On Thu, 2011-07-21 at 23:52 +0000, JR Aquino wrote:
> On Apr 25, 2011, at 9:00 AM, Simo Sorce wrote:
> 
> > On Mon, 2011-04-25 at 14:59 +0000, JR Aquino wrote:
> >> On Apr 25, 2011, at 6:43 AM, Simo Sorce wrote:
> >> 
> >>> On Thu, 2011-04-21 at 23:28 +0000, JR Aquino wrote:
> >>>> Hmmm
> >>>> Both Private Groups and the Hostgroup -> Netgroup Managed Entries
> >>>> create objects in the container:
> >>>> cn=Managed Entries,cn=plugins,cn=config
> >>>> 
> >>>> Each LDIF contains 2 LDAP objects. One that lives in the main $SUFFIX,
> >>>> and one in the cn=config
> >>>> 
> >>>> How will these be treated by replication and the multi masters?
> >>> 
> >>> Only the common objects in the public suffix are replicated.
> >>> I think at some point we discussed that we should use a filter in the
> >>> private config entry made so that we could enable/disable the plugin by
> >>> simply making the filter result true/false.
> >>> Thus not ever touch the entries in cn=config but simply
> >>> "enable"/"disable" the functionality by (not)adding the appropriate
> >>> attributes to objects so that filters would (not) match.
> >>> 
> >>> Simo.
> >> 
> >> This tool works by toggling the originfilter: objectclass=disabled in 
> >> order to turn off the plugin.
> > 
> > But this is backwards, because originfilter is defined in the
> > configuration entry stored in cn=config
> > 
> > Meaning as soon as you change it one server will behave differently from
> > the others until you go and change it on each and every server.
> 
> Finally able to revisit this Patch / Ticket:
> (To be used in conjunction with Patch 38)
> 
> 25 Create Tool for Enabling/Disabling Managed Entry
> Plugins https://fedorahosted.org/freeipa/ticket/1181
> 
> Remove legacy ipa-host-net-manage
> Add ipa-managed-entries tool
> Add man page for ipa-managed-entries tool
> 

I have found a few issues with the patch:

1) I don't think it's necessary to change BuildRequires to
389-ds-base-devel >= 1.2.8

2) Invalid comment in get_dirman_password() function. There is no
verification of the password. It just prompts for it.

3) ipa-managed-entries man pages: copy & paste error:
+Directory Server will need to be restarted after the schema
compatibility plugin has been enabled.

4) Invalid help of the program:
# ipa-managed-entries --help
Usage: ipa-managed-entries [options] <enable|disable>
       ipa-managed-entries [options]

- status action is missing
- running program without action is not allowed, i.e. should not be
offered

5) I was thinking if there is a better solution to enabling/disabling of
the plugin. Like setting something like "managedEntryEnabled" attribute
to on/off as we do with compat plugin. Current concept with disabling
the definition by damaging the originFilter and then restoring it from
an LDIF seems a bit awkward to me.

6) ipa-managed-entries crashes when managed entry is a wrong file:

# ipa-managed-entries status -f /usr/share/ipa/managed-entries.ldif 
Directory Manager password: 

Traceback (most recent call last):
  File "/usr/sbin/ipa-managed-entries", line 245, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-managed-entries", line 141, in main
    originFilter = entry_attr['originFilter'][0]
KeyError: 'originFilter'

7) What if there are more managed entries in the LDIF? This concept
would not work correctly then. A behavior I would expect:
a) User (optionally) passes a directory with managed entries LDIFs
b) ipa-managed-entries analyzes all LDIFs and prints available Managed
Entry definitions
c) I would choose the one I want to enable/disable via
ipa-managed-entries option

Martin
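
Points 6 and 7 of the review above, as an added example that is not part of the original message or of the FreeIPA patch: it reads every record in an LDIF, reports the ones that carry originFilter, and skips records without it instead of raising KeyError. The sample LDIF and its DNs are constructed, and parse_ldif and managed_entry_status are hypothetical names.

```python
import base64

# Constructed sample: two definitions plus one unrelated record with no originFilter.
SAMPLE_LDIF = """\
dn: cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=example,dc=com
objectClass: extensibleObject
cn: UPG Definition
originFilter: (objectclass=posixAccount)

dn: cn=NGP Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=example,dc=com
objectClass: extensibleObject
cn: NGP Definition
originFilter: objectclass=disabled

dn: cn=schema,dc=example,dc=com
objectClass: top
cn: schema
"""

def parse_ldif(text):
    """Yield (dn, attrs) per record; attrs maps lower-cased names to value lists."""
    # Unfold RFC 2849 continuation lines (newline followed by one space).
    text = text.replace("\r\n", "\n").replace("\n ", "")
    for block in text.split("\n\n"):
        attrs = {}
        for line in block.split("\n"):
            if line.startswith("#"):
                continue                      # LDIF comment
            name, sep, value = line.partition(":")
            if not sep:
                continue                      # empty or malformed line
            if value.startswith(":"):         # "attr:: <base64 value>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        if "dn" in attrs:
            yield attrs["dn"][0], attrs

def managed_entry_status(text):
    """Return {dn: 'enabled' | 'disabled'} for every record that has originFilter."""
    status = {}
    for dn, attrs in parse_ldif(text):
        filters = attrs.get("originfilter")   # .get(): no KeyError on other records
        if not filters:
            continue                          # not a Managed Entry definition
        # The thread describes the disabled state as originFilter: objectclass=disabled.
        disabled = filters[0].strip("()").lower() == "objectclass=disabled"
        status[dn] = "disabled" if disabled else "enabled"
    return status
```
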
