Martin Kosek wrote:
On Thu, 2011-07-21 at 23:52 +0000, JR Aquino wrote:
On Apr 25, 2011, at 9:00 AM, Simo Sorce wrote:

On Mon, 2011-04-25 at 14:59 +0000, JR Aquino wrote:
On Apr 25, 2011, at 6:43 AM, Simo Sorce wrote:

On Thu, 2011-04-21 at 23:28 +0000, JR Aquino wrote:
Both Private Groups and the Hostgroup -> Netgroup Managed Entries
create objects in the container:
cn=Managed Entries,cn=plugins,cn=config

Each LDIF contains 2 LDAP objects. One that lives in the main $SUFFIX,
and one in cn=config

How will these be treated by replication and the multi masters?

Only the common objects in the public suffix are replicated.
I think at some point we discussed that we should use a filter in the
private config entry, made so that we could enable/disable the plugin by
simply making the filter result true/false.
Thus we would never touch the entries in cn=config but simply
"enable"/"disable" the functionality by (not) adding the appropriate
attributes to objects so that the filters would (not) match.


This tool works by toggling the originFilter to objectclass=disabled in order to
turn off the plugin.

But this is backwards, because originfilter is defined in the
configuration entry stored in cn=config

Meaning as soon as you change it one server will behave differently from
the others until you go and change it on each and every server.

Finally able to revisit this Patch / Ticket:
(To be used in conjunction with Patch 38)

25 Create Tool for Enabling/Disabling Managed Entry

Remove legacy ipa-host-net-manage
Add ipa-managed-entries tool
Add man page for ipa-managed-entries tool

I have found a few issues with the patch:

1) I don't think it's necessary to change BuildRequires to
389-ds-base-devel >= 1.2.8

I think this is because of the ability to move the config out of cn=config. It should probably be Requires and not BuildRequires though.

2) Invalid comment in the get_dirman_password() function. There is no
verification of the password. It just prompts for it.

3) ipa-managed-entries man page: copy & paste error:
+Directory Server will need to be restarted after the schema
compatibility plugin has been enabled.

4) Invalid help output of the program:
# ipa-managed-entries --help
Usage: ipa-managed-entries [options] <enable|disable>
        ipa-managed-entries [options]

- the status action is missing
- running the program without an action is not allowed, i.e. it should not be

5) I was thinking about whether there is a better solution for enabling/disabling
the plugin. Like setting something like a "managedEntryEnabled" attribute
to on/off as we do with the compat plugin. The current concept of disabling
the definition by damaging the originFilter and then restoring it from
an LDIF seems a bit awkward to me.

We have to do it this way (or something like it) because cn=config is not replicated.

6) ipa-managed-entries crashes when the managed entry is the wrong file:

# ipa-managed-entries status -f /usr/share/ipa/managed-entries.ldif
Directory Manager password:

Traceback (most recent call last):
   File "/usr/sbin/ipa-managed-entries", line 245, in <module>
   File "/usr/sbin/ipa-managed-entries", line 141, in main
     originFilter = entry_attr['originFilter'][0]
KeyError: 'originFilter'

7) What if there are more managed entries in the LDIF? This concept
would not work correctly then. The behavior I would expect:
a) The user (optionally) passes a directory with managed entries LDIFs
b) ipa-managed-entries analyzes all LDIFs and prints the available Managed
Entry definitions
c) I would choose the one I want to enable/disable via an
ipa-managed-entries option

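An added example, not code from the patch or from FreeIPA, of the "analyze all LDIFs and print the definitions" behaviour asked for in point 7, written so that a definition without originFilter reports "unknown" instead of the KeyError shown in point 6. The LDIF contents and DNs are constructed for the example; the objectclass=disabled value is the originFilter toggle described earlier in the thread.

```python
import re
# Constructed sample LDIF (made-up DNs): one live definition, one switched off
# with the objectclass=disabled trick, one lacking originFilter, and a template.
SAMPLE_LDIF = """\
dn: cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=example,dc=com
originFilter: objectclass=posixAccount
managedTemplate: cn=UPG Template,cn=Templates,cn=Managed Entries,cn=etc,dc=example,dc=com

dn: cn=NGP Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=example,dc=com
originFilter: objectclass=disabled
managedTemplate: cn=NGP Template,cn=Templates,cn=Managed Entries,cn=etc,dc=example,dc=com

dn: cn=Broken Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=example,dc=com
managedTemplate: cn=NGP Template,cn=Templates,cn=Managed Entries,cn=etc,dc=example,dc=com

dn: cn=UPG Template,cn=Templates,cn=Managed Entries,cn=etc,dc=example,dc=com
objectclass: mepTemplateEntry
"""

def parse_ldif(text):
    """Minimal LDIF reader: records split on blank lines, folded lines joined,
    attribute names lower-cased. Returns a list of (dn, {attr: [values]})."""
    entries = []
    for record in re.split(r"\n\s*\n", text.strip()):
        unfolded = re.sub(r"\n ", "", record)          # join continuation lines
        dn, attrs = None, {}
        for line in unfolded.splitlines():
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            elif name and not name.startswith("#"):   # skip blanks and comments
                attrs.setdefault(name, []).append(value)
        entries.append((dn, attrs))
    return entries

def definition_status(text):
    """Map each definition's RDN value (entries carrying managedTemplate) to
    'enabled', 'disabled' or 'unknown'; a missing originFilter is not a crash."""
    status = {}
    for dn, attrs in parse_ldif(text):
        if "managedtemplate" not in attrs:
            continue                                   # template or unrelated entry
        name = dn.partition(",")[0].partition("=")[2]  # e.g. "UPG Definition"
        filters = attrs.get("originfilter", [])        # [] instead of KeyError
        status[name] = ("unknown" if not filters else
                        "disabled" if filters[0].lower() == "objectclass=disabled"
                        else "enabled")
    return status
```

Running definition_status() over every LDIF in a directory gives the listing from step b); the tool would then only need to rewrite the chosen definition's originFilter.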

Freeipa-devel mailing list