On 03/24/2014 02:33 PM, Nathaniel McCallum wrote:
> On Wed, 2014-03-19 at 17:37 +0200, Alexander Bokovoy wrote:
>> On Fri, 21 Feb 2014, Nathaniel McCallum wrote:
>>> On Fri, 2014-02-21 at 00:08 +0200, Alexander Bokovoy wrote:
>>>> On Thu, 20 Feb 2014, Nathaniel McCallum wrote:
>>>>>>>>> There is an error in libotp's find() function which assumes that
>>>>>>>>> get_basedn() always returns non-NULL value. This is not true for at
>>>>>>>>> least cn=Directory Manager.
>>>>>>>>>
>>>>>>>>> Patch attached.
>>>>>>>> More fixes required, now that Thierry produced the fix for 389-ds
>>>>>>>> ticket 47699 which allows to re-arrange schema-compat and ipa-pwd-extop
>>>>>>>> plugins. I'm getting crash in find() in libotp.c for internal search in
>>>>>>>> some other conditions but at least user dn now is the correct one.
>>>>>>>>
>>>>>>>> Stay tuned.
>>>>>>> OK, finally I've got it working -- my last patch had error which could
>>>>>>> be attributed to the late night time.
>>>>>>>
>>>>>>> New patch is attached to fix libotp to work properly with empty base dn
>>>>>>> (such as cn=Directory Manager).
>>>>>>>
>>>>>>> Also I'm attaching the patch that sets precedence of schema-compat
>>>>>>> plugin to 49 (less than default 50). With this patch and 389-ds with
>>>>>>> patch from ticket 47699 compat tree binds work with OTP.
>>>>>>>
>>>>>>> When updated 389-ds-base will be released, we'll need to add Requires:
>>>>>>> to our RPM spec to depend on it. Without the updated 389-ds-base compat
>>>>>>> tree binds will not work with OTP but the rest will be working fine.
>>>>>>>
>>>>>>> Finally, ACK to all OTP patches.
>>>>>>
>>>>>> ACK to both of these patches.
>>>>>
>>>>> I've merged the first patch here --
>>>>> https://www.redhat.com/archives/freeipa-devel/2014-February/msg00341.html
>>>>>
>>>>> I just realized the second patch shouldn't be ACK'd until we have a new
>>>>> 389DS release with the fix. When that happens, reissue this patch with
>>>>> an update versioned require.
>>>> No, it can be safely merged as 389DS will use default precedence (50)
>>>> unless the fix is there. So the worst we get is the same as now -- OTP binds
>>>> will not work over compat tree. And when 389DS will be upgraded, they
>>>> will start working after 389DS restart.
>>>
>>> But this patch doesn't actually do anything until we get the new version
>>> of 389DS. If we are ever going to add a versioned dependency on the new
>>> 389DS for this feature, it should go in this patch. Otherwise, it is an
>>> ACK from me.
>> New 389-DS is in Fedora 20 updates stable and Rawhide already.
>> 389-ds-base-1.3.2.16-1.fc20. Also, selinux-policy 3.12.1-135 is now in
>> Fedora 20 updates testing, providing multiple policy enhancements that
>> make possible Apache process to work with kernel-based credentials
>> caches.
>>
>> Attached patch makes use of the new packages.
>
> ACK

Pushed both patches below:

[PATCH 17/17] schema-compat: set precedence to 49 to allow OTP binds over compat tree
[PATCH] freeipa.spec.in: update dependencies to 389-ds and selinux-policy

to master.

Martin
