On 04.08.2016 17:49, Alexander Bokovoy wrote:

I've stumbled into an interesting problem.

Suppose, I have a plugin that adds schema and a subtree where entries it
manages will be stored. This subtree will have ACIs applied based on the
plugin permissions' configuration. Now, I put schema file in
/usr/ipa/share, and updates file in /usr/share/ipa/updates, and also add
plugin code to the ipaserver/plugins/ (let's say, rpm does it for me).
Next, I want to install IPA server. The install will run through up to
server upgrade phase which will fail because generation of ACIs will
reference schema attributes/classes which aren't loaded to the dirsrv by
installer. How to solve it?
Installer uses hard-coded list of schema files and this is a third-party
plugin, it needs to extend the list of active schema files.

If we can define a place where third-party plugins could drop schema and
we just load everything from there before processing updates, it would
probably be enough.

TLDR: you don't without modifications in current IPA code, or it will be huge hack

I think, this is a part of "Support of 3rd party plugins" effort, but it has not been designed yet. I would like to avoid any ad-hoc solution. Maybe we should create a desing page and gathering requirements, you have a lot of them already :).


Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to