On 10/02/2012 05:46 PM, Martin Kosek wrote:
On 10/02/2012 03:04 PM, Martin Kosek wrote:
On 10/02/2012 12:19 PM, Petr Viktorin wrote:
On 10/01/2012 05:28 PM, Martin Kosek wrote:
From IPA 3.0, services have by default ipakrbprincipal objectclass which
allows ipakrbprincipalalias attribute used for case-insensitive principal
searches. However, as services created in previous version do not have
this objectclass (and attribute), they are not listed in service list
produced by service-find.

Treat the ipakrbprincipal as optional to avoid missing services in
service-find command. Add flag to service-mod command which can fill
ipakrbprincipalalias attribute when case-insensitive principal searches
for a 2.x service are required.

https://fedorahosted.org/freeipa/ticket/3106

This works, I'm getting all services now & the tests pass.


-----

I am still pondering about a right way to fill ipakrbprincipalalias used for
IPA 3.0 case-insensitive searches, so far I implemented this command:

ipa service-mod PRINCIPAL --update-principal-alias

But I am thinking it may be a better approach to generalize it and do something
like that:

ipa service-mod PRINCIPAL --upgrade/--update

This command would do a general update of service entry to an up-to-date 3.0
style, in this case it could do 2 things:
* fill ipakrbprincipalalias
* fill ipakrbauthzdata (based on default value in IPA config).

I don't think you're generalizing enough; `service-mod --upgrade` isn't that
different from `service-mod --update-principal-alias --update-authzdata`.
Scripting this to happen for all services could be a nuisance, though. There
should be a way to upgrade all services at once, and since we already have
ipa-ldap-updater for it, it should run as part of that.

I think we should keep ipakrbprincipal optional, in case the upgrade goes wrong.


I agree. I created an upgrade plugin which should update all services and fill
ipakrbprincipalalias during upgrade (attached). I tested 2.2 -> 3.0 upgrade and
it worked fine.

Martin


There was a glitch in the loop repeating the update when LDAP limits are hit -
thanks Petr Viktorin for noticing the issue. It is working now, I tried with 10
affected services and search limit set to 1 entry - and the loop executed 10
times as it was supposed to.

I also disabled size/time limits for the search in the upgrade plugin. But it
would also work if default IPA search limits (100 entries) are used, it should
just make things faster.

Martin


With the limits removed, the loop is redundant. Please decide yourself if it would be better to remove it.
ACK from me if you want to push it as is.

--
Petr³
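
The search-and-repeat behaviour discussed in this thread, as an added sketch that is not the attached upgrade plugin and not FreeIPA code: it shows why the loop runs once per truncated search and why it becomes a single pass when limits are disabled. `FakeDirectory`, the function names and the sample entries are constructed, and filling the alias from `krbprincipalname` is an assumption.

```python
# Constructed in-memory stand-in for an LDAP server; not FreeIPA code.
class FakeDirectory:
    def __init__(self, entries, size_limit):
        self.entries = entries          # dn -> {attribute: [values]}
        self.size_limit = size_limit    # 0 means no size limit

    def search_legacy_services(self):
        """Return (dns, truncated) for services lacking ipakrbprincipal."""
        matches = [
            dn for dn, attrs in sorted(self.entries.items())
            if "krbprincipalname" in attrs
            and "ipakrbprincipal" not in attrs["objectclass"]
        ]
        if self.size_limit and len(matches) > self.size_limit:
            return matches[:self.size_limit], True
        return matches, False


def upgrade_services(directory):
    """Fill ipakrbprincipalalias on 2.x-style services; return search rounds."""
    rounds = 0
    while True:
        dns, truncated = directory.search_legacy_services()
        rounds += 1
        for dn in dns:
            attrs = directory.entries[dn]
            attrs["objectclass"].append("ipakrbprincipal")
            # Assumption: the alias is seeded from the existing principal name.
            attrs["ipakrbprincipalalias"] = list(attrs["krbprincipalname"])
        # Updated entries no longer match the filter, so every round makes
        # progress; an untruncated result means the limit hid nothing.
        if not truncated:
            return rounds
        if not dns:  # truncated yet empty: repeating would never terminate
            raise RuntimeError("search truncated without returning entries")


def make_directory(count, size_limit):
    """Constructed sample data: `count` services created the 2.x way."""
    entries = {}
    for i in range(count):
        principal = "HTTP/host%d.example.test@EXAMPLE.TEST" % i
        entries["krbprincipalname=%s,cn=services" % principal] = {
            "objectclass": ["krbprincipal", "ipaservice"],
            "krbprincipalname": [principal],
        }
    return FakeDirectory(entries, size_limit)
```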
