone.
>>>> Maybe we should add support for them directly in ipaldap -- e.g. an
>>>> attribute set by `entry.virtual[attr_name] = [x]` would be visible in
>>>> entry[attr_name] but would not be synced back to LDAP?
>>> I would prefer if we stopped abusing LDAPEntry to handle non-LDAP stuff
>>> in the future. Your suggestion works in sort of opposite direction, so I
>>> can't say I like it.
>>> Currently we use LDAPEntry in frontend code directly, but I think that's
>>> wrong. There should be a frontend-specific class for this (make
>>> ipalib.frontend.Object instantiable?) and LDAPEntry should be used
>>> (almost) only in backend code.
>> +1
>> Simo.
> We are then stuck with Petr's original patch 518 - ACK from me.
> Martin

Thanks, pushed to master: 81b0e7466d739a61b16c0e79c660a9f85d073c8c


More information about the Freeipa-devel mailing list