Re: [Freeipa-devel] [Patch] 0001-2 User Life Cycle: create containers and scoping DS plugins
Thanks. ACK, pushed to master.

Martin

On 08/29/2014 04:36 PM, thierry bordaz wrote:
> Hello,
>
> Partially reverts commit of 04ea75a7a5109907ede2a0216bd39fac46a992c0
>
> The fix 04ea75a7a5109907ede2a0216bd39fac46a992c0 restricted the DNA scope to 'cn=accounts,SUFFIX'. This was invalid.
>
> If you run recent master instance (with that scoping) you may need to reinstall IPA or do the following:
>
>   ldapmodify -h .. -p 389 -D "cn=directory manager" -w xxx
>   dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
>   changetype: modify
>   replace: dnaScope
>   dnaScope: $SUFFIX
>
>   ipactl restart
>
> Thanks Sumit for this catch. The new patch reverts the change in dna update.
>
> thierry
>
> On 08/28/2014 08:58 PM, Sumit Bose wrote:
>> On Thu, Aug 28, 2014 at 08:41:57PM +0200, thierry bordaz wrote:
>>> On 08/28/2014 08:30 PM, Sumit Bose wrote:
>>>> On Thu, Aug 28, 2014 at 07:26:51PM +0200, thierry bordaz wrote:
>>>>> On 08/28/2014 06:51 PM, Sumit Bose wrote:
>>>>>> On Thu, Aug 14, 2014 at 07:18:40PM +0200, thierry bordaz wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> Following Petr remarks from the previous review, I modified the original fix to move it only in '.update' files.
>>>>>>>
>>>>>>> Thanks
>>>>>>> thierry
>>>>>>>
>>>>>>> From d45e78dfeb7761348c464b3bb3956656bb115ce0 Mon Sep 17 00:00:00 2001
>>>>>>> From: Thierry bordaz (tbordaz) tbor...@redhat.com
>>>>>>> Date: Thu, 7 Aug 2014 16:29:02 +0200
>>>>>>> Subject: [PATCH] User Life Cycle: create containers and scoping DS plugins
>>>>>>>
>>>>>>> User Life Cycle is designed http://www.freeipa.org/page/V4/User_Life-Cycle_Management
>>>>>>> It manages 3 containers (Staging, Active, Delete). At install/upgrade Delete and Staging containers needs to be created.
>>>>>>>
>>>>>>> Active: cn=users,cn=accounts,$SUFFIX
>>>>>>> Delete: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
>>>>>>> Stage: cn=staged users ,cn=accounts,cn=provisioning,$SUFFIX
>>>>>>>
>>>>>>> Plugins scopes:
>>>>>>> krbPrincipalName, krbCanonicalName, ipaUniqueID, uid:
>>>>>>>   cn=accounts,SUFFIX
>>>>>>>   cn=deleted users,cn=accounts,cn=provisioning,SUFFIX
>>>>>>> DNA:
>>>>>>>   cn=accounts,SUFFIX
>>>>>> Hi Thierry,
>>>>>>
>>>>>> sorry for being late, but cn=accounts,SUFFIX is too strict for the DNA plugin. We need to generate a UID for the trusted domain objects as well which are stored in cn=trusts,SUFFIX. The reason is that AD expects to be able to connect with a special trusted domain account. We generate this account on the fly based on the data in the trusted domain object hence we need a UID here.
>>>>>>
>>>>>> Since it looks like dnaScope is a SINGLE-VALUE attribute I think dnaScope has to be reverted to SUFFIX. Do you see any drawbacks or a different solution?
>>>>>>
>>>>>> bye,
>>>>>> Sumit
>>>>> Hello Sumit,
>>>>>
>>>>> Thank you so much for having reviewed this fix and your important feedback ! Yes I had the same fear to restrict DNA to 'accounts'. I opened https://fedorahosted.org/389/ticket/47828 to allow to exclude a part of the DIT (here 'cn=provisioning,SUFFIX') from the scope of DNA plugin. Do you think it can address this concern ?
>>>> Yes, in general this would fix the issue. I'm just wondering if it wouldn't be easier with respect to coding and management to make dnaScope a multi-value attribute?
>>>>
>>>> Additionally a fix for IPA master is needed to make trusts work again. Would it be possible to tweak the filter to skip objects in cn=provisioning? E.g. do those objects have the ipaObject objectclass?
>>> Yes, stage entries have 'objectclass=ipaObject'. Do you suggest to remove this oc from staged entries, so that the filter will not match it ?. I have to check the impact of stage user not being ipaObject.
>> no, it was just a suggestion. Maybe we can use entryDN like:
>>
>>   (&(|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDobject))(!(entrydn=*cn=provisioning*)))
>>
>> bye,
>> Sumit
>>> thanks
>>> thierry
>>>> bye,
>>>> Sumit
>>>>> thanks
>>>>> thierry
>>>>>>> Plugins exclude subtree:
>>>>>>> IPA UUID, Referential Integrity, memberOf:
>>>>>>>   cn=provisioning,SUFFIX
>>>>>>>
>>>>>>> Reviewed-By: Petr Viktorin pvikt...@redhat.com
>>>>>>>
>>>>>>> https://fedorahosted.org/freeipa/ticket/3813
>>>>>>> ---

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
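Added example, not part of the thread and not FreeIPA or 389-ds code: a small Python model of the four DNA scoping options discussed in the message above (scope cn=accounts, scope full suffix, full suffix with cn=provisioning excluded as a subtree, full suffix with the entrydn substring filter), evaluated over constructed entries. The suffix, the entries, their objectClasses and the reading of the entrydn filter as a plain substring match are assumptions of the model.

```python
# Added example: model of the DNA scoping options from this thread.
# Not FreeIPA or 389-ds code; SUFFIX and every entry below are constructed.

SUFFIX = "dc=example,dc=test"  # stands in for $SUFFIX

# objectClasses from the DNA filter quoted in the thread
DNA_CLASSES = {"posixaccount", "posixgroup", "ipaidobject"}

# label -> (DN, objectClasses). The DN spelling quirks seen in the thread
# (capital "Deleted", stray space after "staged users") are kept on purpose.
# The objectClasses are assumed so that every entry matches the filter.
ENTRIES = {
    "active-user": (f"uid=alice,cn=users,cn=accounts,{SUFFIX}", ["posixAccount"]),
    "trust-object": (f"cn=ad.example.test,cn=trusts,{SUFFIX}", ["ipaIDobject"]),
    "staged-user": (f"uid=bob,cn=staged users ,cn=accounts,cn=provisioning,{SUFFIX}",
                    ["posixAccount"]),
    "deleted-user": (f"uid=carol,cn=Deleted users,cn=accounts,cn=provisioning,{SUFFIX}",
                     ["posixAccount"]),
    "active-group": (f"cn=provisioning admins,cn=groups,cn=accounts,{SUFFIX}",
                     ["posixGroup"]),
}


def rdns(dn):
    """Split a DN into normalised RDNs: case-folded, surrounding spaces dropped.
    Assumption: the sample DNs contain no escaped commas."""
    out = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        out.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return out


def in_subtree(dn, base):
    """True if dn is base itself or lies below it (RDN-wise, not string-wise)."""
    d, b = rdns(dn), rdns(base)
    return len(d) >= len(b) and d[-len(b):] == b


def dna_eligible(dn, classes, scope, exclude=(), entrydn_not_containing=None):
    """Would this entry get a UID/GID from DNA under the given configuration?"""
    if not DNA_CLASSES & {c.lower() for c in classes}:
        return False                      # objectClass part of the filter
    if not in_subtree(dn, scope):
        return False                      # outside dnaScope
    if any(in_subtree(dn, e) for e in exclude):
        return False                      # excluded subtree (the 389 ticket's idea)
    if entrydn_not_containing:
        # (!(entrydn=*...*)) modelled as a substring test on the normalised DN
        if entrydn_not_containing.lower() in ",".join(rdns(dn)):
            return False
    return True


CONFIGS = {
    # scope pushed with the first patch
    "accounts_only": dict(scope=f"cn=accounts,{SUFFIX}"),
    # scope after the revert
    "full_suffix": dict(scope=SUFFIX),
    # full suffix minus the provisioning subtree
    "suffix_minus_subtree": dict(scope=SUFFIX, exclude=[f"cn=provisioning,{SUFFIX}"]),
    # full suffix plus the entrydn substring filter
    "suffix_entrydn_filter": dict(scope=SUFFIX, entrydn_not_containing="cn=provisioning"),
}


def evaluate():
    """Return {configuration name: set of entry labels eligible for DNA}."""
    return {
        name: {label for label, (dn, classes) in ENTRIES.items()
               if dna_eligible(dn, classes, **cfg)}
        for name, cfg in CONFIGS.items()
    }


if __name__ == "__main__":
    for name, labels in evaluate().items():
        print(f"{name:24s} {sorted(labels)}")
```

In this model the cn=accounts scope drops the trust object, the full suffix pulls in staged and deleted users, and the substring filter also drops an active group whose name merely starts with "provisioning", which the subtree exclusion does not.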
Re: [Freeipa-devel] [Patch] 0001-2 User Life Cycle: create containers and scoping DS plugins
Hello,

Partially reverts commit of 04ea75a7a5109907ede2a0216bd39fac46a992c0

The fix 04ea75a7a5109907ede2a0216bd39fac46a992c0 restricted the DNA scope to 'cn=accounts,SUFFIX'. This was invalid.

If you run recent master instance (with that scoping) you may need to reinstall IPA or do the following:

  ldapmodify -h .. -p 389 -D "cn=directory manager" -w xxx
  dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
  changetype: modify
  replace: dnaScope
  dnaScope: $SUFFIX

  ipactl restart

Thanks Sumit for this catch. The new patch reverts the change in dna update.

thierry

On 08/28/2014 08:58 PM, Sumit Bose wrote:
> On Thu, Aug 28, 2014 at 08:41:57PM +0200, thierry bordaz wrote:
>> On 08/28/2014 08:30 PM, Sumit Bose wrote:
>>> On Thu, Aug 28, 2014 at 07:26:51PM +0200, thierry bordaz wrote:
>>>> On 08/28/2014 06:51 PM, Sumit Bose wrote:
>>>>> On Thu, Aug 14, 2014 at 07:18:40PM +0200, thierry bordaz wrote:
>>>>>> Hello,
>>>>>>
>>>>>> Following Petr remarks from the previous review, I modified the original fix to move it only in '.update' files.
>>>>>>
>>>>>> Thanks
>>>>>> thierry
>>>>>>
>>>>>> From d45e78dfeb7761348c464b3bb3956656bb115ce0 Mon Sep 17 00:00:00 2001
>>>>>> From: Thierry bordaz (tbordaz) tbor...@redhat.com
>>>>>> Date: Thu, 7 Aug 2014 16:29:02 +0200
>>>>>> Subject: [PATCH] User Life Cycle: create containers and scoping DS plugins
>>>>>>
>>>>>> User Life Cycle is designed http://www.freeipa.org/page/V4/User_Life-Cycle_Management
>>>>>> It manages 3 containers (Staging, Active, Delete). At install/upgrade Delete and Staging containers needs to be created.
>>>>>>
>>>>>> Active: cn=users,cn=accounts,$SUFFIX
>>>>>> Delete: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
>>>>>> Stage: cn=staged users ,cn=accounts,cn=provisioning,$SUFFIX
>>>>>>
>>>>>> Plugins scopes:
>>>>>> krbPrincipalName, krbCanonicalName, ipaUniqueID, uid:
>>>>>>   cn=accounts,SUFFIX
>>>>>>   cn=deleted users,cn=accounts,cn=provisioning,SUFFIX
>>>>>> DNA:
>>>>>>   cn=accounts,SUFFIX
>>>>> Hi Thierry,
>>>>>
>>>>> sorry for being late, but cn=accounts,SUFFIX is too strict for the DNA plugin. We need to generate a UID for the trusted domain objects as well which are stored in cn=trusts,SUFFIX. The reason is that AD expects to be able to connect with a special trusted domain account. We generate this account on the fly based on the data in the trusted domain object hence we need a UID here.
>>>>>
>>>>> Since it looks like dnaScope is a SINGLE-VALUE attribute I think dnaScope has to be reverted to SUFFIX. Do you see any drawbacks or a different solution?
>>>>>
>>>>> bye,
>>>>> Sumit
>>>> Hello Sumit,
>>>>
>>>> Thank you so much for having reviewed this fix and your important feedback ! Yes I had the same fear to restrict DNA to 'accounts'. I opened https://fedorahosted.org/389/ticket/47828 to allow to exclude a part of the DIT (here 'cn=provisioning,SUFFIX') from the scope of DNA plugin. Do you think it can address this concern ?
>>> Yes, in general this would fix the issue. I'm just wondering if it wouldn't be easier with respect to coding and management to make dnaScope a multi-value attribute?
>>>
>>> Additionally a fix for IPA master is needed to make trusts work again. Would it be possible to tweak the filter to skip objects in cn=provisioning? E.g. do those objects have the ipaObject objectclass?
Yes, stage entries have 'objectclass=ipaObject'. Do you suggest to remove this oc from staged entries, so that the filter will not match it ?. I have to check the impact of stage user not being ipaObject. no, it was just a suggestion. Maybe we can use entryDN like: ((|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDobject))(!(entrydn=*cn=provisioning*))) bye, Sumit thanks thierry bye, Sumit thanks thierry Plugins exclude subtree: IPA UUID, Referential Integrity, memberOf: cn=provisioning,SUFFIX Reviewed-By: Petr Viktorin pvikt...@redhat.com https://fedorahosted.org/freeipa/ticket/3813 --- From 7cd6cbc9bcb970e63712df98b1fc206727e1eb8b Mon Sep 17 00:00:00 2001 From: Thierry bordaz (tbordaz) tbor...@redhat.com Date: Fri, 29 Aug 2014 15:35:43 +0200 Subject: [PATCH] User Life Cycle: DNA scopes full SUFFIX In patch 0001-3, the DNA plugins configuration was changed to scope only 'cn=accounts,SUFFIX' This part of the fix was invalid as trust domain object (that need uid/gid allocation) are under 'cn=trust,SUFFIX'. Revert that part of the fix. Waiting on https://fedorahosted.org/389/ticket/47828, to exclude provisioning contains https://fedorahosted.org/freeipa/ticket/3813 --- install/updates/20-dna.update | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/install/updates/20-dna.update b/install/updates/20-dna.update index 719195e9214ac293a3729f389504f39b46cd1aa2..04047dd12787e589953e4f938a03d868de3ae93e 100644 --- a/install/updates/20-dna.update +++ b/install/updates/20-dna.update @@ -2,11
Re: [Freeipa-devel] [Patch] 0001-2 User Life Cycle: create containers and scoping DS plugins
On Thu, Aug 14, 2014 at 07:18:40PM +0200, thierry bordaz wrote:
> Hello,
>
> Following Petr remarks from the previous review, I modified the original fix to move it only in '.update' files.
>
> Thanks
> thierry
>
> From d45e78dfeb7761348c464b3bb3956656bb115ce0 Mon Sep 17 00:00:00 2001
> From: Thierry bordaz (tbordaz) tbor...@redhat.com
> Date: Thu, 7 Aug 2014 16:29:02 +0200
> Subject: [PATCH] User Life Cycle: create containers and scoping DS plugins
>
> User Life Cycle is designed http://www.freeipa.org/page/V4/User_Life-Cycle_Management
> It manages 3 containers (Staging, Active, Delete). At install/upgrade Delete and Staging containers needs to be created.
>
> Active: cn=users,cn=accounts,$SUFFIX
> Delete: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
> Stage: cn=staged users ,cn=accounts,cn=provisioning,$SUFFIX
>
> Plugins scopes:
> krbPrincipalName, krbCanonicalName, ipaUniqueID, uid:
>   cn=accounts,SUFFIX
>   cn=deleted users,cn=accounts,cn=provisioning,SUFFIX
> DNA:
>   cn=accounts,SUFFIX

Hi Thierry,

sorry for being late, but cn=accounts,SUFFIX is too strict for the DNA plugin. We need to generate a UID for the trusted domain objects as well which are stored in cn=trusts,SUFFIX. The reason is that AD expects to be able to connect with a special trusted domain account. We generate this account on the fly based on the data in the trusted domain object hence we need a UID here.

Since it looks like dnaScope is a SINGLE-VALUE attribute I think dnaScope has to be reverted to SUFFIX. Do you see any drawbacks or a different solution?

bye,
Sumit

> Plugins exclude subtree:
> IPA UUID, Referential Integrity, memberOf:
>   cn=provisioning,SUFFIX
>
> Reviewed-By: Petr Viktorin pvikt...@redhat.com
>
> https://fedorahosted.org/freeipa/ticket/3813
> ---
Re: [Freeipa-devel] [Patch] 0001-2 User Life Cycle: create containers and scoping DS plugins
On 08/28/2014 06:51 PM, Sumit Bose wrote:
> On Thu, Aug 14, 2014 at 07:18:40PM +0200, thierry bordaz wrote:
>> Hello,
>>
>> Following Petr remarks from the previous review, I modified the original fix to move it only in '.update' files.
>>
>> Thanks
>> thierry
>>
>> From d45e78dfeb7761348c464b3bb3956656bb115ce0 Mon Sep 17 00:00:00 2001
>> From: Thierry bordaz (tbordaz) tbor...@redhat.com
>> Date: Thu, 7 Aug 2014 16:29:02 +0200
>> Subject: [PATCH] User Life Cycle: create containers and scoping DS plugins
>>
>> User Life Cycle is designed http://www.freeipa.org/page/V4/User_Life-Cycle_Management
>> It manages 3 containers (Staging, Active, Delete). At install/upgrade Delete and Staging containers needs to be created.
>>
>> Active: cn=users,cn=accounts,$SUFFIX
>> Delete: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
>> Stage: cn=staged users ,cn=accounts,cn=provisioning,$SUFFIX
>>
>> Plugins scopes:
>> krbPrincipalName, krbCanonicalName, ipaUniqueID, uid:
>>   cn=accounts,SUFFIX
>>   cn=deleted users,cn=accounts,cn=provisioning,SUFFIX
>> DNA:
>>   cn=accounts,SUFFIX
> Hi Thierry,
>
> sorry for being late, but cn=accounts,SUFFIX is too strict for the DNA plugin. We need to generate a UID for the trusted domain objects as well which are stored in cn=trusts,SUFFIX. The reason is that AD expects to be able to connect with a special trusted domain account. We generate this account on the fly based on the data in the trusted domain object hence we need a UID here.
>
> Since it looks like dnaScope is a SINGLE-VALUE attribute I think dnaScope has to be reverted to SUFFIX. Do you see any drawbacks or a different solution?
>
> bye,
> Sumit

Hello Sumit,

Thank you so much for having reviewed this fix and your important feedback ! Yes I had the same fear to restrict DNA to 'accounts'. I opened https://fedorahosted.org/389/ticket/47828 to allow to exclude a part of the DIT (here 'cn=provisioning,SUFFIX') from the scope of DNA plugin. Do you think it can address this concern ?

thanks
thierry

>> Plugins exclude subtree:
>> IPA UUID, Referential Integrity, memberOf:
>>   cn=provisioning,SUFFIX
>>
>> Reviewed-By: Petr Viktorin pvikt...@redhat.com
>>
>> https://fedorahosted.org/freeipa/ticket/3813
>> ---
Re: [Freeipa-devel] [Patch] 0001-2 User Life Cycle: create containers and scoping DS plugins
On Thu, Aug 28, 2014 at 07:26:51PM +0200, thierry bordaz wrote:
> On 08/28/2014 06:51 PM, Sumit Bose wrote:
>> On Thu, Aug 14, 2014 at 07:18:40PM +0200, thierry bordaz wrote:
>>> Hello,
>>>
>>> Following Petr remarks from the previous review, I modified the original fix to move it only in '.update' files.
>>>
>>> Thanks
>>> thierry
>>>
>>> From d45e78dfeb7761348c464b3bb3956656bb115ce0 Mon Sep 17 00:00:00 2001
>>> From: Thierry bordaz (tbordaz) tbor...@redhat.com
>>> Date: Thu, 7 Aug 2014 16:29:02 +0200
>>> Subject: [PATCH] User Life Cycle: create containers and scoping DS plugins
>>>
>>> User Life Cycle is designed http://www.freeipa.org/page/V4/User_Life-Cycle_Management
>>> It manages 3 containers (Staging, Active, Delete). At install/upgrade Delete and Staging containers needs to be created.
>>>
>>> Active: cn=users,cn=accounts,$SUFFIX
>>> Delete: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
>>> Stage: cn=staged users ,cn=accounts,cn=provisioning,$SUFFIX
>>>
>>> Plugins scopes:
>>> krbPrincipalName, krbCanonicalName, ipaUniqueID, uid:
>>>   cn=accounts,SUFFIX
>>>   cn=deleted users,cn=accounts,cn=provisioning,SUFFIX
>>> DNA:
>>>   cn=accounts,SUFFIX
>> Hi Thierry,
>>
>> sorry for being late, but cn=accounts,SUFFIX is too strict for the DNA plugin. We need to generate a UID for the trusted domain objects as well which are stored in cn=trusts,SUFFIX. The reason is that AD expects to be able to connect with a special trusted domain account. We generate this account on the fly based on the data in the trusted domain object hence we need a UID here.
>>
>> Since it looks like dnaScope is a SINGLE-VALUE attribute I think dnaScope has to be reverted to SUFFIX. Do you see any drawbacks or a different solution?
>>
>> bye,
>> Sumit
> Hello Sumit,
>
> Thank you so much for having reviewed this fix and your important feedback ! Yes I had the same fear to restrict DNA to 'accounts'. I opened https://fedorahosted.org/389/ticket/47828 to allow to exclude a part of the DIT (here 'cn=provisioning,SUFFIX') from the scope of DNA plugin. Do you think it can address this concern ?

Yes, in general this would fix the issue. I'm just wondering if it wouldn't be easier with respect to coding and management to make dnaScope a multi-value attribute?

Additionally a fix for IPA master is needed to make trusts work again. Would it be possible to tweak the filter to skip objects in cn=provisioning? E.g. do those objects have the ipaObject objectclass?

bye,
Sumit

> thanks
> thierry
>>> Plugins exclude subtree:
>>> IPA UUID, Referential Integrity, memberOf:
>>>   cn=provisioning,SUFFIX
>>>
>>> Reviewed-By: Petr Viktorin pvikt...@redhat.com
>>>
>>> https://fedorahosted.org/freeipa/ticket/3813
>>> ---
Re: [Freeipa-devel] [Patch] 0001-2 User Life Cycle: create containers and scoping DS plugins
On 08/28/2014 08:30 PM, Sumit Bose wrote:
> On Thu, Aug 28, 2014 at 07:26:51PM +0200, thierry bordaz wrote:
>> On 08/28/2014 06:51 PM, Sumit Bose wrote:
>>> On Thu, Aug 14, 2014 at 07:18:40PM +0200, thierry bordaz wrote:
>>>> Hello,
>>>>
>>>> Following Petr remarks from the previous review, I modified the original fix to move it only in '.update' files.
>>>>
>>>> Thanks
>>>> thierry
>>>>
>>>> From d45e78dfeb7761348c464b3bb3956656bb115ce0 Mon Sep 17 00:00:00 2001
>>>> From: Thierry bordaz (tbordaz) tbor...@redhat.com
>>>> Date: Thu, 7 Aug 2014 16:29:02 +0200
>>>> Subject: [PATCH] User Life Cycle: create containers and scoping DS plugins
>>>>
>>>> User Life Cycle is designed http://www.freeipa.org/page/V4/User_Life-Cycle_Management
>>>> It manages 3 containers (Staging, Active, Delete). At install/upgrade Delete and Staging containers needs to be created.
>>>>
>>>> Active: cn=users,cn=accounts,$SUFFIX
>>>> Delete: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
>>>> Stage: cn=staged users ,cn=accounts,cn=provisioning,$SUFFIX
>>>>
>>>> Plugins scopes:
>>>> krbPrincipalName, krbCanonicalName, ipaUniqueID, uid:
>>>>   cn=accounts,SUFFIX
>>>>   cn=deleted users,cn=accounts,cn=provisioning,SUFFIX
>>>> DNA:
>>>>   cn=accounts,SUFFIX
>>> Hi Thierry,
>>>
>>> sorry for being late, but cn=accounts,SUFFIX is too strict for the DNA plugin. We need to generate a UID for the trusted domain objects as well which are stored in cn=trusts,SUFFIX. The reason is that AD expects to be able to connect with a special trusted domain account. We generate this account on the fly based on the data in the trusted domain object hence we need a UID here.
>>>
>>> Since it looks like dnaScope is a SINGLE-VALUE attribute I think dnaScope has to be reverted to SUFFIX. Do you see any drawbacks or a different solution?
>>>
>>> bye,
>>> Sumit
>> Hello Sumit,
>>
>> Thank you so much for having reviewed this fix and your important feedback ! Yes I had the same fear to restrict DNA to 'accounts'. I opened https://fedorahosted.org/389/ticket/47828 to allow to exclude a part of the DIT (here 'cn=provisioning,SUFFIX') from the scope of DNA plugin. Do you think it can address this concern ?
> Yes, in general this would fix the issue. I'm just wondering if it wouldn't be easier with respect to coding and management to make dnaScope a multi-value attribute?
>
> Additionally a fix for IPA master is needed to make trusts work again. Would it be possible to tweak the filter to skip objects in cn=provisioning? E.g. do those objects have the ipaObject objectclass?

Yes, stage entries have 'objectclass=ipaObject'. Do you suggest to remove this oc from staged entries, so that the filter will not match it ?. I have to check the impact of stage user not being ipaObject.

thanks
thierry

> bye,
> Sumit
>> thanks
>> thierry
>>>> Plugins exclude subtree:
>>>> IPA UUID, Referential Integrity, memberOf:
>>>>   cn=provisioning,SUFFIX
>>>>
>>>> Reviewed-By: Petr Viktorin pvikt...@redhat.com
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/3813
>>>> ---
Re: [Freeipa-devel] [Patch] 0001-2 User Life Cycle: create containers and scoping DS plugins
On 08/18/2014 05:17 PM, thierry bordaz wrote:
> On 08/18/2014 05:10 PM, Petr Viktorin wrote:
>> On 08/18/2014 05:03 PM, thierry bordaz wrote:
>>> ...
>> Simply reply to this mail with the revised patch attached. As for attaching patches to the tickets, I've never done it and no one ever complained, so it's not necessary. But attach it if you like :)
> Good to know :).
> Thanks

It is not required. It is only stated as optional step in http://www.freeipa.org/page/Contribute/Code#Submit_a_patch

I personally attach at least the first version to help pairing the ticket with the patch number and better searching in the list. The job is done by my patch submission script, so it is no additional work for me anyway :-)

Martin
Re: [Freeipa-devel] [Patch] 0001-2 User Life Cycle: create containers and scoping DS plugins
On 08/18/2014 05:17 PM, thierry bordaz wrote:
> On 08/18/2014 05:10 PM, Petr Viktorin wrote:
>> On 08/18/2014 05:03 PM, thierry bordaz wrote:
>>> On 08/18/2014 04:06 PM, Petr Viktorin wrote:
>>>> On 08/14/2014 07:18 PM, thierry bordaz wrote:
>>>>> Hello,

[...]

>>>> Otherwise ACK. We want to push this together with your patch 0002, right?
>>> Well, patch 0002 does not require 0001 (and the opposite as well). Although they are both related to ULC, I separated them to make reviews and dev simpler. So if you are ok, I can push 0001 without the immediate need to push 0002.
>> OK

Pushed to master: 04ea75a7a5109907ede2a0216bd39fac46a992c0

--
Petr³
Re: [Freeipa-devel] [Patch] 0001-2 User Life Cycle: create containers and scoping DS plugins
On 08/14/2014 07:18 PM, thierry bordaz wrote:
> Hello,
>
> Following Petr remarks from the previous review, I modified the original fix to move it only in '.update' files.
>
> Thanks
> thierry

Looks better, thanks! I've tested install and upgrades, everything works as expected.

Some whitespace issues:

Applying: User Life Cycle: create containers and scoping DS plugins
.git/rebase-apply/patch:44: new blank line at EOF.
+
.git/rebase-apply/patch:111: new blank line at EOF.
+
warning: 2 lines add whitespace errors.

A tiny nitpick:

+dn: cn=Deleted users,cn=accounts,cn=provisioning,$SUFFIX

CN is case-insensitive, but the capital D does stand out.

Otherwise ACK. We want to push this together with your patch 0002, right?

--
Petr³
Re: [Freeipa-devel] [Patch] 0001-2 User Life Cycle: create containers and scoping DS plugins
On 08/18/2014 04:06 PM, Petr Viktorin wrote:
> On 08/14/2014 07:18 PM, thierry bordaz wrote:
>> Hello,
>>
>> Following Petr remarks from the previous review, I modified the original fix to move it only in '.update' files.
>>
>> Thanks
>> thierry
> Looks better, thanks! I've tested install and upgrades, everything works as expected.

:-) . Thanks for your tests.

> Some whitespace issues:
>
> Applying: User Life Cycle: create containers and scoping DS plugins
> .git/rebase-apply/patch:44: new blank line at EOF.
> +
> .git/rebase-apply/patch:111: new blank line at EOF.
> +
> warning: 2 lines add whitespace errors.
>
> A tiny nitpick:
>
> +dn: cn=Deleted users,cn=accounts,cn=provisioning,$SUFFIX
>
> CN is case-insensitive, but the capital D does stand out.

Good ! This extra lines sounds a familiar issue to me ;). I fixed this and I removed the extra lines and lowercase. Basically it creates a new patch freeipa-tbordaz-0001-3-User-Life-Cycle-new-containers-and-DS-plugin-scope.patch. How should I proceed here, send a new review on freeipa-devel and/or attach this patch (1.3) to the bug ?

> Otherwise ACK. We want to push this together with your patch 0002, right?

Well, patch 0002 does not require 0001 (and the opposite as well). Although they are both related to ULC, I separated them to make reviews and dev simpler. So if you are ok, I can push 0001 without the immediate need to push 0002.

thanks again
thierry
Re: [Freeipa-devel] [Patch] 0001-2 User Life Cycle: create containers and scoping DS plugins
On 08/18/2014 05:03 PM, thierry bordaz wrote:
> On 08/18/2014 04:06 PM, Petr Viktorin wrote:
>> On 08/14/2014 07:18 PM, thierry bordaz wrote:
>>> Hello,
>>>
>>> Following Petr remarks from the previous review, I modified the original fix to move it only in '.update' files.
>>>
>>> Thanks
>>> thierry
>> Looks better, thanks! I've tested install and upgrades, everything works as expected.
> :-) . Thanks for your tests.
>> Some whitespace issues:
>>
>> Applying: User Life Cycle: create containers and scoping DS plugins
>> .git/rebase-apply/patch:44: new blank line at EOF.
>> +
>> .git/rebase-apply/patch:111: new blank line at EOF.
>> +
>> warning: 2 lines add whitespace errors.
>>
>> A tiny nitpick:
>>
>> +dn: cn=Deleted users,cn=accounts,cn=provisioning,$SUFFIX
>>
>> CN is case-insensitive, but the capital D does stand out.
> Good ! This extra lines sounds a familiar issue to me ;). I fixed this and I removed the extra lines and lowercase. Basically it creates a new patch freeipa-tbordaz-0001-3-User-Life-Cycle-new-containers-and-DS-plugin-scope.patch. How should I proceed here, send a new review on freeipa-devel and/or attach this patch (1.3) to the bug ?

Simply reply to this mail with the revised patch attached. As for attaching patches to the tickets, I've never done it and no one ever complained, so it's not necessary. But attach it if you like :)

>> Otherwise ACK. We want to push this together with your patch 0002, right?
> Well, patch 0002 does not require 0001 (and the opposite as well). Although they are both related to ULC, I separated them to make reviews and dev simpler. So if you are ok, I can push 0001 without the immediate need to push 0002.

OK

--
Petr³
Re: [Freeipa-devel] [Patch] 0001-2 User Life Cycle: create containers and scoping DS plugins
On 08/18/2014 05:10 PM, Petr Viktorin wrote:
> On 08/18/2014 05:03 PM, thierry bordaz wrote:
>> On 08/18/2014 04:06 PM, Petr Viktorin wrote:
>>> On 08/14/2014 07:18 PM, thierry bordaz wrote:
>>>> Hello,
>>>>
>>>> Following Petr remarks from the previous review, I modified the original fix to move it only in '.update' files.
>>>>
>>>> Thanks
>>>> thierry
>>> Looks better, thanks! I've tested install and upgrades, everything works as expected.
>> :-) . Thanks for your tests.
>>> Some whitespace issues:
>>>
>>> Applying: User Life Cycle: create containers and scoping DS plugins
>>> .git/rebase-apply/patch:44: new blank line at EOF.
>>> +
>>> .git/rebase-apply/patch:111: new blank line at EOF.
>>> +
>>> warning: 2 lines add whitespace errors.
>>>
>>> A tiny nitpick:
>>>
>>> +dn: cn=Deleted users,cn=accounts,cn=provisioning,$SUFFIX
>>>
>>> CN is case-insensitive, but the capital D does stand out.
>> Good ! This extra lines sounds a familiar issue to me ;). I fixed this and I removed the extra lines and lowercase. Basically it creates a new patch freeipa-tbordaz-0001-3-User-Life-Cycle-new-containers-and-DS-plugin-scope.patch. How should I proceed here, send a new review on freeipa-devel and/or attach this patch (1.3) to the bug ?
> Simply reply to this mail with the revised patch attached. As for attaching patches to the tickets, I've never done it and no one ever complained, so it's not necessary. But attach it if you like :)

Good to know :).
Thanks

>>> Otherwise ACK. We want to push this together with your patch 0002, right?
>> Well, patch 0002 does not require 0001 (and the opposite as well). Although they are both related to ULC, I separated them to make reviews and dev simpler. So if you are ok, I can push 0001 without the immediate need to push 0002.
> OK

From 464bdcee06a647fe60144e00206f740822c9fee8 Mon Sep 17 00:00:00 2001
From: Thierry bordaz (tbordaz) tbor...@redhat.com Date: Thu, 7 Aug 2014 16:29:02 +0200 Subject: [PATCH] User Life Cycle: create containers and scoping DS plugins User Life Cycle is designed http://www.freeipa.org/page/V4/User_Life-Cycle_Management It manages 3 containers (Staging, Active, Delete). At install/upgrade Delete and Staging containers needs to be created. Active: cn=users,cn=accounts,$SUFFIX Delete: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX Stage: cn=staged users ,cn=accounts,cn=provisioning,$SUFFIX Plugins scopes: krbPrincipalName, krbCanonicalName, ipaUniqueID, uid: cn=accounts,SUFFIX cn=deleted users,cn=accounts,cn=provisioning,SUFFIX DNA: cn=accounts,SUFFIX Plugins exclude subtree: IPA UUID, Referential Integrity, memberOf: cn=provisioning,SUFFIX Reviewed-By: Petr Viktorin pvikt...@redhat.com https://fedorahosted.org/freeipa/ticket/3813 --- install/updates/10-uniqueness.update | 26 ++ install/updates/20-dna.update | 4 +++- install/updates/20-syncrepl.update | 6 ++ install/updates/30-provisioning.update | 21 + install/updates/Makefile.am| 1 + 5 files changed, 57 insertions(+), 1 deletion(-) create mode 100644 install/updates/30-provisioning.update diff --git a/install/updates/10-uniqueness.update b/install/updates/10-uniqueness.update index a336d3480866f74b82b35280e6ed788f1abb992f..c9641c47fabdffdc278216b38abd606745781d41 100644 --- a/install/updates/10-uniqueness.update +++ b/install/updates/10-uniqueness.update 
@@ -48,3 +48,29 @@ default:nsslapd-plugin-depends-on-type: database default:nsslapd-pluginId: NSUniqueAttr default:nsslapd-pluginVersion: 1.1.0 default:nsslapd-pluginVendor: Fedora Project + +# uid uniqueness scopes Active/Delete containers +dn: cn=attribute uniqueness,cn=plugins,cn=config +remove:nsslapd-pluginarg1:'$SUFFIX' +add:nsslapd-pluginarg1:'cn=accounts,$SUFFIX' +add:nsslapd-pluginarg2:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX' +remove:nsslapd-pluginenabled:off +add:nsslapd-pluginenabled:on + +# krbPrincipalName uniqueness scopes Active/Delete containers +dn: cn=krbPrincipalName uniqueness,cn=plugins,cn=config +remove:nsslapd-pluginarg1:'$SUFFIX' +add:nsslapd-pluginarg1:'cn=accounts,$SUFFIX' +add:nsslapd-pluginarg2:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX' + +# krbCanonicalName uniqueness scopes Active/Delete containers +dn: cn=krbCanonicalName uniqueness,cn=plugins,cn=config +remove:nsslapd-pluginarg1:'$SUFFIX' +add:nsslapd-pluginarg1:'cn=accounts,$SUFFIX' +add:nsslapd-pluginarg2:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX' + +# ipaUniqueID uniqueness scopes Active/Delete containers +dn: cn=ipaUniqueID uniqueness,cn=plugins,cn=config +remove:nsslapd-pluginarg1:'$SUFFIX' +add:nsslapd-pluginarg1:'cn=accounts,$SUFFIX' +add:nsslapd-pluginarg2:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX' diff --git a/install/updates/20-dna.update b/install/updates/20-dna.update index 04047dd12787e589953e4f938a03d868de3ae93e..719195e9214ac293a3729f389504f39b46cd1aa2 100644 --- a/install/updates/20-dna.update +++ b/install/updates/20-dna.update @@ -2,9 +2,11
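Review bot: In the 10-uniqueness.update hunk, the "cn=attribute uniqueness" stanza does more than rescope: it also carries "remove:nsslapd-pluginenabled:off" and "add:nsslapd-pluginenabled:on", while the krbPrincipalName, krbCanonicalName and ipaUniqueID stanzas only replace nsslapd-pluginarg1 and add nsslapd-pluginarg2. The commit message talks about plugin scopes only, so switching uid uniqueness on at upgrade is an undocumented behaviour change for deployments that had it off; please either say so in the commit message (and in the "# uid uniqueness scopes Active/Delete containers" comment) or move the enablement to its own change. It would also help to state in a comment that the staged-users container is deliberately left out of all four uniqueness scopes, since only the Active and Delete containers are listed.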