On 10/06/2014 04:44 PM, Alexander Bokovoy wrote:
On Mon, 06 Oct 2014, Ludwig Krispenz wrote:
Hi Alex,

one quick comment:
I'm afraid the only case where slapi_search_internal_pb() returns -1 is if you don't provide a pblock. In all other cases it returns 0 and you have to check:
slapi_pblock_get(search_pb, SLAPI_PLUGIN_INTOP_RESULT, &result);
Uhm, there are a few more cases:

- when filter string is NULL;
- when scope is wrong
- when building a filter struct failed due to memory or syntax error
These are returns from search_internal_callback_pb(). But slapi_search_internal_pb() calls slapi_search_internal_pb() which just does:

    search_internal_callback_pb (pb, &psid, internal_plugin_result_callback,
                                 internal_plugin_search_entry_callback,
                                 internal_plugin_search_referral_callback);
    opresult = psid.rc;
    ...
and does not care what search_internal_callback_pb() returns.

If return from slapi_search_internal_pb() is 0, we at least got to
op_shared_search(), so we are dealing with the consequence of actually
running the search. I'll add one more check for the result (I had it in
one of the original versions before simplification), thanks.


Ludwig

Ludwig
On 10/01/2014 06:16 PM, Alexander Bokovoy wrote:
Hi!

Attached are patches to add support of FreeIPA ID views to Schema
compatibility plugin (slapi-nis). There are two patches for FreeIPA and
a separate patch for slapi-nis. Patches can be applied independently; if
old slapi-nis is installed, it will simply work with new configuration
but do nothing with respect to answering requests using host-specific
ID views.

I included documentation on how the slapi-nis ID views feature is supposed
to work, available in slapi-nis/doc/ipa/ipa-sch.txt. Any comments and fixes
are welcome. There are no additional tests in slapi-nis to cover compat
trees; we have multiple tests in FreeIPA for this purpose, which will be run
as part of the FreeIPA CI effort.

FreeIPA patches add ACIs for accessing ID view-applied entries over
compat tree. They also include additional configuration; this
configuration is needed to properly resolve ID view overrides when
creating compat entries.

A second FreeIPA patch adds support to override login shell. This part
was missing from the original patchset by Tomas.

For trusted AD users one needs patches to SSSD 1.12.2, made by Sumit
Bose. There is also a regression (fixed by Sumit as well) that prevents
authentication of AD users over PAM which affects authentication over
compat tree. With the patch from Sumit authentication works again, both
with ID view and without it.



_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

