On Mon, 2012-01-16 at 15:43 -0500, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Mon, 2011-12-12 at 23:09 -0500, Rob Crittenden wrote:
> >> Rob Crittenden wrote:
> >>> Rather than manually adding users to the default ipa users group
> >>> configure automember to do it for us.
> >>>
> >>> This was quite simple for new installs but a bit complex on upgrades so
> >>> I implemented it as an update plugin.
> >>>
> >>> I also added a unit test for the config module. The majority of config
> >>> is ignored for now. I'm afraid we'd run into too many false positives if
> >>> we test each element, and most of these just store data so there isn't a
> >>> lot that can go wrong.
> >>>
> >>> rob
> >>
> >> Small revision. I wasn't shipping the update plugin.
> >>
> >> rob
> >
> > I have a few minor-ish issues:
> >
> > 0) I was thinking if this new approach for assignment of ipa default
> > users is safe enough. If a user accidentally messes with automember and
> > modifies/deletes the default group rule, new users may be omitted from
> > the default group set in IPA config. Are we sure that we are OK with
> > this?
>
> I made some stricter tests that don't allow users to manage the
> conditions of the default users group nor use an existing rule with
> conditions for the default users group.
>
> > 1) Several tests are provided with a hard-coded basedn
> > (dc=greyoak,dc=com). api.env.basedn would be a better choice
>
> Ouch, fixed.
>
> > 2) We could optimize user.py not to retrieve config from LDAP since it
> > is now needed only when api.env.wait_for_attr is now. I think this may
> > speed up the command a little bit:
> > ...
> >         # Automember adds our user to the default group for us.
> >         if self.api.env.wait_for_attr:
> >             config = ldap.get_ipa_config()[1]
> >             def_primary_group = config.get('ipadefaultprimarygroup')
> >             newentry = wait_for_value(ldap, dn, 'memberOf',
> >                                       def_primary_group)
> >             entry_from_entry(entry_attrs, newentry)
> > ...
>
> Ok, that's a good idea. I think this path is going to go away soon
> though once we have transactions in 389-ds.
>
> rob
>

Thanks, it's safer now. We just have to fix ipa-server-install too:

# ipa-server-install
...
  [12/13]: restarting httpd
  [13/13]: configuring httpd to start on boot
done configuring httpd.
Applying LDAP updates
Unexpected error - see ipaserver-install.log for details:
The default users group cannot be removed or modified

There is also a bug in is_default_users group - all non-group automember rules are rejected:

# ipa hostgroup-add --desc="Web Servers" webservers
----------------------------
Added hostgroup "webservers"
----------------------------
  Host-group: webservers
  Description: Web Servers
# ipa automember-add --type=hostgroup webservers
----------------------------------
Added automember rule "webservers"
----------------------------------
  Automember Rule: webservers
# ipa automember-add-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9]+\.example\.com webservers
ipa: ERROR: The default users group cannot be removed or modified

A bunch of tests in test_automember_plugin.py are failing because of this bug too.

Martin
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
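Added example (not FreeIPA's own code, and not the patch discussed in the thread): a model of the "default users group" protection check that is scoped the way the hostgroup scenario above requires. It only treats a rule as the protected one when the rule type is `group` and its name matches `ipadefaultprimarygroup` from the IPA config, so hostgroup rules such as `webservers` pass through while conditions on the default users rule are still rejected. The function names, the flat dict used for config, the `action` strings and the exception type are assumptions for illustration; the error message text is the one quoted in the mail.

```python
# Constructed illustration of a scoped default-users-group guard for
# automember rules. Not FreeIPA code: names, data model and the
# DefaultGroupProtected exception are assumptions.

DEFAULT_GROUP_ATTR = 'ipadefaultprimarygroup'

# Actions that would remove the rule or change the conditions that
# place new users into the default group.
PROTECTED_ACTIONS = frozenset(('del', 'add-condition', 'remove-condition'))


class DefaultGroupProtected(Exception):
    """Raised when a change would touch the default users group rule."""


def default_users_group(config):
    """Return the default primary group name from an IPA config entry.

    LDAP attribute values usually arrive as a list; accept either a list
    or a plain string so callers do not have to care.
    """
    value = config.get(DEFAULT_GROUP_ATTR)
    if isinstance(value, (list, tuple)):
        return value[0] if value else None
    return value


def is_default_users_rule(rule_name, rule_type, config):
    """True only for the *group* rule named after the default primary group.

    The type check is what keeps hostgroup rules (and any other non-group
    rule type) out of the protected set.
    """
    if rule_type != 'group':
        return False
    default = default_users_group(config)
    if default is None:
        return False
    return rule_name.lower() == default.lower()


def check_rule_change(rule_name, rule_type, config, action):
    """Reject removal of, or condition changes to, the default users rule.

    Returns True when the change is allowed; raises DefaultGroupProtected
    otherwise. Read-only actions such as 'show' are never blocked.
    """
    if action in PROTECTED_ACTIONS and \
            is_default_users_rule(rule_name, rule_type, config):
        raise DefaultGroupProtected(
            'The default users group cannot be removed or modified')
    return True


def walk_through_mail_scenario():
    """Replay the sequence from the mail against a constructed config.

    Returns a dict of outcomes so the behaviour can be checked without
    relying on printed output.
    """
    config = {DEFAULT_GROUP_ATTR: ['ipausers']}  # constructed sample
    outcomes = {}

    # 'ipa automember-add-condition --type=hostgroup ... webservers'
    # must be accepted: hostgroup rules are never the default users rule.
    outcomes['webservers_condition'] = check_rule_change(
        'webservers', 'hostgroup', config, 'add-condition')

    # Managing conditions of the default users *group* rule is what the
    # stricter tests are meant to stop.
    try:
        check_rule_change('ipausers', 'group', config, 'remove-condition')
        outcomes['ipausers_condition'] = 'allowed'
    except DefaultGroupProtected:
        outcomes['ipausers_condition'] = 'blocked'

    # Another group rule with a different name is not protected.
    outcomes['admins_del'] = check_rule_change(
        'admins', 'group', config, 'del')
    return outcomes


if __name__ == '__main__':
    print(walk_through_mail_scenario())
```

The guard is deliberately a pure predicate over (name, type, config): that makes it easy to unit-test each rule type in isolation, which is the kind of check that would have caught the "all non-group rules rejected" regression before it reached test_automember_plugin.py.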