On Tue, 2012-01-17 at 09:23 -0500, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Mon, 2012-01-16 at 15:43 -0500, Rob Crittenden wrote:
> >> Martin Kosek wrote:
> >>> On Mon, 2011-12-12 at 23:09 -0500, Rob Crittenden wrote:
> >>>> Rob Crittenden wrote:
> >>>>> Rather than manually adding users to the default ipa users group
> >>>>> configure automember to do it for us.
> >>>>>
> >>>>> This was quite simple for new installs but a bit complex on upgrades so
> >>>>> I implemented it as an update plugin.
> >>>>>
> >>>>> I also added a unit test for the config module. The majority of config
> >>>>> is ignored for now. I'm afraid we'd run into too many false positives if
> >>>>> we test each element, and most of these just store data so there isn't a
> >>>>> lot that can go wrong.
> >>>>>
> >>>>> rob
> >>>>
> >>>> Small revision. I wasn't shipping the update plugin.
> >>>>
> >>>> rob
> >>>
> >>> I have a few minor-ish issues:
> >>>
> >>> 0) I was thinking if this new approach for assignment of ipa default
> >>> users is safe enough. If a user accidentally messes with automember and
> >>> modifies/deletes the default group rule, new users may be omitted from
> >>> the default group set in IPA config. Are we sure that we are OK with
> >>> this?
> >>
> >> I made some stricter tests that don't allow users to manage the
> >> conditions of the default users group nor use an existing rule with
> >> conditions for the default users group.
> >>
> >>> 1) Several tests are provided with a hard-coded basedn
> >>> (dc=greyoak,dc=com). api.env.basedn would be a better choice
> >>
> >> Ouch, fixed.
> >>
> >>> 2) We could optimize user.py not to retrieve config from LDAP since it
> >>> is now needed only when api.env.wait_for_attr is now. I think this may
> >>> speedup the command a little bit:
> >>>           ...
> >>>           # Automember adds our user to the default group for us.
> >>>           if self.api.env.wait_for_attr:
> >>>               config = ldap.get_ipa_config()[1]
> >>>               def_primary_group = config.get('ipadefaultprimarygroup')
> >>>               newentry = wait_for_value(ldap, dn, 'memberOf', def_primary_group)
> >>>               entry_from_entry(entry_attrs, newentry)
> >>>           ...
> >>
> >> Ok, that's a good idea. I think this path is going to go away soon
> >> though once we have transactions in 389-ds.
> >>
> >> rob
> >>
> >
> > Thanks, it's safer now. We just have to fix ipa-server-install too:
> >
> > # ipa-server-install
> > ...
> >    [12/13]: restarting httpd
> >    [13/13]: configuring httpd to start on boot
> > done configuring httpd.
> > Applying LDAP updates
> > Unexpected error - see ipaserver-install.log for details:
> >   The default users group cannot be removed or modified
> >
> > There is also a bug in is_default_users group - all non-group automember
> > rules are rejected:
> >
> > # ipa hostgroup-add --desc="Web Servers" webservers
> > ----------------------------
> > Added hostgroup "webservers"
> > ----------------------------
> >    Host-group: webservers
> >    Description: Web Servers
> > # ipa automember-add --type=hostgroup webservers
> > ----------------------------------
> > Added automember rule "webservers"
> > ----------------------------------
> >    Automember Rule: webservers
> > # ipa automember-add-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9]+\.example\.com webservers
> > ipa: ERROR: The default users group cannot be removed or modified
> >
> > A bunch of tests in test_automember_plugin.py are failing because of this
> > bug too.
> >
> > Martin
> >
> 
> Ah, I was just running the config tests :-(
> 
> The is_default_users_group() was trivial and fixed all but two tests. It 
> did however show a potentially fatal problem to the patch.
> 
> If we use automember for users then the default group will NEVER get 
> used because we guarantee that users are always added to one automember 
> group (ipausers). This sort of defeats the purpose of being able to set 
> a default group. So I'm thinking we'll need to drop this patch.
> 
> rob

That's true. It seems that our current approach for adding users to
default group is not that bad after all.

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel