[Freeipa-devel] #4389: DS deref broken after ACI refactoring

2014-06-20 Thread Martin Kosek
Hello all, I would like to discuss what should we do with the latest issue we found in SSSD-DS communication which is broken after the ACI refactoring. I was working with Ludwig, there is a problem in the way how deref plugin checks the access to the referenced entry. Instead of checking the

Re: [Freeipa-devel] #4389: DS deref broken after ACI refactoring

2014-06-20 Thread Jakub Hrozek
On Fri, Jun 20, 2014 at 04:06:16PM +0200, Martin Kosek wrote: Hello all, I would like to discuss what should we do with the latest issue we found in SSSD-DS communication which is broken after the ACI refactoring. It's not just SSSD-DS communication, any client, including ldapsearch

Re: [Freeipa-devel] #4389: DS deref broken after ACI refactoring

2014-06-20 Thread Ludwig Krispenz
On 06/20/2014 04:24 PM, Jakub Hrozek wrote: On Fri, Jun 20, 2014 at 04:06:16PM +0200, Martin Kosek wrote: Hello all, I would like to discuss what should we do with the latest issue we found in SSSD-DS communication which is broken after the ACI refactoring. It's not just SSSD-DS

Re: [Freeipa-devel] #4389: DS deref broken after ACI refactoring

2014-06-20 Thread Martin Kosek
On 06/20/2014 04:24 PM, Jakub Hrozek wrote: On Fri, Jun 20, 2014 at 04:06:16PM +0200, Martin Kosek wrote: Hello all, I would like to discuss what should we do with the latest issue we found in SSSD-DS communication which is broken after the ACI refactoring. It's not just SSSD-DS

Re: [Freeipa-devel] #4389: DS deref broken after ACI refactoring

2014-06-20 Thread Ludwig Krispenz
On 06/20/2014 04:45 PM, Martin Kosek wrote: On 06/20/2014 04:24 PM, Jakub Hrozek wrote: On Fri, Jun 20, 2014 at 04:06:16PM +0200, Martin Kosek wrote: Hello all, I would like to discuss what should we do with the latest issue we found in SSSD-DS communication which is broken after the ACI

Re: [Freeipa-devel] #4389: DS deref broken after ACI refactoring

2014-06-20 Thread Simo Sorce
On Fri, 2014-06-20 at 16:45 +0200, Martin Kosek wrote: There is no impact on clients connected to the fixed DS. This is the scenario I am concerned about: User has RHEL/CentOS 6.x IPA server and wants to try the new nice and shiny FreeIPA 4.0. He installs the FreeIPA 4.0 replica (with fixed

Re: [Freeipa-devel] #4389: DS deref broken after ACI refactoring

2014-06-20 Thread Jakub Hrozek
On Fri, Jun 20, 2014 at 04:45:45PM +0200, Martin Kosek wrote: On 06/20/2014 04:24 PM, Jakub Hrozek wrote: On Fri, Jun 20, 2014 at 04:06:16PM +0200, Martin Kosek wrote: Hello all, I would like to discuss what should we do with the latest issue we found in SSSD-DS communication which is

Re: [Freeipa-devel] #4389: DS deref broken after ACI refactoring

2014-06-20 Thread Martin Kosek
On 06/20/2014 05:51 PM, Jakub Hrozek wrote: On Fri, Jun 20, 2014 at 04:45:45PM +0200, Martin Kosek wrote: On 06/20/2014 04:24 PM, Jakub Hrozek wrote: On Fri, Jun 20, 2014 at 04:06:16PM +0200, Martin Kosek wrote: ... I think we should just make a note to self to allow users to fix the ACIs