On 04/16/2014 03:52 PM, Simo Sorce wrote:
> On Wed, 2014-04-16 at 10:35 +0200, Jan Cholasta wrote:
>> On 11.4.2014 13:31, Petr Viktorin wrote:
>>> One of the default_attributes of permission is memberofindirect, a
>>> virtual attribute manufactured by ldap2, which is set when a permission
>>> is part of a role.
>>> When update_entry is called on an entry with memberofindirect, ipaldap
>>> tries to add the attribute to LDAP and fails with an objectclass violation.
>>>
>>> Do not ask for memberindirect when retrieving the entry.
>>>
>>>
>>>
>>> CCing Honza since he designs ipaldap. Virtual attributes are often
>>> helpful, and in any case IPA uses them a lot and having to filter them
>>> out every time is error-prone.
>>> Maybe we should add support for them directly in ipaldap -- e.g. an
>>> attribute set by `entry.virtual[attr_name] = [x]` would be visible in
>>> entry[attr_name] but would not be synced back to LDAP?
>>>
>>
>> I would prefer if we stopped abusing LDAPEntry to handle non-LDAP stuff
>> in the future. Your suggestion works in sort of opposite direction, so I
>> can't say I like it.
>>
>> Currently we use LDAPEntry in frontend code directly, but I think that's
>> wrong. There should be a frontend-specific class for this (make
>> ipalib.frontend.Object instantiable?) and LDAPEntry should be used
>> (almost) only in backend code.
>
> +1
>
> Simo.

We are then stuck with Petr's original patch 518 - ACK from me.

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipafirstname.lastname@example.org
https://www.redhat.com/mailman/listinfo/freeipa-devel
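
The failure reported in this thread, and the `entry.virtual` idea floated in it, as an added sketch that is not ipaldap code and not part of any message above. `Entry`, `modlist`, `apply_mods` and the allowed-attribute set are hypothetical stand-ins, and the schema check is a toy model of the directory's objectclass validation.

```python
# Constructed sketch; none of these names are ipaldap or ldap2 APIs.
ALLOWED = {"cn", "member", "memberof", "description"}  # toy schema subset


class ObjectClassViolation(Exception):
    """Stands in for the directory's error on a disallowed attribute."""


class Entry:
    """Virtual attributes are readable here but never written back."""

    def __init__(self, dn, stored):
        self.dn = dn
        self.stored = dict(stored)  # values read from the directory
        self._orig = {k: list(v) for k, v in stored.items()}
        self.virtual = {}  # computed values such as memberofindirect

    def __getitem__(self, name):
        if name in self.virtual:
            return self.virtual[name]
        return self.stored[name]

    def modlist(self, include_virtual=False):
        """Return (op, attr, values) tuples for changed attributes."""
        current = dict(self.stored)
        if include_virtual:  # the behaviour that fails in the report
            current.update(self.virtual)
        mods = []
        for attr in sorted(set(current) | set(self._orig)):
            old, new = self._orig.get(attr), current.get(attr)
            if old == new:
                continue
            if new is None:
                mods.append(("delete", attr, old))
            elif old is None:
                mods.append(("add", attr, new))
            else:
                mods.append(("replace", attr, new))
        return mods


def apply_mods(mods):
    """Toy server check: reject attributes the schema does not allow."""
    for _op, attr, _values in mods:
        if attr.lower() not in ALLOWED:
            raise ObjectClassViolation(attr)
    return len(mods)
```

With `include_virtual=True` the computed attribute lands in the modify list and the toy server rejects it; the default keeps it readable through `entry[...]` while only stored attributes are diffed.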