[Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin

Nathaniel McCallum npmccallum at redhat.com
Fri Sep 19 20:15:43 UTC 2014 

This new version fixes a small style issue pointed out to me by richm
(thanks!).

On Fri, 2014-09-19 at 13:39 -0400, Nathaniel McCallum wrote:
> The attached version of the patch should solve all of these issues. It
> should also be more performant and use less memory.
> 
> Nathaniel
> 
> 
> On Wed, 2014-09-17 at 15:33 +0200, thierry bordaz wrote:
> > On 09/15/2014 09:05 PM, Nathaniel McCallum wrote:
> > 
> > > This plugin ensures that all counter/watermark operations are atomic
> > > and never decrement. Also, deletion is not permitted.
> > > 
> > > https://fedorahosted.org/freeipa/ticket/4494
> > > 
> > > 
> > > _______________________________________________
> > > Freeipa-devel mailing list
> > > Freeipa-devel at redhat.com
> > > https://www.redhat.com/mailman/listinfo/freeipa-devel
> > Hello Nathaniel,
> > 
> >         More thoughts.. I think being "betxnpreoperation" you are safe
> >         with parallel client ops and the check is atomic. I have few
> >         comments:
> >               * Shouldn't be implemented
> >                 SLAPI_PLUGIN_CLOSE_FN/SLAPI_PLUGIN_START_FN callback,
> >                 even if they are empty.
> >               * In load_counters, in case we have a target entry that
> >                 has not 'objectclass'  'ipatokenHOTP|ipatokenTOTP' and
> >                 the mod operation:
> >                 dn: <entry>
> >                 changetype: modify
> >                 replace: ipatokenHOTPcounter
> >                 ipatokenHOTPcounter: 200
> >                 -
> >                 add: objectclass
> >                 objectclass: ipatokenHOTP
> >                 
> >                 
> >                 I wonder if the operation will not fail although IMHO
> >                 it should succeeds.
> >                 Shouldn't let the schema checking reject the operation
> >                 if the attribute is not granted by the entry
> >                 objectclass
> >               * in load_counters, I am under the impression it may
> >                 return  ipatokenHOTPcounter or ipatokenTOTPwatermark
> >                 (ipatokenHOTPcounter is missing).
> >                 But then how the caller knows that the returned value
> >                 is a counter or a watermark ?
> >               * in ldapmod_is_attrs you may prefer PL_strcasecmp to
> >                 strcasecmp
> >         
> >         About replicated updates, if updates of counters/watermark are
> >         done on several servers. Then a replicated operation may want
> >         to set counters/watermark with a smaller value that the
> >         existing one. In that case, it will return unwilling to
> >         perform. That could break replication.
> >         If the update comes from replication and the value is going
> >         backward, we could make the operation a nop operation (setting
> >         the attribute to its current value).
> >         
> >         
> >         thanks
> >         theirry
> >         
> >         
> 
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-npmccallum-0064.2-Create-ipa-otp-decrement-389DS-plugin.patch
Type: text/x-patch
Size: 17895 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140919/e4a0ebff/attachment.bin>

More information about the Freeipa-devel mailing list