On Thu, 09 Oct 2014, Martin Kosek wrote:
On 10/09/2014 01:02 PM, Alexander Bokovoy wrote:
On Thu, 09 Oct 2014, Alexander Bokovoy wrote:
On Thu, 09 Oct 2014, Martin Kosek wrote:
On 10/09/2014 09:33 AM, Ludwig Krispenz wrote:
all the issues I found are fixed, for me it's ACK

On 10/08/2014 07:50 PM, Alexander Bokovoy wrote:
On Tue, 07 Oct 2014, Ludwig Krispenz wrote:
Hi Alex,

I have a question regarding cbdata.target. It is/was a reference to the
pblock used to generate a new dn, but now in
idview_replace_target_dn(&cbdata.target,...) it can be newly allocated and
should be freed, so I think there should be a return code indicating if it
was allocated or not.
Yes, good catch.

I've fixed this and other issues raised in the review.

I also fixed an issue with an initial lookup by an override. If someone
does a search by an override, we would replace uid|cn=<value> by
uid=<ipaOriginalUid value> if it exists and by <ipaAnchorUUID value>
otherwise -- for groups we don't have ipaOriginalUid as they don't have
uids. Now, the filter would look like (ipaAnchorUUID=:SID:S-...) and if
there is no entry in the map cache, the search will return nothing, the
entry will be staged for lookup through SSSD.

In the original version lookup in SSSD didn't take ipaAnchorUUID into
account, so the entry would not be found at all. I did add a call to
do sid2name first and then use the name to perform actual SSSD lookup.

Works nicely now.

New patch for slapi-nis is attached.

Great! What is the next step? If Nalin (CCed) is OK with the slapi-nis changes
as well, it would be great to have that pushed there.

Alexander, do you plan to do any other changes in slapi-nis in scope of FreeIPA
4.1? When the changes are ready, it would be nice to get slapi-nis released so
that we can bump FreeIPA slapi-nis requires.
No more changes are planned right now. If Nalin would grant me write
access to slapi-nis.git on fedorahosted.org, I can handle release in Fedora
Never say never. The moment I sent this email, I realized I need
to fix https://bugzilla.redhat.com/show_bug.cgi?id=1130131

The patch is sent in a separate email.

Seen that, thanks! BTW what about

#4435   Trusted AD users are not resolvable in netgroups
#4403   [RFE] compat tree: show AD members of IPA groups

do you see this also as something that would fit in slapi-nis in 4.1?
I don't think I'll be able to fix them before 4.1. Netgroups support
requires creating additional configuration and in theory could be
simple but needs a lot of care (escaping of embedded string delimiters).
Additionally, netgroups will not yet work with views properly, this is
something that requires more time.

AD members of IPA groups needs more work too as we have no means yet to
pick up and resolve ipaExternalMember in slapi-nis.
/ Alexander Bokovoy
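
The ownership question raised about cbdata.target earlier in this thread, shown as an added C example that is not part of the original message or of the slapi-nis patch: a function that may swap a borrowed pointer for a newly allocated one reports that through its return code, and the caller frees only in that case. The names rewrite_target, handle_search, VIEW_PREFIX and the TARGET_* codes are hypothetical, and the DN strings are constructed sample input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical names for illustration; this is not the slapi-nis API. */
enum { TARGET_ERROR = -1, TARGET_BORROWED = 0, TARGET_ALLOCATED = 1 };

/* Constructed marker: a target that starts with this gets rewritten. */
static const char VIEW_PREFIX[] = "cn=v1,cn=views,";

/* May replace *target with a heap copy that drops VIEW_PREFIX.
 * The return code tells the caller who owns *target afterwards. */
int rewrite_target(char **target)
{
    size_t plen = sizeof(VIEW_PREFIX) - 1;
    if (strncmp(*target, VIEW_PREFIX, plen) != 0)
        return TARGET_BORROWED;      /* untouched, still owned elsewhere */

    size_t n = strlen(*target + plen) + 1;
    char *copy = malloc(n);
    if (copy == NULL)
        return TARGET_ERROR;         /* *target is left unchanged */
    memcpy(copy, *target + plen, n);
    *target = copy;
    return TARGET_ALLOCATED;         /* caller must free(*target) */
}

/* Caller side: use the effective target, then free it only if the callee
 * allocated it. Copies the target into out and returns the ownership code. */
int handle_search(char *borrowed, char *out, size_t out_len)
{
    char *target = borrowed;
    int rc = rewrite_target(&target);
    if (rc == TARGET_ERROR)
        return rc;
    snprintf(out, out_len, "%s", target);
    if (rc == TARGET_ALLOCATED)
        free(target);                /* never free the borrowed pointer */
    return rc;
}

int main(void)
{
    char out[128];
    char plain[] = "cn=users,cn=compat,dc=example,dc=test";       /* constructed */
    char viewed[] = "cn=v1,cn=views,cn=compat,dc=example,dc=test"; /* constructed */
    int rc = handle_search(plain, out, sizeof out);
    printf("%d %s\n", rc, out);
    rc = handle_search(viewed, out, sizeof out);
    printf("%d %s\n", rc, out);
    return 0;
}
```

Without the return code the caller has to guess: always freeing breaks the borrowed case, never freeing leaks the rewritten one.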

Freeipa-devel mailing list