On 03/24/2014 02:33 PM, Nathaniel McCallum wrote:
> On Wed, 2014-03-19 at 17:37 +0200, Alexander Bokovoy wrote:
>> On Fri, 21 Feb 2014, Nathaniel McCallum wrote:
>>> On Fri, 2014-02-21 at 00:08 +0200, Alexander Bokovoy wrote:
>>>> On Thu, 20 Feb 2014, Nathaniel McCallum wrote:
>>>>>>>>> There is an error in libotp's find() function which assumes that
>>>>>>>>> get_basedn() always returns non-NULL value. This is not true for at
>>>>>>>>> least cn=Directory Manager.
>>>>>>>>>
>>>>>>>>> Patch attached.
>>>>>>>> More fixes required, now that Thierry produced the fix for 389-ds ticket
>>>>>>>> 47699 which allows re-arranging the schema-compat and ipa-pwd-extop
>>>>>>>> plugins. I'm getting a crash in find() in libotp.c for internal search in
>>>>>>>> some other conditions but at least user dn now is the correct one.
>>>>>>>>
>>>>>>>> Stay tuned.
>>>>>>> OK, finally I've got it working -- my last patch had an error which could
>>>>>>> be attributed to the late night time.
>>>>>>>
>>>>>>> New patch is attached to fix libotp to work properly with empty base dn
>>>>>>> (such as cn=Directory Manager).
>>>>>>>
>>>>>>> Also I'm attaching the patch that sets precedence of schema-compat
>>>>>>> plugin to 49 (less than default 50). With this patch and 389-ds with
>>>>>>> patch from ticket 47699 compat tree binds work with OTP.
>>>>>>>
>>>>>>> When updated 389-ds-base will be released, we'll need to add Requires:
>>>>>>> to our RPM spec to depend on it. Without the updated 389-ds-base compat
>>>>>>> tree binds will not work with OTP but the rest will be working fine.
>>>>>>>
>>>>>>> Finally, ACK to all OTP patches.
>>>>>>
>>>>>> ACK to both of these patches.
>>>>>
>>>>> I've merged the first patch here --
>>>>> https://www.redhat.com/archives/freeipa-devel/2014-February/msg00341.html
>>>>>
>>>>> I just realized the second patch shouldn't be ACK'd until we have a new
>>>>> 389DS release with the fix. When that happens, reissue this patch with
>>>>> an updated versioned require.
>>>> No, it can be safely merged as 389DS will use default precedence (50) unless
>>>> the fix is there. So the worst we get is the same as now -- OTP binds
>>>> will not work over compat tree. And when 389DS will be upgraded, they
>>>> will start working after 389DS restart.
>>>
>>> But this patch doesn't actually do anything until we get the new version
>>> of 389DS. If we are ever going to add a versioned dependency on the new
>>> 389DS for this feature, it should go in this patch. Otherwise, it is an
>>> ACK from me.
>> New 389-DS is in Fedora 20 updates stable and Rawhide already.
>> 389-ds-base-1.3.2.16-1.fc20. Also, selinux-policy 3.12.1-135 is now in
>> Fedora 20 updates testing, providing multiple policy enhancements that
>> make it possible for the Apache process to work with kernel-based credentials
>> caches.
>>
>> Attached patch makes use of the new packages.
> 
> ACK

Pushed both patches below:

[PATCH 17/17] schema-compat: set precedence to 49 to allow OTP binds over
compat tree
[PATCH] freeipa.spec.in: update dependencies to 389-ds and selinux-policy

to master.

Martin
