On Tue, 07 Oct 2014, thierry bordaz wrote:
On 10/01/2014 06:16 PM, Alexander Bokovoy wrote:
Hi!

Attached are patches to add support of FreeIPA ID views to Schema
compatibility plugin (slapi-nis). There are two patches for FreeIPA and
a separate patch for slapi-nis. Patches can be applied independently; if
old slapi-nis is installed, it will simply work with new configuration
but do nothing with respect to answering to requests using host-specific
ID views.

I included documentation on how slapi-nis ID views feature supposed to
work, available in slapi-nis/doc/ipa/ipa-sch.txt. Any comments and fixes
are welcome. There are no additional tests in slapi-nis to cover compat
trees, we have multiple tests in FreeIPA for this purpose, will be run
as part of FreeIPA CI effort.

FreeIPA patches add ACIs for accessing ID view-applied entries over
compat tree. They also include additional configuration; this
configuration is needed to properly resolve ID view overrides when
creating compat entries.

A second FreeIPA patch adds support to override login shell. This part
was missing from the original patchset by Tomas.

For trusted AD users one needs patches to SSSD 1.12.2, made by Sumit
Bose. There is also a regression (fixed by Sumit as well) that prevents
authentication of AD users over PAM which affects authentication over
compat tree. With the patch from Sumit authentication works again, both
with ID view and without it.



_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Hi Alexander,

  Just a minor remark about idview_get_overrides. It does an internal
  search of the views and keep the returned views into
  cbdata->overrides. Later the entries will be freed. Internal search
  may also return referral arrays (usually freed by
  slapi_free_search_results_internal). In case cn=views container
  contains referral entries you may need to free them.
What would be a reason to return these referrals in IPA case? This code
is IPA-specific and we don't have any referrals for the tree or backend
we are dealing with. I agree it would be good to do in general but how
that is relevant to the specific use case?

  Also, I have a concern about performance. My understanding is that
  for each search, backend_search_cb allocates a new cbdata with
  uninitialized 'overrides'. So it will trigger the internal search
  idview_get_overrides.
  Most of the time those overrides rules have not been updated, so
  idview_get_overrides will retrieve the same entries.
  Wouldn't it be possible to 'cache' those entries (to prevent the
  internal search), and just clear those entries if a mod/add/del
  happen one them ?
I was thinking about using this approach but rejected it for several
reasons, primary due to lack of development time. We can do a lot of
refactoring on how slapi-nis currently uses RAM to store all compat
entries at the same time; the current approach with ID overrides tries
to not complicate that logic. We agreed with Simo to do performance
optimizations at a later stage.

--
/ Alexander Bokovoy

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to