Martin Kosek wrote:
On Mon, 2012-06-11 at 14:37 -0400, Rob Crittenden wrote:
Martin Kosek wrote:
On Wed, 2012-06-06 at 09:11 +0200, Petr Vobornik wrote:
On 06/06/2012 08:01 AM, Martin Kosek wrote:
On Tue, 2012-06-05 at 17:35 -0400, Rob Crittenden wrote:
Martin Kosek wrote:
This set of patches
1) Adds support for uni-directional remote membership to the baseldap
plugin (like service->host membership in the service managedby attribute) -
patch 272
2) Adds support for service->host membership to the host plugin using the
new interface - patch 273

Martin

Have you tried this in the UI? Are these new relationships already handled?

rob

I just checked that I didn't break anything in the host page. But with
this patch, we could add a tab with a list of services for a selected
host. I will check with Petr if the information we provide is enough.

Martin


The provided information is sufficient for implementation of the UI part.


Thanks Petr, I created a ticket for Web UI to implement this new
relationship:
https://fedorahosted.org/freeipa/ticket/2812

Martin


This is displaying the DN of the service, which is case-insensitive, so
for example the HTTP principal shows as: http/ipa.example.com. Perhaps
take the RDN and pull that attribute specifically?

rob

Yes, this is caused by our (member) DN normalizing which is a more
general issue than this patch (I would not hold it because of that).

Look for example at roles, we also put all privilege member DNs to
lower case:

# ipa role-show helpdesk
   Role name: helpdesk
   Description: Helpdesk
   Privileges: modify users and reset passwords, modify group membership

DNs are normalized as well:
# ipa role-show helpdesk --all --raw
   dn: cn=helpdesk,cn=roles,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
   cn: helpdesk
   description: Helpdesk
   memberof: cn=modify users and reset passwords,cn=privileges,cn=pbac,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
...

# ipa privilege-show "modify users and reset passwords"
   Privilege name: Modify Users and Reset passwords   <<< not lowercase


Bottom line is that I would not do any extra processing just for
"remote_attrs" (which would make it inconsistent with the rest). This
needs to be solved on a more global level.

I see there are at least these two tickets relevant to this issue:
#2620   renaming of objects is case insensitive
#2482   Sudo commands are case-insensitive

Martin


I think this is a different issue and related to the way we decided to structure some DNs. IMHO I'd rather not show member service principals than show an incorrect one.

rob
