On Thu, 2011-04-21 at 15:30 -0400, Dmitri Pal wrote:
> On 04/21/2011 03:17 PM, JR Aquino wrote: 
> > This patch addresses ticket:
> > * https://fedorahosted.org/freeipa/ticket/1181
> > 
> > This patch provides:
> > * ipa-managed-entries tool which can enable/disable any of the managed 
> > entry plugins without the need of separate tools.
> >     -When run without any arguments, the tool will display a list of 
> > available plugins detected inside of /usr/share/ipa (this directory can be 
> > overridden with the --dir flag)
> > * Man Page documenting the tool usage.
> > * The removal of install/tools/ipa-host-net-manage and 
> > install/tools/man/ipa-host-net-manage.1
> > * Modification to ldap2.py: Added method for verifying upg is disabled by 
> > objectfilter: objectclass=disabled.
> >     The current code assumes that the user private group managed plugin is 
> > disabled, if the managed plugin entry is not present. 
> >     Due to bug https://bugzilla.redhat.com/show_bug.cgi?id=660399, the 
> > running system will prohibit you from removing a Managed Entry plugin.
> > 
> > NOTE: 
> >     As I was writing this tool, I noticed that in addition to Managed Entry 
> > tools, we also seem to have Schema Compatibility management tools.
> >     I had considered rolling support for those plugins as well, but after 
> > further inspection, it appears that there is hierarchical way to determine 
> > our current 'Compatibility Plugins' via looking at the .uldif files.
> >     The method employed by the managed entry tool checks to see if the 
> > .ldif file contains a modification which adds an object to the container: 
> > cn=Managed Entries,cn=plugins,cn=config.
> >     If there is interest in it, we could consolidate ipa-compat-manage and 
> > ipa-nis-manage by deciding on a default Container for Compat plugins to be 
> > located in such as: "cn=Schema Compatibility,cn=plugins,cn=config"
> >     This would potentially give us 1 tool: ipa-plugin-manage that could 
> > handle the enabling / disabling of Compat and Managed Entry Plugins...
> > 
> Please log an enhancement ticket. I think it will be deferred but
> having it in the backlog would be good.

Please note that the schema compatibility plugin enabling/disabling
should behave differently from the managed entries enabling/disabling.

The schema compat plugins configurations are per server, so that you can
decide which servers show it and which one doesn't (you may have many
masters and only a few allocated to serve legacy machines that need the
compat tree). This also means that you have to go to each server to
enable/disable the compat trees. This should be made abundantly clear in
the documentation of the respective tools.

The managed entries stuff instead should be global, and shouldn't touch
entries under cn=config (as they are local). If it does please let me


Simo Sorce * Red Hat, Inc * New York
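
An added example, not part of the thread or of the patch under review: a reviewer-side check that lists the entry DNs an LDIF file touches and marks which fall under the cn=Managed Entries,cn=plugins,cn=config container and which sit elsewhere under cn=config, the per-server tree raised in the reply above. The function names, scope labels and sample entries are assumptions made for illustration, and the check looks at DNs only.

```python
import base64

# Container named in the patch description; compared case-insensitively.
MANAGED_CONTAINER = "cn=managed entries,cn=plugins,cn=config"

def unfold(text):
    """Join LDIF continuation lines (one leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def entry_dns(text):
    """Return every entry DN in the LDIF text, decoding base64 'dn::' values."""
    dns = []
    for line in unfold(text):
        if line.lower().startswith("dn::"):
            dns.append(base64.b64decode(line[4:].strip()).decode("utf-8"))
        elif line.lower().startswith("dn:"):
            dns.append(line[3:].strip())
    return dns

def classify(text):
    """Map each DN to 'managed-entry-definition', 'server-local' or 'outside-config'."""
    scopes = {}
    for dn in entry_dns(text):
        # Simplified normalization: escaped commas inside RDN values are not handled.
        norm = ",".join(part.strip().lower() for part in dn.split(","))
        if norm.endswith("," + MANAGED_CONTAINER):
            scopes[dn] = "managed-entry-definition"
        elif norm == "cn=config" or norm.endswith(",cn=config"):
            scopes[dn] = "server-local"
        else:
            scopes[dn] = "outside-config"
    return scopes

# Constructed sample input (hypothetical entry names, not taken from FreeIPA).
B64_DN = base64.b64encode(b"cn=Other Plugin,cn=plugins,cn=config").decode("ascii")
SAMPLE = (
    "dn: cn=Example Definition, cn=Managed Entries,cn=plu\n"
    " gins,cn=config\nchangetype: add\n\n"
    "dn:: " + B64_DN + "\nchangetype: add\n\n"
    "dn: cn=Example Template,cn=etc,dc=example,dc=com\nchangetype: add\n"
)

if __name__ == "__main__":
    for dn, scope in classify(SAMPLE).items():
        print(f"{scope:26} {dn}")
```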
