On Tue, 21 Oct 2014, Martin Kosek wrote:
On 10/20/2014 08:25 PM, Alexander Bokovoy wrote:

This patch is for the ipa-4-1 branch to enable the uniqueness plugin for the uid
attribute for entries with objectclass posixAccount.

We don't have uid uniqueness enforced in FreeIPA < 4.1 yet, but for
posixAccounts it worked due to our design of a flat tree: as the uid attribute
is part of the DN, renaming user entries enforces uniqueness, as MODRDN will
fail if an entry with the same uid already exists.

However, it is not enough for ID views -- we should be able to allow
ID view overrides for the same uid across multiple views and we should
be able to protect uid uniqueness more generally too.

Implementation is done via an update plugin that checks for an existing uid
uniqueness plugin and, if it is missing, it will be added. If the plugin
exists, its configuration will be updated.

I haven't added an update specific to git master, where the staging subtree is
added, but I'll do that after the FreeIPA 4.1 release, as in 4.1 we don't yet
have the staging subtree. Currently master has a broken setup for the uid
uniqueness plugin that doesn't actually work anyway, so it will be easier
to add an upgrade over a properly configured entry.


Hi Alexander,

Thanks for the patch! However, I am personally not very confident with merging
it right before the 4.1 release. I thought it would be a simple update definition,
while this is a complex upgrade script which needs to be properly tested.

I would rather wait for 4.1.x, especially given it does not block any 4.1 major
feature in any way.

I disagree on it for multiple reasons, and one of them is that 'a simple
update definition' is not right here. The attribute uniqueness plugin
supports three different types of setting its own arguments. These types
aren't mixable; you have to switch from one to another. That's why an
update plugin is the correct approach here.

The update plugin I've written is very simple by itself.
/ Alexander Bokovoy

Freeipa-devel mailing list
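
The check-then-add-or-update logic and the non-mixable argument styles discussed in this thread, as an added example; it is not the patch from the thread and not FreeIPA's code. It assumes the 389 Directory Server attribute uniqueness settings `nsslapd-pluginargN` and `uniqueness-*`; the style labels, function names, target style and sample entries are hypothetical.

```python
# Added example: decide add/modify for a uid uniqueness plugin entry so that
# exactly one argument style remains. Only the uniqueness settings are
# modelled; fixed plugin attributes (cn, plugin path, ...) are left out.
ARG = "nsslapd-pluginarg"
NAMED = ("uniqueness-attribute-name", "uniqueness-subtrees",
         "uniqueness-top-entry-oc", "uniqueness-subtree-entries-oc",
         "uniqueness-across-all-subtrees")
KEYWORDS = ("attribute", "markerobjectclass", "requiredobjectclass")


def plugin_args(entry):
    """Return nsslapd-pluginargN values ordered by N."""
    found = {}
    for key, value in entry.items():
        index = key.lower()[len(ARG):]
        if key.lower().startswith(ARG) and index.isdigit():
            found[int(index)] = value
    return [found[n] for n in sorted(found)]


def config_style(entry):
    """Classify which argument style an entry uses (labels are hypothetical)."""
    args = plugin_args(entry)
    named = any(k.lower() in NAMED for k in entry)
    if named and args:
        return "mixed"  # styles combined: needs a switch to one style
    if named:
        return "named"
    if any(a.split("=", 1)[0].lower() in KEYWORDS for a in args):
        return "keyword-args"
    return "positional-args" if args else "unconfigured"


def plan_update(entry, suffix, attr="uid", objectclass="posixAccount"):
    """Return (action, settings); action is 'add', 'modify' or 'none'."""
    wanted = {"uniqueness-attribute-name": attr,
              "uniqueness-subtrees": suffix,
              "uniqueness-subtree-entries-oc": objectclass}
    if entry is None:  # plugin entry missing: add it
        return "add", wanted
    # Drop every old argument and stale named setting before applying ours,
    # so the result can never be classified as "mixed".
    kept = {k: v for k, v in entry.items()
            if not k.lower().startswith(ARG) and k.lower() not in NAMED}
    updated = {**kept, **wanted}
    return ("none" if updated == entry else "modify"), updated
```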
