On 10/06/2015 07:19 AM, David Kupka wrote:
On 05/10/15 16:12, Simo Sorce wrote:
On 05/10/15 09:00, Martin Babinsky wrote:
These patches implement the plumbing required to properly support
canonicalization of Kerberos principals (

Setting multiple principal aliases on hosts/services is beyond the scope
of this patchset and should be done after these patches are pushed.

I will try to send some tests for the patches later this week.

Please review the hell out of them.

LGTM, I do not see any issue at quick visual inspection.
What about the performance regression with the indexes ? Is that bug
fixed in 389ds ?


The issue is still there. Thierry investigated this in 389 DS and IIUC he is not sure if it's bug or completely missing feature. Therefore we still don't know how much time is needed there.

that is correct.
I can reproduce the problem. Although the matching rule (in my test caseIgnoreIA5Match) is found, it has no registered indexing function, so the setting (nsMatchingRule) is ignored. I do not know if the indexing function is missing or there is a bug so that the matching rule "forget" to register it. This feature is documented but I can not find any QA test around it, so I do not know yet if it is a regression or if it was not enabled at all.

I do not expect rapid progress on it. How urgent is it ? 7.3 ?
For the moment I can think to only two workarounds:

 * use filtered matching rule (preferred)
 * change the attribute syntax/matching rule, in the schema (I would
   discourage this one because changing the schema is risky)

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to