[Freeipa-devel] [Patch] 0001-2 User Life Cycle: create containers and scoping DS plugins

thierry bordaz tbordaz at redhat.com
Fri Aug 29 14:36:24 UTC 2014


Hello,

    Partially reverts commit of 04ea75a7a5109907ede2a0216bd39fac46a992c0

    The fix 04ea75a7a5109907ede2a0216bd39fac46a992c0 restricted the DNA
    scope to 'cn=accounts,SUFFIX' .
    This was invalid. If you run a recent master instance (with that
    scoping) you may need to reinstall IPA or do the following:

        ldapmodify -x -h .. -p 389 -D "cn=directory manager" -w xxx
        dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
        changetype: modify
        replace: dnaScope
        dnaScope: $SUFFIX

        ipactl restart

    Thanks Sumit for this catch. The new patch reverts the change in the dna
    update.

    thierry

On 08/28/2014 08:58 PM, Sumit Bose wrote:
> On Thu, Aug 28, 2014 at 08:41:57PM +0200, thierry bordaz wrote:
>> On 08/28/2014 08:30 PM, Sumit Bose wrote:
>>> On Thu, Aug 28, 2014 at 07:26:51PM +0200, thierry bordaz wrote:
>>>> On 08/28/2014 06:51 PM, Sumit Bose wrote:
>>>>> On Thu, Aug 14, 2014 at 07:18:40PM +0200, thierry bordaz wrote:
>>>>>> Hello,
>>>>>>
>>>>>>     Following Petr remarks from the previous review, I modified the
>>>>>>     original fix to move it only in '.update' files.
>>>>>>
>>>>>>     Thanks
>>>>>>     thierry
>>>>>>
>>>>>>  From d45e78dfeb7761348c464b3bb3956656bb115ce0 Mon Sep 17 00:00:00 2001
>>>>>> From: "Thierry bordaz (tbordaz)" <tbordaz at redhat.com>
>>>>>> Date: Thu, 7 Aug 2014 16:29:02 +0200
>>>>>> Subject: [PATCH] User Life Cycle: create containers and scoping  DS plugins
>>>>>>
>>>>>> User Life Cycle is designed at http://www.freeipa.org/page/V4/User_Life-Cycle_Management
>>>>>> It manages 3 containers (Staging, Active, Delete). At install/upgrade the Delete and Staging
>>>>>> containers need to be created.
>>>>>> 		Active: cn=users,cn=accounts,$SUFFIX
>>>>>> 		Delete: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
>>>>>> 		Stage:  cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
>>>>>>
>>>>>> Plugins scopes:
>>>>>> 		krbPrincipalName, krbCanonicalName, ipaUniqueID, uid:
>>>>>> 			cn=accounts,SUFFIX
>>>>>> 			cn=deleted users,cn=accounts,cn=provisioning,SUFFIX
>>>>>> 		DNA:
>>>>>> 			cn=accounts,SUFFIX
>>>>> Hi Thierry,
>>>>>
>>>>> sorry for being late, but cn=accounts,SUFFIX is too strict for the DNA
>>>>> plugin. We need to generate a UID for the trusted domain objects as
>>>>> well which are stored in cn=trusts,SUFFIX. The reason is that AD
>>>>> expects to be able to connect with a special trusted domain account. We
>>>>> generate this account on the fly based on the data in the trusted domain
>>>>> object hence we need a UID here.
>>>>>
>>>>> Since it looks like dnaScope is a SINGLE-VALUE attribute I think
>>>>> dnaScope has to be reverted to SUFFIX. Do you see any drawbacks or a
>>>>> different solution?
>>>>>
>>>>> bye,
>>>>> Sumit
>>>> Hello Sumit,
>>>>
>>>>     Thank you so much for having reviewed this fix and your important
>>>>     feedback !
>>>>
>>>>     Yes, I had the same fear to restrict DNA to 'accounts'. I opened
>>>>     https://fedorahosted.org/389/ticket/47828
>>>>     to allow excluding a part of the DIT (here
>>>>     'cn=provisioning,SUFFIX') from the scope of the DNA plugin.
>>>>     Do you think it can address this concern?
>>> Yes, in general this would fix the issue. I'm just wondering if it
>>> wouldn't be easier with respect to coding and management to make
>>> dnaScope a multi-value attribute?
>>>
>>> Additionally a fix for IPA master is needed to make trusts work again.
>>> Would it be possible to tweak the filter to skip objects in
>>> cn=provisioning? E.g. do those objects have the ipaObject objectclass?
>> Yes, stage entries have 'objectclass=ipaObject'.
>> Do you suggest removing this oc from staged entries, so that the filter
>> will not match it? I have to check the impact of a staged user not being
>> an ipaObject.
> no, it was just a suggestion. Maybe we can use entryDN like:
>
> (&(|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDobject))(!(entrydn=*cn=provisioning*)))
>
> bye,
> Sumit
>
>> thanks
>> thierry
>>> bye,
>>> Sumit
>>>
>>>>     thanks
>>>>     thierry
>>>>
>>>>>> 		Plugins exclude subtree:
>>>>>> 		IPA UUID, Referential Integrity, memberOf:
>>>>>> 			cn=provisioning,SUFFIX
>>>>>>
>>>>>> Reviewed-By: Petr Viktorin <pviktori at redhat.com>
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/3813
>>>>>> ---

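The scoping question argued above (a single-valued dnaScope that cannot name both cn=accounts and cn=trusts, versus a SUFFIX-wide scope with the staged and deleted users filtered out) can be modelled on a handful of entries. The block below is an added example, not FreeIPA or 389-ds code and not part of this thread; it goes a little beyond the message by also modelling the exclude-subtree setting that ticket 47828 asks for, next to the entrydn filter clause Sumit proposed. SUFFIX (dc=example,dc=com), the sample entries, the trust object carrying ipaIDobject, and the simplified DN normalisation are all assumptions made here.

```python
"""Added example (not FreeIPA or 389-ds code): a small model of the DN
scoping discussed in this thread, to show why dnaScope=cn=accounts,$SUFFIX
leaves the trusted-domain objects under cn=trusts,$SUFFIX without a UID,
and how either the (!(entrydn=*cn=provisioning*)) filter clause or an
exclude-subtree setting (what ticket 47828 asks for) keeps staged and
deleted users out of DNA once the scope is back at $SUFFIX.

Assumptions not taken from the page: SUFFIX is dc=example,dc=com, the
entries below are constructed, the trust object carries ipaIDobject, and
DN matching is approximated by comparing lower-cased, whitespace-trimmed
RDN lists (no escaped commas occur in the sample DNs).
"""

SUFFIX = "dc=example,dc=com"  # assumed; the page writes it as $SUFFIX

# Constructed sample entries, one per container named in the thread.
ENTRIES = [
    {"dn": f"uid=alice,cn=users,cn=accounts,{SUFFIX}",  # Active
     "objectClass": ["top", "person", "posixAccount", "ipaObject"]},
    {"dn": f"cn=admins,cn=groups,cn=accounts,{SUFFIX}",
     "objectClass": ["top", "groupOfNames", "posixGroup", "ipaObject"]},
    {"dn": f"uid=bob,cn=staged users,cn=accounts,cn=provisioning,{SUFFIX}",  # Stage
     "objectClass": ["top", "person", "posixAccount", "ipaObject"]},
    {"dn": f"uid=carol,cn=deleted users,cn=accounts,cn=provisioning,{SUFFIX}",  # Delete
     "objectClass": ["top", "person", "posixAccount", "ipaObject"]},
    {"dn": f"cn=ad.example.test,cn=ad,cn=trusts,{SUFFIX}",  # trusted domain (assumed ipaIDobject)
     "objectClass": ["top", "ipaIDobject"]},
]

DNA_OBJECTCLASSES = {"posixaccount", "posixgroup", "ipaidobject"}


def norm_rdns(dn):
    """Split a DN into lower-cased, trimmed RDNs (simplified DN normalisation)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def is_under(dn, base):
    """True when dn equals base or lies below it in the DIT."""
    d, b = norm_rdns(dn), norm_rdns(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def in_scope(dn, scope, excludes=()):
    """Subtree scoping: inside the single dnaScope and outside every excluded subtree."""
    return is_under(dn, scope) and not any(is_under(dn, ex) for ex in excludes)


def dna_filter_matches(entry, exclude_provisioning_in_filter=False):
    """Evaluate the DNA filter on one entry.

    Base filter: (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDobject))
    With exclude_provisioning_in_filter the clause (!(entrydn=*cn=provisioning*)) from
    the thread is ANDed in; the substring test runs case-insensitively over the
    normalised DN (an assumption about how the server matches entrydn).
    """
    ocs = {oc.lower() for oc in entry["objectClass"]}
    if not ocs & DNA_OBJECTCLASSES:
        return False
    if exclude_provisioning_in_filter and "cn=provisioning" in ",".join(norm_rdns(entry["dn"])):
        return False
    return True


def dna_targets(entries, dna_scope, excludes=(), exclude_provisioning_in_filter=False):
    """Sorted DNs the DNA plugin would hand IDs to under one dnaScope
    (single-valued, as noted in the thread), optional excluded subtrees and the filter."""
    return sorted(e["dn"] for e in entries
                  if in_scope(e["dn"], dna_scope, excludes)
                  and dna_filter_matches(e, exclude_provisioning_in_filter))


if __name__ == "__main__":
    cases = [
        ("original patch: dnaScope=cn=accounts", f"cn=accounts,{SUFFIX}", (), False),
        ("reverted: dnaScope=SUFFIX, no exclusion", SUFFIX, (), False),
        ("reverted + entrydn filter clause", SUFFIX, (), True),
        ("reverted + exclude subtree (ticket 47828 style)", SUFFIX, (f"cn=provisioning,{SUFFIX}",), False),
    ]
    for label, scope, excl, flt in cases:
        print(label)
        for dn in dna_targets(ENTRIES, scope, excl, flt):
            print("   ", dn)
```

Running it prints the four cases side by side: with cn=accounts as the scope the trust object is missing, because cn=trusts is a sibling of cn=accounts and the "cn=accounts" RDN inside cn=provisioning is a different container; with the scope at SUFFIX and either the entrydn clause or an excluded subtree, the staged and deleted users drop out while the trust object stays in.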
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tbordaz-0001-4-User-Life-Cycle-new-containers-and-DS-plugin-scope.patch
Type: text/x-patch
Size: 1415 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140829/3692ac55/attachment.bin>
