Re: [Freeipa-devel] [PATCH] 0003-2 User life cycle: new stageuser plugin with add verb
Hi,

On 4.2.2015 at 15:25, David Kupka wrote:

> On 02/03/2015 11:50 AM, thierry bordaz wrote:
>> On 09/17/2014 12:32 PM, thierry bordaz wrote:
>>> On 09/01/2014 01:08 PM, Petr Viktorin wrote:
>>>> On 08/08/2014 03:54 PM, thierry bordaz wrote:
>>>>> Hi,
>>>>>
>>>>> The attached patch is related to 'User Life Cycle' (https://fedorahosted.org/freeipa/ticket/3813). It creates a stageuser plugin with a first function, stageuser-add. Stage user entries are provisioned under 'cn=staged users,cn=accounts,cn=provisioning,SUFFIX'.
>>>>>
>>>>> Thanks
>>>>> thierry
>>>>
>>>> Avoid `from ipalib.plugins.baseldap import *` in new code; instead import the module itself and use e.g. `baseldap.LDAPObject`.
>>>>
>>>> The stageuser help (docstring) is copied from the user plugin, and discusses things like account lockout and disabling users. It should rather explain what stageuser itself does. (And I don't very much like the Note about the interface being badly designed...) Also decide if the docs should call it staged user or stage user or stageuser.
>>>>
>>>> A lot of the code is copied and pasted over from the users plugin. Don't do that. Either import things (e.g. validate_nsaccountlock) from the users plugin, or move the reused code into a shared module. For the `user` object, since so much is the same, it might be best to create a common base class for user and stageuser; and similarly for the Command plugins.
>>>>
>>>> The default permissions need different names, and you don't need another copy of the 'non_object' ones. Also, run the makeaci script.
>>>
>>> Hello,
>>>
>>> This modified patch is mainly moving the common base class into a new plugin: accounts.py. The user/stageuser plugins inherit from accounts. It also creates a better description of what stage users are and how to add a new stage user, updates ACI.txt and separates active/stage user managed permissions.
>>>
>>> thanks
>>> thierry
>>>
>>> ___
>>> Freeipa-devel mailing list
>>> Freeipa-devel@redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>
>> Thanks David for the reviews.
>> Here are the last patches
>
> The freeipa-tbordaz-0002 patch had trailing whitespace on a few lines so I'm attaching a fixed version (and the unchanged patch freeipa-tbordaz-0003-3 to keep them together).
>
> The ULC feature is still WIP but these patches look good to me and don't break anything as far as I tested. We should push them now to avoid further rebases. Thierry can then prepare other patches delivering the rest of ULC functionality.

A few comments from just reading the patches:

1) I would name the base class baseuser, account does not necessarily mean user account.

2) This is very wrong:

-class user_add(LDAPCreate):
+class user_add(user, LDAPCreate):

You are creating a plugin which is both an object and a command.

3) This is purely subjective, but I don't like the name deleteuser, as it has a verb in it. We usually don't do that and IMHO we shouldn't do that.

Honza

--
Jan Cholasta
Re: [Freeipa-devel] [PATCH] 0003-2 User life cycle: new stageuser plugin with add verb
On 02/03/2015 11:50 AM, thierry bordaz wrote:
> On 09/17/2014 12:32 PM, thierry bordaz wrote:
>> On 09/01/2014 01:08 PM, Petr Viktorin wrote:
>>> On 08/08/2014 03:54 PM, thierry bordaz wrote:
>>>> Hi,
>>>>
>>>> The attached patch is related to 'User Life Cycle' (https://fedorahosted.org/freeipa/ticket/3813). It creates a stageuser plugin with a first function, stageuser-add. Stage user entries are provisioned under 'cn=staged users,cn=accounts,cn=provisioning,SUFFIX'.
>>>>
>>>> Thanks
>>>> thierry
>>>
>>> Avoid `from ipalib.plugins.baseldap import *` in new code; instead import the module itself and use e.g. `baseldap.LDAPObject`.
>>>
>>> The stageuser help (docstring) is copied from the user plugin, and discusses things like account lockout and disabling users. It should rather explain what stageuser itself does. (And I don't very much like the Note about the interface being badly designed...) Also decide if the docs should call it staged user or stage user or stageuser.
>>>
>>> A lot of the code is copied and pasted over from the users plugin. Don't do that. Either import things (e.g. validate_nsaccountlock) from the users plugin, or move the reused code into a shared module. For the `user` object, since so much is the same, it might be best to create a common base class for user and stageuser; and similarly for the Command plugins.
>>>
>>> The default permissions need different names, and you don't need another copy of the 'non_object' ones. Also, run the makeaci script.
>>
>> Hello,
>>
>> This modified patch is mainly moving the common base class into a new plugin: accounts.py. The user/stageuser plugins inherit from accounts. It also creates a better description of what stage users are and how to add a new stage user, updates ACI.txt and separates active/stage user managed permissions.
>>
>> thanks
>> thierry
>
> Thanks David for the reviews.
> Here are the last patches

The freeipa-tbordaz-0002 patch had trailing whitespace on a few lines so I'm attaching a fixed version (and the unchanged patch freeipa-tbordaz-0003-3 to keep them together).

The ULC feature is still WIP but these patches look good to me and don't break anything as far as I tested. We should push them now to avoid further rebases. Thierry can then prepare other patches delivering the rest of ULC functionality.

--
David Kupka

From 0aa8d71acfb6ae63c5cb9a8ab02ad67c7d15a430 Mon Sep 17 00:00:00 2001
From: Thierry bordaz (tbordaz) tbor...@redhat.com
Date: Fri, 8 Aug 2014 09:37:23 +0200
Subject: [PATCH] User Life Cycle: Exclude subtree for ipaUniqueID generation

IPA UUID should not generate ipaUniqueID for entries under 'cn=provisioning,SUFFIX'
Add in the configuration the ability to set (optional) 'ipaUuidExcludeSubtree'

https://fedorahosted.org/freeipa/ticket/3813
---
 daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c | 16
 1 file changed, 16 insertions(+)

diff --git a/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c b/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c index 93da0f15b8acfc02beddf4e884a735897a7513fe..ffade14672e8cd9e3f3e18d45a0a7095a6341d30 100644 --- a/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c +++ b/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c @@ -64,6 +64,7 @@ #define IPAUUID_GENERATE ipaUuidMagicRegen #define IPAUUID_FILTER ipaUuidFilter #define IPAUUID_SCOPEipaUuidScope +#define IPAUUID_EXCLUDE_SUBTREE ipaUuidExcludeSubtree #define IPAUUID_ENFORCE ipaUuidEnforce #define IPAUUID_FEATURE_DESC IPA UUID @@ -91,6 +92,7 @@ struct configEntry { Slapi_Filter *slapi_filter; char *generate; char *scope; +char *exclude_subtree; bool enforce; };
@@ -537,6 +539,10 @@ ipauuid_parse_config_entry(Slapi_Entry * e, bool apply) } LOG_CONFIG(-- %s [%s]\n, IPAUUID_SCOPE, entry-scope); +value = slapi_entry_attr_get_charptr(e, IPAUUID_EXCLUDE_SUBTREE); +entry-exclude_subtree = value; +LOG_CONFIG(-- %s [%s]\n, IPAUUID_EXCLUDE_SUBTREE, entry-exclude_subtree); + entry-enforce = slapi_entry_attr_get_bool(e, IPAUUID_ENFORCE); LOG_CONFIG(-- %s [%s]\n, IPAUUID_ENFORCE, entry-enforce ? True : False); @@ -640,6 +646,10 @@ ipauuid_free_config_entry(struct configEntry **entry) slapi_ch_free_string(e-scope); } +if (e-exclude_subtree) { +slapi_ch_free_string(e-exclude_subtree); +} + slapi_ch_free((void **)entry); } @@ -918,6 +928,12 @@ static int ipauuid_pre_op(Slapi_PBlock *pb, int modtype) } } +if (cfgentry-exclude_subtree) { +if (slapi_dn_issuffix(dn, cfgentry-exclude_subtree)) { +continue; +} +} + /*
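Review bot: the @@ -64,6 +64,7 @@ hunk introduces the ipaUuidExcludeSubtree configuration attribute, yet the diffstat shows only ipa_uuid.c changing, so nothing in this patch sets that attribute on the IPA UUID plugin's configuration entry; the exclusion of entries under cn=provisioning,SUFFIX promised in the commit message will not happen on an installed or upgraded server until the install/update LDIF for that plugin entry is changed as well. Either include that change here or state in the commit message that it comes in a follow-up patch.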
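Review bot: in the @@ -537,6 +539,10 @@ hunk, LOG_CONFIG("-- %s [%s]\n", IPAUUID_EXCLUDE_SUBTREE, entry->exclude_subtree) runs even when the optional attribute is absent, in which case slapi_entry_attr_get_charptr() has returned NULL and a NULL pointer is passed to a %s conversion. Guard the log line with `if (entry->exclude_subtree)` (or print a fixed "not set" marker in an else branch), mirroring the NULL check the @@ -640,6 +646,10 @@ hunk already does before freeing the string.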
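Review bot: the @@ -918,6 +928,12 @@ hunk skips the config entry without logging when slapi_dn_issuffix(dn, cfgentry->exclude_subtree) matches, so an entry under the excluded subtree that ends up without an ipaUniqueID leaves no trace of why the plugin stayed out of the way. Add a trace-level log line naming the excluded subtree before the continue. The two nested ifs can also be folded into one condition, `if (cfgentry->exclude_subtree && slapi_dn_issuffix(dn, cfgentry->exclude_subtree)) continue;`, which reads more easily.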
Re: [Freeipa-devel] [PATCH] Fix for 4861
On Tue, 03 Feb 2015, Simo Sorce wrote:
> See subject :-)
>
> --
> Simo Sorce * Red Hat, Inc. * New York
>
> From 245b307a99722bd4ca61e799f1a2708b6689f773 Mon Sep 17 00:00:00 2001
> From: Simo Sorce s...@redhat.com
> Date: Tue, 3 Feb 2015 12:06:24 -0500
> Subject: [PATCH] Handle DAL ABI change in MIT 1.13
>
> In this new MIT version the DAL interface changes slightly but KRB5_KDB_DAL_MAJOR_VERSION was not changed. Luckily KRB5_KDB_API_VERSION did change and that's enough to know what to compile in.
>
> Resolves: https://fedorahosted.org/freeipa/ticket/4861
> Signed-off-by: Simo Sorce s...@redhat.com
> ---
>  daemons/ipa-kdb/ipa_kdb.h| 7 +++
>  daemons/ipa-kdb/ipa_kdb_principals.c | 7 +++
>  2 files changed, 14 insertions(+)
>
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h index b92107bab5a259601160a402c54fa8ed440925b3..ba9968bce7cff87f9f4a7fcd056ff7a906ce9e82 100644 --- a/daemons/ipa-kdb/ipa_kdb.h +++ b/daemons/ipa-kdb/ipa_kdb.h @@ -182,10 +182,17 @@ krb5_error_code ipadb_put_principal(krb5_context kcontext, char **db_args); krb5_error_code ipadb_delete_principal(krb5_context kcontext, krb5_const_principal search_for); +#if KRB5_KDB_API_VERSION 8 krb5_error_code ipadb_iterate(krb5_context kcontext, char *match_entry, int (*func)(krb5_pointer, krb5_db_entry *), krb5_pointer func_arg); +#else +krb5_error_code ipadb_iterate(krb5_context kcontext, + char *match_entry, + int (*func)(krb5_pointer, krb5_db_entry *), + krb5_pointer func_arg, krb5_flags iterflags); +#endif /* POLICY FUNCTIONS */ diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c index e158c236eab5c7c5a7c12664dbde5d51cc55406d..600c4ee41c74a2fc154a5372ad3e3b4e8b94a635 100644 --- a/daemons/ipa-kdb/ipa_kdb_principals.c +++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -2087,10 +2087,17 @@ done: return kerr; } +#if KRB5_KDB_API_VERSION 8 krb5_error_code ipadb_iterate(krb5_context kcontext, char *match_entry, int (*func)(krb5_pointer, krb5_db_entry *), krb5_pointer func_arg) +#else +krb5_error_code ipadb_iterate(krb5_context kcontext, + char *match_entry, + int (*func)(krb5_pointer, krb5_db_entry *), + krb5_pointer func_arg, krb5_flags iterflags) +#endif { struct ipadb_context *ipactx; krb5_error_code kerr;

ACK. I think we need this patch in both master and ipa-4-1. There is no functional change and I'd like to keep the code in plugins synchronized across branches if possible to avoid maintenance hurdles in the future.

--
/ Alexander Bokovoy
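Review bot: the @@ -182,10 +182,17 @@ hunk in ipa_kdb.h keys the two ipadb_iterate() prototypes on KRB5_KDB_API_VERSION, but the reason given in the commit message (KRB5_KDB_DAL_MAJOR_VERSION was not bumped for the MIT 1.13 DAL change) is nowhere in the code. Put a one-line comment above the #if saying that API version 8 is where the iterate callback gained the iterflags argument, so nobody later "simplifies" this back to a DAL major version check. Since the ipa_kdb_principals.c hunk repeats the identical conditional around the definition, a single feature macro defined once in the header would keep the declaration and definition from drifting apart.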
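Review bot: in the @@ -2087,10 +2087,17 @@ hunk of ipa_kdb_principals.c the new `krb5_flags iterflags` parameter is added to the definition only; the file's diffstat (7 insertions, all in the signature) shows the body never looks at it, so whatever iteration mode the KDC requests is silently ignored. If ignoring the flags is intended for the LDAP backend, say so in a short comment (and add `(void)iterflags;` to keep unused-parameter warnings quiet); otherwise return an error for flag values this backend does not implement rather than appearing to honour them.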