On 11/16/2012 05:18 PM, Rob Crittenden wrote:
> Nalin Dahyabhai wrote:
>> On Thu, Nov 15, 2012 at 11:53:44PM -0500, Rob Crittenden wrote:
>>> In order for this to work you'll need to apply the last two patches
>>> (both 0001) to slapi-nis and spin it up yourself, otherwise you'll
>>> have serious deadlock issues. I know this is extra work but this
>>> patch is potentially disruptive so I figure the earlier it is out
>>> the better.
>>>
>>> Noriko/Rich/Nalin, can you guys review the slapi-nis pieces? I may
>>> have been too aggressive in my cleanup.
>>>
>>> Noriko/Rich, can you review the 389-ds plugin parts of my 1072 patch?
>>>
>>> Once we have an official slapi-nis build with these patches we'll
>>> need to set the minimum n-v-r in our spec file.
>>
>> Rob, the original patch was already applied.  I since reworked large
>> parts of how it was organized to make it easier for me to read, and
>> tagged the result as 0.43.  Have you tested the IPA changes in
>> combination with the 0.44 builds from either ipa-devel or Fedora 18's
>> updates-testing repository?
>>
>> Nalin
>>
> 
> I tested the 0.44 build and things are looking good. I'm not deadlocking, so I
> guess that's the desired out come :-)
> 
> I bulk loaded a few thousand users and groups and tested the compat and NIS
> plugins and the data appears correct.
> 
> Updated patch with minimum n-v-r in spec attached.
> 
> rob
> 

Good job, this closes a lot of tickets! I am now also able to run tests without
having to set wait_for_attr env config first!

The patch generally seems to work OK, I tried it even with a replica without
transactions enabled and so far so good. I have found just few issues:

1) Patch needs a mild rebase (spec file conflict)

2) One Unit test failure slipped:

======================================================================
FAIL: test_permission[22]: permission_find: Search for permissions by attr with
a limit of 1 (truncated)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/nose/case.py", line 197, in runTest
    self.test(*self.arg)
  File "/root/freeipa-master/tests/test_xmlrpc/xmlrpc_test.py", line 249, in
<lambda>
    func = lambda: self.check(nice, **test)
  File "/root/freeipa-master/tests/test_xmlrpc/xmlrpc_test.py", line 266, in 
check
    self.check_output(nice, cmd, args, options, expected, extra_check)
  File "/root/freeipa-master/tests/test_xmlrpc/xmlrpc_test.py", line 304, in
check_output
    assert_deepequal(expected, got, nice)
  File "/root/freeipa-master/tests/util.py", line 335, in assert_deepequal
    assert_deepequal(e_sub, g_sub, doc, stack + (key,))
  File "/root/freeipa-master/tests/util.py", line 323, in assert_deepequal
    assert_deepequal(e_sub, g_sub, doc, stack + (i,))
  File "/root/freeipa-master/tests/util.py", line 329, in assert_deepequal
    doc, sorted(missing), sorted(extra), expected, got, stack
AssertionError: assert_deepequal: dict keys mismatch.
  test_permission[22]: permission_find: Search for permissions by attr with a
limit of 1 (truncated)
  missing keys = []
  extra keys = ['memberindirect']
  expected = {'dn': ipapython.dn.DN('cn=Modify HBAC
rule,cn=permissions,cn=pbac,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com'), 'cn':
[u'Modify HBAC rule'], 'member_privilege': [u'HBAC Administrator'], 'subtree':
u'ldap:///ipauniqueid=*,cn=hbac,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',
'attrs': [u'servicecategory', u'sourcehostcategory', u'cn', u'description',
u'ipaenabledflag', u'accesstime', u'usercategory', u'hostcategory',
u'accessruletype', u'sourcehost'], 'permissions': [u'write']}
  got = {'dn': u'cn=Modify HBAC
rule,cn=permissions,cn=pbac,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com', 'cn':
(u'Modify HBAC rule',), 'member_privilege': (u'HBAC Administrator',),
'subtree':
u'ldap:///ipauniqueid=*,cn=hbac,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',
'memberindirect': (u'cn=IT Security
Specialist,cn=roles,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',),
'attrs': (u'servicecategory', u'sourcehostcategory', u'cn', u'description',
u'ipaenabledflag', u'accesstime', u'usercategory', u'hostcategory',
u'accessruletype', u'sourcehost'), 'permissions': (u'write',)}
  path = ('result', 0)


3) Question - what is the reason of keeping wait_for_attr sections in our code?
I may miss something, but I see no difference with api.env.wait_for_attr
enabled... AFAIU, there should not even be any difference as all attributes
should be filled in one transaction, so I would rather remove this flag from
both code and man page.

4) nsslapd-pluginbetxn is not set for schema compatibility plugin after upgrade:

# Schema Compatibility, plugins, config
dn: cn=Schema Compatibility,cn=plugins,cn=config
nsslapd-pluginId: schema-compat-plugin
cn: Schema Compatibility
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
nsslapd-pluginDescription: Schema Compatibility Plugin
nsslapd-pluginEnabled: on
nsslapd-pluginPath: /usr/lib64/dirsrv/plugins/schemacompat-plugin.so
nsslapd-pluginVersion: 0.44 (betxn support available and enabled by default)
nsslapd-pluginVendor: redhat.com
nsslapd-pluginType: object
nsslapd-pluginInitfunc: schema_compat_plugin_init

This is supposed to be enabled by default, judging by nsslapd-pluginVersion
description, but this may create an inconsistency between new installs and
upgraded IPA servers.

The same issue applies to IPA server with NIS plugin enabled.

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to