On 10/01/2014 06:16 PM, Alexander Bokovoy wrote:

Attached are patches to add support for FreeIPA ID views to the Schema
compatibility plugin (slapi-nis). There are two patches for FreeIPA and
a separate patch for slapi-nis. Patches can be applied independently; if
an old slapi-nis is installed, it will simply work with the new configuration
but do nothing with respect to answering requests using host-specific
ID views.

I included documentation on how the slapi-nis ID views feature is supposed to
work, available in slapi-nis/doc/ipa/ipa-sch.txt. Any comments and fixes
are welcome. There are no additional tests in slapi-nis to cover compat
trees; we have multiple tests in FreeIPA for this purpose, which will be run
as part of the FreeIPA CI effort.

FreeIPA patches add ACIs for accessing ID view-applied entries over
compat tree. They also include additional configuration; this
configuration is needed to properly resolve ID view overrides when
creating compat entries.

A second FreeIPA patch adds support to override login shell. This part
was missing from the original patchset by Tomas.

For trusted AD users one needs patches to SSSD 1.12.2, made by Sumit
Bose. There is also a regression (fixed by Sumit as well) that prevents
authentication of AD users over PAM which affects authentication over
compat tree. With the patch from Sumit authentication works again, both
with ID view and without it.

Hello Alexander,

   A question about backend_search_filter_has_cn_uid.
   It checks if a filter component contains
   (uid|uidNumber|gidNumber|memberUid) and in this case returns
   SLAPI_FILTER_SCAN_STOP. This value will interrupt the filter rewriting.

   In addition, for each component it calls idview_process_filter_cb to
   override an attribute that needs to be overridden in the view.
   So I wonder if it will work for a filter like:

   (&(<attribute_to_override>=xxx) (uid=yyy))

   but will stop too early for



