[Freeipa-devel] [PATCH 0286] baseldap: Handle missing parent objects properly in *-find

Tomas Babej tbabej at redhat.com
Wed Nov 19 11:41:39 UTC 2014


On 11/19/2014 12:24 PM, Martin Kosek wrote:
> On 11/19/2014 12:03 PM, Tomas Babej wrote:
>> Hi,
>>
>> When constructing a parent DN in LDAPSearch, we should always
>> check that the parent object exists (hence use get_dn_if_exists),
>> rather than search on nonexistent containers (which can happen
>> with get_dn).
>>
>> Replaces get_dn calls with get_dn_if_exists in *-find commands
>> and makes sure a proper error message is raised.
>>
>> https://fedorahosted.org/freeipa/ticket/4659
> Doesn't it produce extra LDAP search thus making all our search commands
> slower? Is that what we want? 

No, it does not make all of our LDAP searches slower. It only happens for
the objects that have parent objects, such as idoverrides or dnsrecords.



> Wouldn't it be better to distinguish between LDAP
> search with no results and LDAP search with missing parent DN? The reply looks
> different, at least in CLI:
Up to discussion. We would probably need to introduce a new exception,
like ParentObjectNotFound.

>
> # search result
> search: 4
> result: 0 Success
>
> # search result
> search: 4
> result: 32 No such object
> matchedDN: cn=accounts,dc=mkosek-f20,dc=test
>
> Also, I do not think you can just stop using get_dn(), some commands override
> this call to get more complex searches (like host-find searching for shortname).
Look into the get_dn_if_exists, it just wraps around get_dn, so no issue
here. Any custom behaviour is preserved.


To sum up, I think it is worth changing this behaviour by default;
ignoring a non-matching value of the parent object is not a correct
general approach in my opinion.

-- 
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org 
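The distinction argued over in this thread (building a parent DN blindly with get_dn versus verifying it first with get_dn_if_exists, and what a *-find command returns in each case) is illustrated below with an added, self-contained Python model. This is not FreeIPA's own baseldap code: the in-memory directory, the DN layout, the idoverride_find_* names and the NotFound exception are all constructed for the example. The point it makes is the one Tomas raises: with plain get_dn a mistyped or missing parent silently yields an empty result set (the LDAP "result: 0 Success" case), whereas the wrapped lookup surfaces the missing container as an error.

```python
# Added example (not FreeIPA code): a minimal model of the get_dn /
# get_dn_if_exists distinction discussed in the thread. The directory
# contents, DN layout and exception name are constructed for illustration.

class NotFound(Exception):
    """Raised when a requested object (or its parent container) does not exist."""


# Constructed in-memory directory: DN -> attributes. It mimics the
# cn=views,cn=accounts subtree where ID views hold ID override entries.
DIRECTORY = {
    "dc=example,dc=test": {"objectClass": ["domain"]},
    "cn=accounts,dc=example,dc=test": {"objectClass": ["nsContainer"]},
    "cn=views,cn=accounts,dc=example,dc=test": {"objectClass": ["nsContainer"]},
    "cn=default,cn=views,cn=accounts,dc=example,dc=test": {"objectClass": ["ipaIDView"]},
    "uid=alice,cn=default,cn=views,cn=accounts,dc=example,dc=test": {"uid": ["alice"]},
}

BASE_DN = "cn=views,cn=accounts,dc=example,dc=test"


def get_dn(view_name):
    """Build the parent DN purely from the primary key, without touching the directory."""
    return f"cn={view_name},{BASE_DN}"


def get_dn_if_exists(view_name):
    """Wrap get_dn (so any custom DN construction is preserved) and verify
    that the resulting object actually exists; this is the one extra lookup
    the thread talks about, and it only happens for objects with a parent."""
    dn = get_dn(view_name)
    if dn not in DIRECTORY:
        raise NotFound(f"{view_name}: ID view not found")
    return dn


def one_level_search(base_dn):
    """Return the immediate children of base_dn.

    Like an LDAP one-level search under a base that does not exist, this
    returns an empty list rather than complaining about the missing base.
    """
    depth = base_dn.count(",") + 1
    return [dn for dn in DIRECTORY
            if dn.endswith("," + base_dn) and dn.count(",") == depth]


def idoverride_find_old(view_name):
    """Pre-patch behaviour: a typo in the parent name yields an empty result set,
    indistinguishable from a view that exists but has no overrides."""
    return one_level_search(get_dn(view_name))


def idoverride_find_new(view_name):
    """Patched behaviour: a missing parent raises NotFound instead of
    silently returning no entries."""
    return one_level_search(get_dn_if_exists(view_name))


if __name__ == "__main__":
    print("existing view, old code:", idoverride_find_old("default"))
    print("mistyped view, old code:", idoverride_find_old("defualt"))
    try:
        idoverride_find_new("defualt")
    except NotFound as e:
        print("mistyped view, new code:", e)
```

Running the module shows the old path returning `[]` for the mistyped view name, which a caller cannot tell apart from "view exists, no overrides", while the new path raises NotFound naming the missing parent. Whether that NotFound should instead be a dedicated exception such as the ParentObjectNotFound floated above is the open question in the thread; the example simply reuses a single NotFound.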