Re: [Freeipa-devel] [PATCH] 0003-2 User life cycle: new stageuser plugin with add verb

2015-02-04 Thread Jan Cholasta

Hi,

Dne 4.2.2015 v 15:25 David Kupka napsal(a):

On 02/03/2015 11:50 AM, thierry bordaz wrote:

On 09/17/2014 12:32 PM, thierry bordaz wrote:

On 09/01/2014 01:08 PM, Petr Viktorin wrote:

On 08/08/2014 03:54 PM, thierry bordaz wrote:

Hi,

The attached patch is related to 'User Life Cycle'
(https://fedorahosted.org/freeipa/ticket/3813)

It creates a stageuser plugin with a first function stageuser-add. Stage
user entries are provisioned under
'cn=staged users,cn=accounts,cn=provisioning,SUFFIX'.

Thanks
thierry


Avoid `from ipalib.plugins.baseldap import *` in new code; instead
import the module itself and use e.g. `baseldap.LDAPObject`.

The stageuser help (docstring) is copied from the user plugin, and
discusses things like account lockout and disabling users. It should
rather explain what stageuser itself does. (And I don't very much
like the Note about the interface being badly designed...)
Also decide if the docs should call it staged user or stage user
or stageuser.

A lot of the code is copied and pasted over from the users plugin.
Don't do that. Either import things (e.g. validate_nsaccountlock)
from the users plugin, or move the reused code into a shared module.

For the `user` object, since so much is the same, it might be best to
create a common base class for user and stageuser; and similarly for
the Command plugins.

The default permissions need different names, and you don't need
another copy of the 'non_object' ones. Also, run the makeaci script.


Hello,

This modified patch mainly moves the common base class into a new
plugin: accounts.py. The user/stageuser plugins inherit from accounts.
It also adds a better description of what stage users are and how
to add a new stage user, updates ACI.txt and separates the active/stage
user managed permissions.

thanks
thierry






___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel



Thanks David for the reviews. Here are the last patches.







The freeipa-tbordaz-0002 patch had trailing whitespace on a few lines, so
I'm attaching a fixed version (and the unchanged patch freeipa-tbordaz-0003-3
to keep them together).

The ULC feature is still WIP but these patches look good to me and don't
break anything as far as I tested.
We should push them now to avoid further rebases. Thierry can then
prepare other patches delivering the rest of ULC functionality.


Few comments from just reading the patches:

1) I would name the base class baseuser; account does not
necessarily mean user account.


2) This is very wrong:

-class user_add(LDAPCreate):
+class user_add(user, LDAPCreate):

You are creating a plugin which is both an object and a command.

3) This is purely subjective, but I don't like the name deleteuser, as
it has a verb in it. We usually don't do that and IMHO we shouldn't do that.


Honza

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH] 0003-2 User life cycle: new stageuser plugin with add verb

2015-02-04 Thread David Kupka


The freeipa-tbordaz-0002 patch had trailing whitespace on a few lines, so
I'm attaching a fixed version (and the unchanged patch freeipa-tbordaz-0003-3
to keep them together).


The ULC feature is still WIP but these patches look good to me and don't
break anything as far as I tested.
We should push them now to avoid further rebases. Thierry can then
prepare other patches delivering the rest of ULC functionality.


--
David Kupka
From 0aa8d71acfb6ae63c5cb9a8ab02ad67c7d15a430 Mon Sep 17 00:00:00 2001
From: Thierry bordaz (tbordaz) tbor...@redhat.com
Date: Fri, 8 Aug 2014 09:37:23 +0200
Subject: [PATCH] User Life Cycle: Exclude subtree for ipaUniqueID generation

IPA UUID should not generate ipaUniqueID for entries under 'cn=provisioning,SUFFIX'

Add in the configuration the ability to set (optional) 'ipaUuidExcludeSubtree'

https://fedorahosted.org/freeipa/ticket/3813
---
 daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c | 16 
 1 file changed, 16 insertions(+)

diff --git a/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c b/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c
index 93da0f15b8acfc02beddf4e884a735897a7513fe..ffade14672e8cd9e3f3e18d45a0a7095a6341d30 100644
--- a/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c
+++ b/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c
@@ -64,6 +64,7 @@
 #define IPAUUID_GENERATE ipaUuidMagicRegen
 #define IPAUUID_FILTER   ipaUuidFilter
 #define IPAUUID_SCOPEipaUuidScope
+#define IPAUUID_EXCLUDE_SUBTREE  ipaUuidExcludeSubtree
 #define IPAUUID_ENFORCE  ipaUuidEnforce
 
 #define IPAUUID_FEATURE_DESC  IPA UUID
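Review bot: the new `IPAUUID_EXCLUDE_SUBTREE` define introduces a config attribute the commit message calls optional, but nothing in the hunk records that it is optional or that it holds a single DN; a one-line comment beside the define, in the same style as whatever the neighbouring ipaUuid* attributes carry, would make that contract visible to whoever reads the plugin configuration later. Note also that the archive rendering has stripped the double quotes from the define values, so the real patch file, not this copy, is what to check.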
@@ -91,6 +92,7 @@ struct configEntry {
 Slapi_Filter *slapi_filter;
 char *generate;
 char *scope;
+char *exclude_subtree;
 bool enforce;
 };
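Review bot: `char *exclude_subtree` can hold exactly one subtree, so an operator who later needs a second container excluded from ipaUniqueID generation has no way to express it. If a single exclusion is the intended design, say so in the attribute documentation; otherwise a `char **` filled from a multi-valued attribute would be the more future-proof shape, with matching loops in the parse and free hunks.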
 
@@ -537,6 +539,10 @@ ipauuid_parse_config_entry(Slapi_Entry * e, bool apply)
 }
 LOG_CONFIG(-- %s [%s]\n, IPAUUID_SCOPE, entry-scope);
 
+value = slapi_entry_attr_get_charptr(e, IPAUUID_EXCLUDE_SUBTREE);
+entry-exclude_subtree = value;
+LOG_CONFIG(-- %s [%s]\n, IPAUUID_EXCLUDE_SUBTREE, entry-exclude_subtree);
+
 entry-enforce = slapi_entry_attr_get_bool(e, IPAUUID_ENFORCE);
 LOG_CONFIG(-- %s [%s]\n,
IPAUUID_ENFORCE, entry-enforce ? True : False);
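Review bot: the `LOG_CONFIG(... IPAUUID_EXCLUDE_SUBTREE, entry->exclude_subtree)` line is reached when the attribute is absent, and then `entry->exclude_subtree` is NULL; passing NULL for a `%s` argument is undefined behaviour (glibc happens to print `(null)`, other printf implementations can crash). Guard it, e.g. `entry->exclude_subtree ? entry->exclude_subtree : "(none)"`. Separately, the value is stored exactly as read with no DN validation or normalization, so a mistyped subtree would silently never match and entries under the provisioning container would receive an ipaUniqueID after all; validating the DN here, and rejecting the config when `apply` is set, would surface that misconfiguration at load time instead.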
@@ -640,6 +646,10 @@ ipauuid_free_config_entry(struct configEntry **entry)
 slapi_ch_free_string(e-scope);
 }
 
+if (e-exclude_subtree) {
+slapi_ch_free_string(e-exclude_subtree);
+}
+
 slapi_ch_free((void **)entry);
 }
 
@@ -918,6 +928,12 @@ static int ipauuid_pre_op(Slapi_PBlock *pb, int modtype)
 }
 }
 
+if (cfgentry-exclude_subtree) {
+if (slapi_dn_issuffix(dn, cfgentry-exclude_subtree)) {
+continue;
+}
+}
+
 /* 
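Review bot: the hunk is cut off in the archive, but from the visible lines `slapi_dn_issuffix(dn, cfgentry->exclude_subtree)` is a plain suffix comparison, so it only behaves as intended if `dn` and the configured subtree are in the same normalized form; make sure `dn` here is the normalized target DN and that the configured value is normalized when parsed, otherwise entries meant to be excluded may still get an ipaUniqueID. A test that adds an entry under `cn=provisioning,SUFFIX` and asserts that no ipaUniqueID is generated would pin down the requirement the commit message states.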

Re: [Freeipa-devel] [PATCH] Fix for 4861

2015-02-04 Thread Alexander Bokovoy

On Tue, 03 Feb 2015, Simo Sorce wrote:

See subject :-)

--
Simo Sorce * Red Hat, Inc. * New York



From 245b307a99722bd4ca61e799f1a2708b6689f773 Mon Sep 17 00:00:00 2001
From: Simo Sorce s...@redhat.com
Date: Tue, 3 Feb 2015 12:06:24 -0500
Subject: [PATCH] Handle DAL ABI change in MIT 1.13

In this new MIT version the DAL interface changes slightly but
KRB5_KDB_DAL_MAJOR_VERSION was not changed.

Luckily KRB5_KDB_API_VERSION did change and that's enough to know
what to compile in.

Resolves: https://fedorahosted.org/freeipa/ticket/4861

Signed-off-by: Simo Sorce s...@redhat.com
---
daemons/ipa-kdb/ipa_kdb.h| 7 +++
daemons/ipa-kdb/ipa_kdb_principals.c | 7 +++
2 files changed, 14 insertions(+)

diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index 
b92107bab5a259601160a402c54fa8ed440925b3..ba9968bce7cff87f9f4a7fcd056ff7a906ce9e82
 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -182,10 +182,17 @@ krb5_error_code ipadb_put_principal(krb5_context kcontext,
char **db_args);
krb5_error_code ipadb_delete_principal(krb5_context kcontext,
   krb5_const_principal search_for);
+#if KRB5_KDB_API_VERSION  8
krb5_error_code ipadb_iterate(krb5_context kcontext,
  char *match_entry,
  int (*func)(krb5_pointer, krb5_db_entry *),
  krb5_pointer func_arg);
+#else
+krb5_error_code ipadb_iterate(krb5_context kcontext,
+  char *match_entry,
+  int (*func)(krb5_pointer, krb5_db_entry *),
+  krb5_pointer func_arg, krb5_flags iterflags);
+#endif

/* POLICY FUNCTIONS */
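Review bot: the archive has swallowed the comparison operator in `#if KRB5_KDB_API_VERSION  8`, so the intended condition (presumably `<`) has to be confirmed against the real patch file. The same version test is then repeated verbatim in the .c file; to keep header and implementation from drifting apart, consider expressing the extra parameter once, e.g. a macro that expands to `, krb5_flags iterflags` for the newer API and to nothing otherwise, and using it in both prototypes.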

diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c 
b/daemons/ipa-kdb/ipa_kdb_principals.c
index 
e158c236eab5c7c5a7c12664dbde5d51cc55406d..600c4ee41c74a2fc154a5372ad3e3b4e8b94a635
 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -2087,10 +2087,17 @@ done:
return kerr;
}

+#if KRB5_KDB_API_VERSION  8
krb5_error_code ipadb_iterate(krb5_context kcontext,
  char *match_entry,
  int (*func)(krb5_pointer, krb5_db_entry *),
  krb5_pointer func_arg)
+#else
+krb5_error_code ipadb_iterate(krb5_context kcontext,
+  char *match_entry,
+  int (*func)(krb5_pointer, krb5_db_entry *),
+  krb5_pointer func_arg, krb5_flags iterflags)
+#endif
{
struct ipadb_context *ipactx;
krb5_error_code kerr;
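Review bot: the new `iterflags` parameter is accepted on the newer-API path but nothing in the visible part of `ipadb_iterate` uses it; if MIT 1.13 passes flags that are meant to change what the iteration returns, silently ignoring them is a behaviour gap, so either honour them or add a comment explaining why this backend can ignore them (and `(void)iterflags;` to keep -Wunused-parameter quiet).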

ACK.
I think we need this patch in both master and ipa-4-1. There is no functional
change, and I'd like to keep the code in plugins synchronized across branches if
possible to avoid maintenance hurdles in the future.

--
/ Alexander Bokovoy
