On Thu, 2011-07-21 at 23:52 +0000, JR Aquino wrote:
> On Apr 25, 2011, at 9:00 AM, Simo Sorce wrote:
>
> > On Mon, 2011-04-25 at 14:59 +0000, JR Aquino wrote:
> >> On Apr 25, 2011, at 6:43 AM, Simo Sorce wrote:
> >>
> >>> On Thu, 2011-04-21 at 23:28 +0000, JR Aquino wrote:
> >>>> Hmmm
> >>>> Both Private Groups and the Hostgroup -> Netgroup Managed Entries
> >>>> create objects in the container:
> >>>> cn=Managed Entries,cn=plugins,cn=config
> >>>>
> >>>> Each Ldif contains 2 ldap objects. One that lives in the main $SUFFIX,
> >>>> and one in the cn=config
> >>>>
> >>>> How will these be treated by replication and the multi masters?
> >>>
> >>> Only the common objects in the public suffix are replicated.
> >>> I think at some point we discussed that we should use a filter in the
> >>> private config entry made so that we could enable/disable the plugin by
> >>> simply making the filter result true/false.
> >>> Thus not ever touch the entries in cn=config but simply
> >>> "enable"/"disable" the functionality by (not)adding the appropriate
> >>> attributes to objects so that filters would (not) match.
> >>>
> >>> Simo.
> >>
> >> This tool works by toggling the originfilter: objectclass=disabled in
> >> order to turn off the plugin.
> >
> > But this is backwards, because originfilter is defined in the
> > configuration entry stored in cn=config
> >
> > Meaning as soon as you change it one server will behave differently from
> > the others until you go and change it on each and every server.
>
> Finally able to revisit this Patch / Ticket:
> (To be used in conjunction with Patch 38)
>
> 25 Create Tool for Enabling/Disabling Managed Entry
> Plugins https://fedorahosted.org/freeipa/ticket/1181
>
> Remove legacy ipa-host-net-manage
> Add ipa-managed-entries tool
> Add man page for ipa-managed-entries tool
>

I have found a few issues with the patch:

1) I don't think it's necessary to change BuildRequires to
   389-ds-base-devel >= 1.2.8

2) Invalid comment in get_dirman_password() function. There is no
   verification of the password. It just prompts for it.

3) ipa-managed-entries man pages: copy & paste error:

+Directory Server will need to be restarted after the schema
compatibility plugin has been enabled.

4) Invalid help of the program:

   # ipa-managed-entries --help
   Usage: ipa-managed-entries [options] <enable|disable>
          ipa-managed-entries [options]

   - status action is missing
   - running program without action is not allowed, i.e. should not be
     offered

5) I was thinking if there is a better solution to enabling/disabling of
   the plugin. Like setting something like a "managedEntryEnabled"
   attribute to on/off as we do with the compat plugin. The current concept
   of disabling the definition by damaging the originFilter and then
   restoring it from an LDIF seems a bit awkward to me.

6) ipa-managed-entries crashes when the managed entry is a wrong file:

   # ipa-managed-entries status -f /usr/share/ipa/managed-entries.ldif
   Directory Manager password:
   Traceback (most recent call last):
     File "/usr/sbin/ipa-managed-entries", line 245, in <module>
       sys.exit(main())
     File "/usr/sbin/ipa-managed-entries", line 141, in main
       originFilter = entry_attr['originFilter'][0]
   KeyError: 'originFilter'

7) What if there are more managed entries in the LDIF? This concept
   would not work correctly then. A behavior I would expect:
   a) User (optionally) passes a directory with managed entries LDIFs
   b) ipa-managed-entries analyzes all LDIFs and prints available
      Managed Entry definitions
   c) I would choose the one I want to enable/disable via an
      ipa-managed-entries option

Martin
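
An added example, not part of the thread and not code from the patch: one way a tool could cover review points 6 and 7 together, listing every record in an LDIF that carries an originFilter and reporting the ones that do not instead of raising KeyError. The sample LDIF, the DNs under dc=example,dc=com and the function names parse_ldif and managed_entry_definitions are assumptions made for the illustration.

```python
# Added illustration; not code from the ipa-managed-entries patch.
import base64

# Constructed sample LDIF: one complete definition, one without originFilter.
SAMPLE_LDIF = """\
dn: cn=UPG Definition,cn=Managed Entries,cn=plugins,cn=config
objectClass: extensibleObject
cn: UPG Definition
originScope: cn=users,cn=accounts,dc=example,dc=com
originFilter: (objectclass=posixAccount)

dn: cn=Broken Definition,cn=Managed Entries,cn=plugins,cn=config
objectClass: extensibleObject
cn: Broken Definition
originScope: cn=hostgroups,cn=accounts,
 dc=example,dc=com
"""

def parse_ldif(text):
    """Minimal LDIF reader: yield (dn, {lowercased attr: [values]}) per record."""
    # A line starting with one space continues the previous line (folding).
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if line.startswith("#") or not sep:
                continue  # comment or malformed line
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        if dn:
            yield dn, attrs

def managed_entry_definitions(text):
    """Return ({dn: originFilter}, [dns lacking originFilter]); never KeyError."""
    definitions, skipped = {}, []
    for dn, attrs in parse_ldif(text):
        filters = attrs.get("originfilter")
        if filters:
            definitions[dn] = filters[0]
        else:
            skipped.append(dn)
    return definitions, skipped
```
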