Martin Kosek wrote:
On Thu, 2011-10-13 at 15:09 -0400, Rob Crittenden wrote:
Rob Crittenden wrote:
Martin Kosek wrote:
On Thu, 2011-10-13 at 11:01 -0400, Rob Crittenden wrote:
Martin Kosek wrote:
On Wed, 2011-10-12 at 23:54 -0400, Rob Crittenden wrote:
The has_upg() check was created during a transition period for 389-ds.
It is no longer needed and is actually breaking things. The location of
UPG template moved so it thinks the feature is not available. This is
making the primary user's group ipausers instead of the UPG.

rob

Shouldn't we remove has_managed_entries() and its use too? After all, we
claim that this patch fixes #1242 which asks for has_managed_entries()
removal.

Martin


Updated patch attached. It removes has_managed_entries().

rob

Looks good - there is just some leftover in the bottom of commit
message, probably from patch squashing.

However, I was thinking about has_upg() removal. Shouldn't we check if
the UPG plugin is enabled (the same way we do in ipa-managed-entries)?
Otherwise if the plugin is disabled and we would run user-add command
without --noprivate option, we would set nonexistent GID for the user as
the UPG wouldn't be created.

Martin


Ok, good point.

I decided to just fix has_upg() for now.

I'm caching the value so we don't have to do an extra search every
single time we add a user. I don't think this is the kind of thing that
is going to be turned on/off a lot (e.g. you'll turn it off and be done
with it).

rob

Updated patch to remove caching. Since the config is now replicated if
an admin disables it they would quickly have to restart all Apache
servers on all replicas which is bad.

rob


ipaserver/plugins/ldap2.py:723: [E0001] invalid syntax

return = False? Really? :-)

Martin


I'm feeling very philosophical right now. To return or not return...

rob
From 31ec8ab77a4e3310d3f14303dca267e9be4574a5 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Thu, 13 Oct 2011 13:07:49 -0400
Subject: [PATCH] Fix has_upg() to work with relocated managed entries
 configuration.

https://fedorahosted.org/freeipa/ticket/1964
---
 ipaserver/plugins/ldap2.py |   35 +++++++++++++++++------------------
 1 files changed, 17 insertions(+), 18 deletions(-)

diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index 696646c..dc71640 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -33,6 +33,7 @@ import string
 import shutil
 import tempfile
 import time
+import re
 
 import krbV
 import logging
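
Review bot: the "import re" added here serves only the single re.search() call in has_upg() further down, and the pattern passed there, '(objectclass=disable)', is a fixed string whose parentheses the regex engine reads as a capture group rather than as literal characters. As written it matches "objectclass=disable" anywhere in the filter value, with or without the surrounding parentheses, and would also match a longer value that merely starts with "disable". A plain substring test, "disable_attr in org_filter[0]", checks for the literal text including the parentheses and makes this import unnecessary; the "r'%s' % disable_attr" formatting is a no-op either way.
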
@@ -191,9 +192,6 @@ def get_schema(url, conn=None):
 # Global schema
 _schema = None
 
-# The UPG setting will be cached the first time a module checks it
-_upg = None
-
 class ldap2(CrudBackend, Encoder):
     """
     LDAP Backend Take 2.
@@ -704,23 +702,24 @@ class ldap2(CrudBackend, Encoder):
     def has_upg(self):
         """Returns True/False whether User-Private Groups are enabled.
            This is determined based on whether the UPG Template exists.
-           We determine this at module load so we don't have to test for
-           it every time.
         """
-        global _upg
 
-        if _upg is None:
-            try:
-                upg_entry = self.conn.search_s(
-                    'cn=UPG Template,cn=etc,%s' % api.env.basedn,
-                    _ldap.SCOPE_BASE,
-                    attrlist=['*']
-                )[0]
-                _upg = True
-            except _ldap.NO_SUCH_OBJECT, e:
-                _upg = False
-
-        return _upg
+        upg_dn = str(DN('cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc', api.env.basedn))
+
+        try:
+            upg_entry = self.conn.search_s(
+                upg_dn,
+                _ldap.SCOPE_BASE,
+                attrlist=['*']
+            )[0]
+            disable_attr = '(objectclass=disable)'
+            if 'originfilter' in upg_entry[1]:
+                org_filter = upg_entry[1]['originfilter']
+                return not bool(re.search(r'%s' % disable_attr, org_filter[0]))
+            else:
+                return False
+        except _ldap.NO_SUCH_OBJECT, e:
+            return False
 
     @encode_args(1, 2)
     def get_effective_rights(self, dn, entry_attrs):
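
Review bot: the docstring kept at the top of has_upg() still says the result "is determined based on whether the UPG Template exists", but the new body looks up cn=UPG Definition under cn=Managed Entries and decides on the content of originfilter, so the docstring should describe that. Two smaller points on the same body: "'originfilter' in upg_entry[1]" is a case-sensitive key test if upg_entry[1] is a plain dict, so a server that returns the attribute name in another case would send this to the "else: return False" branch and report UPG as disabled even though it is enabled, which is worth normalising the keys for (or at least noting in a comment); and since only originfilter is read, attrlist=['originfilter'] would be enough instead of ['*'].
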
-- 
1.7.6
