[Freeipa-devel] [PATCHES 00012-0013 v7] Profiles and CA ACLs

Jan Cholasta jcholast at redhat.com
Thu Jun 11 10:51:46 UTC 2015


Dne 11.6.2015 v 07:16 Fraser Tweedale napsal(a):
> On Wed, Jun 10, 2015 at 03:50:22PM +0200, Martin Basti wrote:
>> On 10/06/15 13:57, Martin Kosek wrote:
>>> On 06/10/2015 01:50 PM, Jan Cholasta wrote:
>>>> Dne 10.6.2015 v 13:44 Martin Basti napsal(a):
>>>>> On 10/06/15 06:40, Fraser Tweedale wrote:
>>>>>> On Tue, Jun 09, 2015 at 04:37:56PM +0200, Martin Basti wrote:
>>>>>>> On 09/06/15 08:58, Fraser Tweedale wrote:
>>>>>>>> On Mon, Jun 08, 2015 at 08:49:06AM +0200, Martin Kosek wrote:
>>>>>>>>> On 06/08/2015 03:31 AM, Fraser Tweedale wrote:
>>>>>>>>>> New patches attached.  Comments inline.
>>>>>>>>> Thanks Fraser!
>>>>>>>>>
>>>>>>>>> ...
>>>>>>>>>>> 5)
>>>>>>>>>>> Missing referint plugin configuration for attribute
>>>>>>>>>>> 'ipacaaclmembercertprofile'
>>>>>>>>>>> Please add it into install/updates/25-referint.update (+ other
>>>>>>>>>>> member
>>>>>>>>>>> attributes if missing)
>>>>>>>>>>>
>>>>>>>>>> Added this.  There is a comment in 25-referint.update:
>>>>>>>>>>
>>>>>>>>>>       # pres and eq indexes defined in 20-indices.update must be set
>>>>>>>>>>       # for all the attributes
>>>>>>>>>>
>>>>>>>>>> Can you explain what is required here?  Is it just to add: I see
>>>>>>>>>> things for memberUser and memberHost in indices.ldif but nothing for
>>>>>>>>>> memberService.  Do I need to add to indices.ldif:
>>>>>>>>>>
>>>>>>>>>>       dn: cn=memberProfile,cn=index,cn=userRoot,cn=ldbm
>>>>>>>>>> database,cn=plugins,cn=config
>>>>>>>>>>       changetype: add
>>>>>>>>>>       cn: memberProfile
>>>>>>>>>>       ObjectClass: top
>>>>>>>>>>       ObjectClass: nsIndex
>>>>>>>>>>       nsSystemIndex: false
>>>>>>>>>>       nsIndexType: eq
>>>>>>>>>>       nsIndexType: pres
>>>>>>>>>>       nsIndexType: sub
>>>>>>>>>>
>>>>>>>>>> , and similarly for memberCa?  Sorry I do not know much about LDAP
>>>>>>>>>> indexing.
>>>>>>>>> AFAIR, yes. BTW, where does the "sub" index come from? It is quite
>>>>>>>>> an expensive
>>>>>>>>> index to use and I now cannot think of memberProfile search where
>>>>>>>>> you would
>>>>>>>>> need a substring...
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Martin
>>>>>>>> Updated patch attached, which adds the indices.  (Also rebased).
>>>>>>>>
>>>>>>>> There is a commit that seems to indicate that substring index is
>>>>>>>> needed, so I have included substring indices in this patchset.
>>>>>>>> Copied Honza in case he wants to comment.
>>>>>>>>
>>>>>>>>       commit a10521a1dcf69960d6ce0bf5657180b709c297c0
>>>>>>>>       Author: Jan Cholasta <jcholast at redhat.com>
>>>>>>>>       Date:   Tue Jun 25 13:16:40 2013 +0000
>>>>>>>>
>>>>>>>>           Add missing substring indices for attributes managed by the
>>>>>>>> referint plugin.
>>>>>>>>
>>>>>>>>           The referint plugin does a substring search on these
>>>>>>>> attributes each time an
>>>>>>>>           entry is deleted, which causes a noticeable slowdown for
>>>>>>>> large directories if
>>>>>>>>           the attributes are not indexed.
>>>>>>>>
>>>>>>>>           https://fedorahosted.org/freeipa/ticket/3706
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>> Fraser
>>>>>>> ACK
>>>>>>>
>>>>>>> Please send the upgrade patch ASAP :)
>>>>>>>
>>>>>>> --
>>>>>>> Martin Basti
>>>>>>>
>>>>>> Thank you for the ACK \o/
>>>>>>
>>>>>> Since the patches have not been pushed, here is an updated patchset
>>>>>> which adds the upgrade behaviour.  There are no changes apart from
>>>>>> the additions to ipaserver/install/server/upgrade.py.
>>>>>>
>>>>>> Cheers,
>>>>>> Fraser
>>>>> ACK
>>>> NACK, the new OIDs are not registered.
>>>>
>>>> BTW all new attribute names should have the "ipa" prefix. Also I would prefer
>>>> "CertProfile" instead of just "Profile" in certificate profile related names.
>>>> Please rename the attributes as follows:
>>>>
>>>>      memberCa -> ipaMemberCa
>>>>      memberProfile -> ipaMemberCertProfile
>>>>      caCategory -> ipaCaCategory
>>>>      profileCategory -> ipaCertProfileCategory
>>>>
>>>> Honza
>>>>
>>> +1. I see that other attributes from this feature use the ipa prefix already:
>>>
>>> dn: cn=schema
>>> attributeTypes: (2.16.840.1.113730.3.8.21.1.1 NAME 'ipaCertProfileStoreIssued'
>>> DESC 'Store certificates issued using this profile' EQUALITY booleanMatch
>>> SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.2' )
>>> objectClasses: (2.16.840.1.113730.3.8.21.2.1 NAME 'ipaCertProfile' SUP top
>>> STRUCTURAL MUST ( cn $ description $ ipaCertProfileStoreIssued ) X-ORIGIN 'IPA
>>> v4.2' )
>>>
>>> Those OIDs should be BTW registered as well, if not already
>> OID registered.
>>
> Thanks!
>
>> Patches with updated names attached.
>> Can you Fraser check if I didn't break anything? :)
>>
> Everything LGTM.  Did some simple testing.  There were conflicts;
> rebased patches attached (no other changes).

Pushed to master: 947af1a037609fa42cbfd794301d5a5c4061c81b

-- 
Jan Cholasta
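The thread settles on giving every referint-managed attribute an eq, pres and sub index, because the referint plugin runs a substring search on those attributes on each delete. The following check is an added example, not code from the thread or from FreeIPA: it takes a list of attribute names (the ones you would put in 25-referint.update) and an LDIF export of the cn=index subtree, and reports which attributes still lack any of the three index types. The LDIF sample and the attribute list are constructed for illustration.

```python
"""Report referint-managed attributes that are missing eq/pres/sub indexes."""
import re

REQUIRED = {"eq", "pres", "sub"}   # index types referint needs per the thread


def parse_ldif(text):
    """Minimal LDIF parser: unfolds wrapped lines and returns a list of
    (dn, {attr: [values]}) tuples. Enough for a cn=config index export;
    base64 ('::') values are not decoded."""
    entries = []
    unfolded = re.sub(r"\n ", "", text.strip())        # join continuation lines
    for block in re.split(r"\n\s*\n", unfolded):
        attrs = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
        entries.append((attrs.get("dn", [""])[0], attrs))
    return entries


def missing_indexes(referint_attrs, index_ldif):
    """Return {attribute: set(missing index types)} for the given attributes."""
    have = {}
    for _dn, attrs in parse_ldif(index_ldif):
        if "nsindex" in [oc.lower() for oc in attrs.get("objectclass", [])]:
            have[attrs["cn"][0].lower()] = {
                t.lower() for t in attrs.get("nsindextype", [])}
    result = {}
    for attr in referint_attrs:
        missing = REQUIRED - have.get(attr.lower(), set())
        if missing:
            result[attr] = missing
    return result


# Constructed sample export: ipaMemberCa has no substring index, and there is
# no index entry for memberUser at all.
INDEX_LDIF = """\
dn: cn=ipaMemberCertProfile,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: nsIndex
cn: ipaMemberCertProfile
nsSystemIndex: false
nsIndexType: eq
nsIndexType: pres
nsIndexType: sub

dn: cn=ipaMemberCa,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: nsIndex
cn: ipaMemberCa
nsSystemIndex: false
nsIndexType: eq
nsIndexType: pres
"""
REFERINT_ATTRS = ["ipaMemberCa", "ipaMemberCertProfile", "memberUser"]
```

Running `missing_indexes(REFERINT_ATTRS, INDEX_LDIF)` on the sample flags ipaMemberCa (no sub) and memberUser (no index at all); a real run would feed it the output of an ldapsearch over the cn=index subtree.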
