Re: [Freeipa-devel] [PATCH 0133] Require 389-ds-base >= 1.3.5.6

2016-06-16 Thread Alexander Bokovoy 

On Thu, 16 Jun 2016, Lukas Slebodnik wrote:

On (16/06/16 12:00), Petr Spacek wrote:

Hello,

Require 389-ds-base >= 1.3.5.6

Old DS handles LDAP filters incorrectly and breaks bind-dyndb-ldap.
See https://www.redhat.com/archives/freeipa-devel/2016-June/msg00477.html

https://fedorahosted.org/freeipa/ticket/2008

--
Petr^2 Spacek



From 6cadda4044cf2ea85c84e04937455ab7726207e1 Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Thu, 16 Jun 2016 11:58:56 +0200
Subject: [PATCH] Require 389-ds-base >= 1.3.5.6

Old DS handles LDAP filters incorrectly and breaks bind-dyndb-ldap.
See https://www.redhat.com/archives/freeipa-devel/2016-June/msg00477.html

https://fedorahosted.org/freeipa/ticket/2008
---
freeipa.spec.in | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 
d0f6888b47dbc6bcb7dcaf271d71900d67f97a2b..0d5c745d5306cd7141c573454bd1c1e6a78c7e7f
 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -42,7 +42,7 @@ Source0:freeipa-%{version}.tar.gz
BuildRoot:  %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)

%if ! %{ONLY_CLIENT}
-BuildRequires:  389-ds-base-devel >= 1.3.5
+BuildRequires:  389-ds-base-devel >= 1.3.5.6

I know that patch was pushed and it fixed your problem.
but I am little bit curious why did you need to change
version in BuildRequires?

If I understand correctly FreeIPA complies well with 1.3.5.
The only problem was at runtime.

We actually need 1.3.5.6 for slapi-nis and pwd extop plugins to build as
we are using all new pre-extop operation callback.
--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0133] Require 389-ds-base >= 1.3.5.6

2016-06-16 Thread Petr Spacek 
On 16.6.2016 15:58, Lukas Slebodnik wrote:
> On (16/06/16 12:00), Petr Spacek wrote:
>> Hello,
>>
>> Require 389-ds-base >= 1.3.5.6
>>
>> Old DS handles LDAP filters incorrectly and breaks bind-dyndb-ldap.
>> See https://www.redhat.com/archives/freeipa-devel/2016-June/msg00477.html
>>
>> https://fedorahosted.org/freeipa/ticket/2008
>>
>> -- 
>> Petr^2 Spacek
> 
>>From 6cadda4044cf2ea85c84e04937455ab7726207e1 Mon Sep 17 00:00:00 2001
>> From: Petr Spacek 
>> Date: Thu, 16 Jun 2016 11:58:56 +0200
>> Subject: [PATCH] Require 389-ds-base >= 1.3.5.6
>>
>> Old DS handles LDAP filters incorrectly and breaks bind-dyndb-ldap.
>> See https://www.redhat.com/archives/freeipa-devel/2016-June/msg00477.html
>>
>> https://fedorahosted.org/freeipa/ticket/2008
>> ---
>> freeipa.spec.in | 6 +++---
>> 1 file changed, 3 insertions(+), 3 deletions(-)
>>
>> diff --git a/freeipa.spec.in b/freeipa.spec.in
>> index 
>> d0f6888b47dbc6bcb7dcaf271d71900d67f97a2b..0d5c745d5306cd7141c573454bd1c1e6a78c7e7f
>>  100644
>> --- a/freeipa.spec.in
>> +++ b/freeipa.spec.in
>> @@ -42,7 +42,7 @@ Source0:freeipa-%{version}.tar.gz
>> BuildRoot:  %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} 
>> -n)
>>
>> %if ! %{ONLY_CLIENT}
>> -BuildRequires:  389-ds-base-devel >= 1.3.5
>> +BuildRequires:  389-ds-base-devel >= 1.3.5.6
> I know that patch was pushed and it fixed your problem.
> but I am little bit curious why did you need to change
> version in BuildRequires?
> 
> If I understand correctly FreeIPA complies well with 1.3.5.
> The only problem was at runtime.

Right, I did not bother to test it. Feel free to submit correcting patch.

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0133] Require 389-ds-base >= 1.3.5.6

2016-06-16 Thread Lukas Slebodnik 
On (16/06/16 12:00), Petr Spacek wrote:
>Hello,
>
>Require 389-ds-base >= 1.3.5.6
>
>Old DS handles LDAP filters incorrectly and breaks bind-dyndb-ldap.
>See https://www.redhat.com/archives/freeipa-devel/2016-June/msg00477.html
>
>https://fedorahosted.org/freeipa/ticket/2008
>
>-- 
>Petr^2 Spacek

>From 6cadda4044cf2ea85c84e04937455ab7726207e1 Mon Sep 17 00:00:00 2001
>From: Petr Spacek 
>Date: Thu, 16 Jun 2016 11:58:56 +0200
>Subject: [PATCH] Require 389-ds-base >= 1.3.5.6
>
>Old DS handles LDAP filters incorrectly and breaks bind-dyndb-ldap.
>See https://www.redhat.com/archives/freeipa-devel/2016-June/msg00477.html
>
>https://fedorahosted.org/freeipa/ticket/2008
>---
> freeipa.spec.in | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
>diff --git a/freeipa.spec.in b/freeipa.spec.in
>index 
>d0f6888b47dbc6bcb7dcaf271d71900d67f97a2b..0d5c745d5306cd7141c573454bd1c1e6a78c7e7f
> 100644
>--- a/freeipa.spec.in
>+++ b/freeipa.spec.in
>@@ -42,7 +42,7 @@ Source0:freeipa-%{version}.tar.gz
> BuildRoot:  %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
> 
> %if ! %{ONLY_CLIENT}
>-BuildRequires:  389-ds-base-devel >= 1.3.5
>+BuildRequires:  389-ds-base-devel >= 1.3.5.6
I know that patch was pushed and it fixed your problem.
but I am little bit curious why did you need to change
version in BuildRequires?

If I understand correctly FreeIPA complies well with 1.3.5.
The only problem was at runtime.

LS

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0133] Require 389-ds-base >= 1.3.5.6

2016-06-16 Thread Martin Basti 



On 16.06.2016 12:21, Ludwig Krispenz wrote:


On 06/16/2016 12:14 PM, Petr Spacek wrote:

On 16.6.2016 12:12, Ludwig Krispenz wrote:

On 06/16/2016 12:00 PM, Petr Spacek wrote:

Hello,

Require 389-ds-base >= 1.3.5.6

Old DS handles LDAP filters incorrectly

no. Old DS handles filters strictly as documented in the admin guide,
requiring access rights to each attribute used in the search filter. 
This was
known and applications had to adapt, in your case there would have 
had to be

two searches one with the (&()()) filter and one with (|()()()()).
You know, it is quite hard to adapt when your application rely on one 
SyncRepl

session ...

Anyway, feel free to send patch with rephrased commit message if you 
wish, I'm

okay with superseding my patch with yours.

no, it's fine, only sometimes I need to defend DS a bit


Petr^2 Spacek


This was improved in the latest version and componets withou access are
ignored in filter evaluation to avoid the problems you did run into.

otherwise your fix is ok

Ludwig

and breaks bind-dyndb-ldap.
See 
https://www.redhat.com/archives/freeipa-devel/2016-June/msg00477.html


https://fedorahosted.org/freeipa/ticket/2008



ACK
Pushed to master: 85d083c36651b15457af75e009f83bc6bb8114b0

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0133] Require 389-ds-base >= 1.3.5.6

2016-06-16 Thread Ludwig Krispenz 


On 06/16/2016 12:14 PM, Petr Spacek wrote:

On 16.6.2016 12:12, Ludwig Krispenz wrote:

On 06/16/2016 12:00 PM, Petr Spacek wrote:

Hello,

Require 389-ds-base >= 1.3.5.6

Old DS handles LDAP filters incorrectly

no. Old DS handles filters strictly as documented in the admin guide,
requiring access rights to each attribute used in the search filter. This was
known and applications had to adapt, in your case there would have had to be
two searches one with the (&()()) filter and one with (|()()()()).

You know, it is quite hard to adapt when your application rely on one SyncRepl
session ...

Anyway, feel free to send patch with rephrased commit message if you wish, I'm
okay with superseding my patch with yours.

no, it's fine, only sometimes I need to defend DS a bit


Petr^2 Spacek


This was improved in the latest version and componets withou access are
ignored in filter evaluation to avoid the problems you did run into.

otherwise your fix is ok

Ludwig

and breaks bind-dyndb-ldap.
See https://www.redhat.com/archives/freeipa-devel/2016-June/msg00477.html

https://fedorahosted.org/freeipa/ticket/2008


--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric 
Shander

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0133] Require 389-ds-base >= 1.3.5.6

2016-06-16 Thread Petr Spacek 
On 16.6.2016 12:12, Ludwig Krispenz wrote:
> 
> On 06/16/2016 12:00 PM, Petr Spacek wrote:
>> Hello,
>>
>> Require 389-ds-base >= 1.3.5.6
>>
>> Old DS handles LDAP filters incorrectly
> no. Old DS handles filters strictly as documented in the admin guide,
> requiring access rights to each attribute used in the search filter. This was
> known and applications had to adapt, in your case there would have had to be
> two searches one with the (&()()) filter and one with (|()()()()).

You know, it is quite hard to adapt when your application rely on one SyncRepl
session ...

Anyway, feel free to send patch with rephrased commit message if you wish, I'm
okay with superseding my patch with yours.

Petr^2 Spacek

> This was improved in the latest version and componets withou access are
> ignored in filter evaluation to avoid the problems you did run into.
> 
> otherwise your fix is ok
> 
> Ludwig
>> and breaks bind-dyndb-ldap.
>> See https://www.redhat.com/archives/freeipa-devel/2016-June/msg00477.html
>>
>> https://fedorahosted.org/freeipa/ticket/2008

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code