Hello,

   Partially reverts commit of 04ea75a7a5109907ede2a0216bd39fac46a992c0

   The fix 04ea75a7a5109907ede2a0216bd39fac46a992c0 restricted the DNA
   scope to 'cn=accounts,SUFFIX' .
   This was invalid. If you run recent master instance (with that
   scoping) you may need to reinstall IPA or do the following:

       ldapmodify -h .. -p 389 -D "cn=directory manager" -w xxx
       dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
       changetype: modify
       replace: dnaScope
       dnaScope: $SUFFIX

       ipactl restart

   Thanks Sumit for this catch. The new patch reverts the change in the dna
   update.

   thierry

On 08/28/2014 08:58 PM, Sumit Bose wrote:
On Thu, Aug 28, 2014 at 08:41:57PM +0200, thierry bordaz wrote:
On 08/28/2014 08:30 PM, Sumit Bose wrote:
On Thu, Aug 28, 2014 at 07:26:51PM +0200, thierry bordaz wrote:
On 08/28/2014 06:51 PM, Sumit Bose wrote:
On Thu, Aug 14, 2014 at 07:18:40PM +0200, thierry bordaz wrote:
Hello,

    Following Petr remarks from the previous review, I modified the
    original fix to move it only in '.update' files.

    Thanks
    thierry

 From d45e78dfeb7761348c464b3bb3956656bb115ce0 Mon Sep 17 00:00:00 2001
From: "Thierry bordaz (tbordaz)" <tbor...@redhat.com>
Date: Thu, 7 Aug 2014 16:29:02 +0200
Subject: [PATCH] User Life Cycle: create containers and scoping  DS plugins

User Life Cycle is designed at
http://www.freeipa.org/page/V4/User_Life-Cycle_Management
It manages 3 containers (Staging, Active, Delete). At install/upgrade Delete
and Staging containers need to be created.
                Active: cn=users,cn=accounts,$SUFFIX
                Delete: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
                Stage:  cn=staged users ,cn=accounts,cn=provisioning,$SUFFIX

Plugins scopes:
                krbPrincipalName, krbCanonicalName, ipaUniqueID, uid:
                        cn=accounts,SUFFIX
                        cn=deleted users,cn=accounts,cn=provisioning,SUFFIX
                DNA:
                        cn=accounts,SUFFIX
Hi Thierry,

sorry for being late, but cn=accounts,SUFFIX is too strict for the DNA
plugin. We need to generate a UID for the trusted domain objects as
well which are stored in cn=trusts,SUFFIX. The reason is that AD
expects to be able to connect with a special trusted domain account. We
generate this account on the fly based on the data in the trusted domain
object hence we need a UID here.

Since it looks like dnaScope is a SINGLE-VALUE attribute I think
dnaScope has to be reverted to SUFFIX. Do you see any drawbacks or a
different solution?

bye,
Sumit
Hello Sumit,

    Thank you so much for having reviewed this fix and your important
    feedback!

    Yes, I had the same fear about restricting DNA to 'accounts'. I opened
    https://fedorahosted.org/389/ticket/47828
    to allow excluding a part of the DIT (here
    'cn=provisioning,SUFFIX') from the scope of the DNA plugin.
    Do you think it can address this concern?
Yes, in general this would fix the issue. I'm just wondering if it
wouldn't be easier with respect to coding and management to make
dnaScope a multi-value attribute?

Additionally a fix for IPA master is needed to make trusts work again.
Would it be possible to tweak the filter to skip objects in
cn=provisioning? E.g. do those objects have the ipaObject objectclass?
Yes, stage entries have 'objectclass=ipaObject'.
Do you suggest removing this oc from staged entries, so that the filter
will not match it? I have to check the impact of staged users not being
ipaObject.
no, it was just a suggestion. Maybe we can use entryDN like:

(&(|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDobject))(!(entrydn=*cn=provisioning*)))

bye,
Sumit

thanks
thierry
bye,
Sumit

    thanks
    thierry

                Plugins exclude subtree:
                IPA UUID, Referential Integrity, memberOf:
                        cn=provisioning,SUFFIX

Reviewed-By: Petr Viktorin <pvikt...@redhat.com>

https://fedorahosted.org/freeipa/ticket/3813
---
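As an added example that is not part of this thread or of the FreeIPA code, the following Python model reproduces the scope-plus-filter decision discussed above: it assumes a placeholder SUFFIX, constructed DNs for an active user, a staged user and a trusted-domain object, and a simplified reading of the DNA filter, and shows why 'cn=accounts,SUFFIX' misses the trust object while SUFFIX combined with the entrydn exclusion Sumit proposed keeps staged users out.

```python
# Added example, not code from the patch or the thread: a model of how the
# 389-ds DNA plugin picks entries to allocate IDs for, as a dnaScope check
# (entry at or below the scope) plus a filter match. DNs are constructed
# samples and SUFFIX is a placeholder; the entrydn exclusion is Sumit's variant.

SUFFIX = "dc=example,dc=test"

# Constructed entries: active user, staged user under cn=provisioning, trust object.
ENTRIES = {
    "active_user": {"dn": "uid=auser,cn=users,cn=accounts," + SUFFIX,
                    "objectClass": ["posixAccount", "ipaObject"]},
    "staged_user": {"dn": "uid=suser,cn=staged users,cn=accounts,cn=provisioning," + SUFFIX,
                    "objectClass": ["posixAccount", "ipaObject"]},
    "trust_object": {"dn": "cn=ad.example.test,cn=ad,cn=trusts," + SUFFIX,
                     "objectClass": ["ipaIDobject"]},
}

ID_CLASSES = {"posixaccount", "posixgroup", "ipaidobject"}

def norm_dn(dn):
    """Split a DN into lower-cased RDN components with surrounding spaces removed."""
    return [rdn.strip().lower() for rdn in dn.split(",")]

def in_scope(dn, scope):
    """True when dn equals the scope DN or lies below it (RDN suffix match)."""
    d, s = norm_dn(dn), norm_dn(scope)
    return len(d) >= len(s) and d[-len(s):] == s

def dna_filter_matches(entry, exclude_provisioning):
    """(|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDobject)),
    optionally AND-ed with (!(entrydn=*cn=provisioning*)); the entrydn substring
    test is approximated as 'cn=provisioning' being one RDN of the entry DN."""
    if not ID_CLASSES & {oc.lower() for oc in entry["objectClass"]}:
        return False
    if exclude_provisioning and "cn=provisioning" in norm_dn(entry["dn"]):
        return False
    return True

def dna_assigns(entry, scope, exclude_provisioning=False):
    """Would DNA allocate an ID to this entry under the given scope and filter?"""
    return in_scope(entry["dn"], scope) and dna_filter_matches(entry, exclude_provisioning)

def assignment_table(scope, exclude_provisioning=False):
    """Map each sample entry name to whether DNA would assign it an ID."""
    return {name: dna_assigns(e, scope, exclude_provisioning) for name, e in ENTRIES.items()}

if __name__ == "__main__":
    for scope, excl in (("cn=accounts," + SUFFIX, False), (SUFFIX, False), (SUFFIX, True)):
        print(scope, "+ entrydn exclusion" if excl else "", assignment_table(scope, excl))
```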

From 7cd6cbc9bcb970e63712df98b1fc206727e1eb8b Mon Sep 17 00:00:00 2001
From: "Thierry bordaz (tbordaz)" <tbor...@redhat.com>
Date: Fri, 29 Aug 2014 15:35:43 +0200
Subject: [PATCH] User Life Cycle: DNA scopes full SUFFIX

In patch 0001-3, the DNA plugin configuration was changed to scope only 'cn=accounts,SUFFIX'.
This part of the fix was invalid as trust domain objects (that need uid/gid allocation)
are under 'cn=trust,SUFFIX'. Revert that part of the fix.
Waiting on https://fedorahosted.org/389/ticket/47828 to exclude provisioning containers.

https://fedorahosted.org/freeipa/ticket/3813
---
 install/updates/20-dna.update | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/install/updates/20-dna.update b/install/updates/20-dna.update
index 719195e9214ac293a3729f389504f39b46cd1aa2..04047dd12787e589953e4f938a03d868de3ae93e 100644
--- a/install/updates/20-dna.update
+++ b/install/updates/20-dna.update
@@ -2,11 +2,9 @@
 dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
 only:nsslapd-pluginEnabled: on
 
-# Change the magic value to -1 and restrict DNA to active accounts
+# Change the magic value to -1
 dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
 only:dnaMagicRegen: -1
-remove:dnaScope: '$SUFFIX'
-add:dnaScope: 'cn=accounts,$SUFFIX'
 
 dn: cn=ipa-winsync,cn=plugins,cn=config
 remove:ipaWinSyncUserAttr: uidNumber 999
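Review bot: dropping the `remove:dnaScope: '$SUFFIX'` / `add:dnaScope: 'cn=accounts,$SUFFIX'` pair only keeps fresh installs and not-yet-upgraded masters from narrowing the scope; an instance that already applied patch 0001-3 keeps `dnaScope: cn=accounts,$SUFFIX`, since nothing in this hunk writes '$SUFFIX' back, which is why the cover mail has to ask for a manual ldapmodify or a reinstall. Consider adding a directive in this update file that resets an existing 'cn=accounts,$SUFFIX' value to '$SUFFIX' so upgraded masters get trusts working again on `ipa-upgradeconfig`/restart without manual steps, and a one-line comment next to the remaining `only:dnaMagicRegen: -1` noting that the scope is deliberately left at the suffix pending 389 ticket 47828.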
-- 
1.7.11.7

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
