Re: [Freeipa-devel] [PATCH] 0019 - 2 ipapwd_extop should take precedence over default DS plugin
On Thu, 16 Jun 2016, thierry bordaz wrote: From 81af4f17deca1814851429a054804b5bc9f63491 Mon Sep 17 00:00:00 2001 From: Thierry BordazDate: Thu, 16 Jun 2016 16:28:03 +0200 Subject: [PATCH] Make sure ipapwd_extop takes precedence over passwd_modify_extop DS core server provides a default plugin (passwd_modify_extop) to handle 1.3.6.1.4.1.4203.1.11.1 extended op (https://www.ietf.org/rfc/rfc3062.txt) IPA delivers ipa_pwd_extop plugin that should take precedence over the default DS plugin (passwd_modify_extop) In addition make sure that slapi-nis has a low precedence --- install/share/schema_compat.uldif | 2 +- install/updates/10-ipapwd.update| 9 + install/updates/10-schema_compat.update | 2 +- 3 files changed, 11 insertions(+), 2 deletions(-) create mode 100644 install/updates/10-ipapwd.update diff --git a/install/share/schema_compat.uldif b/install/share/schema_compat.uldif index a3d412f..66f8ea1 100644 --- a/install/share/schema_compat.uldif +++ b/install/share/schema_compat.uldif @@ -16,7 +16,7 @@ default:nsslapd-pluginid: schema-compat-plugin # We need to run schema-compat pre-bind callback before # other IPA pre-bind callbacks to make sure bind DN is # rewritten to the original entry if needed -default:nsslapd-pluginprecedence: 49 +default:nsslapd-pluginprecedence: 40 default:nsslapd-pluginversion: 0.8 default:nsslapd-pluginbetxn: on default:nsslapd-pluginvendor: redhat.com diff --git a/install/updates/10-ipapwd.update b/install/updates/10-ipapwd.update new file mode 100644 index 000..d9bffa2 --- /dev/null +++ b/install/updates/10-ipapwd.update @@ -0,0 +1,9 @@ +dn: cn=ipa_pwd_extop,cn=plugins,cn=config +# DS core server provides a default plugin (passwd_modify_extop) to handle +# 1.3.6.1.4.1.4203.1.11.1 extended op (https://www.ietf.org/rfc/rfc3062.txt) +# the pluginprecedence of the passwd_modify_extop is 50 (default value) +# +# IPA delivers ipa_pwd_extop plugin to handle that extended op +# we need to make sure ipa_pwd_extop is called and so to set a lower +# precedence value +add:nsslapd-pluginprecedence: 49 diff --git a/install/updates/10-schema_compat.update b/install/updates/10-schema_compat.update index 2d257a3..e4c257d 100644 --- a/install/updates/10-schema_compat.update +++ b/install/updates/10-schema_compat.update @@ -74,7 +74,7 @@ dn: cn=Schema Compatibility,cn=plugins,cn=config # We need to run schema-compat pre-bind callback before # other IPA pre-bind callbacks to make sure bind DN is # rewritten to the original entry if needed -add:nsslapd-pluginprecedence: 49 +add:nsslapd-pluginprecedence: 40 dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","") -- 2.5.0 ACK. A build override with 389-ds-base 1.3.5.6-1.fc24 is also created. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 0019 - 2 ipapwd_extop should take precedence over default DS plugin
On 16.06.2016 22:29, Alexander Bokovoy wrote: On Thu, 16 Jun 2016, thierry bordaz wrote: The version DS 1.3.5.6 is now available. Here is the second version of the patch taking into account lower precedence for Schema Compat On 06/13/2016 06:01 PM, Alexander Bokovoy wrote: On Mon, 13 Jun 2016, thierry bordaz wrote: On 06/13/2016 04:57 PM, Alexander Bokovoy wrote: On Mon, 13 Jun 2016, thierry bordaz wrote: This is the fix for https://fedorahosted.org/freeipa/ticket/5944 From 2838fbfc7a22b9bc0c1c4dfaf3660d1ac7099461 Mon Sep 17 00:00:00 2001 From: Thierry BordazDate: Wed, 8 Jun 2016 14:03:42 +0200 Subject: [PATCH] Make sure ipapwd_extop takes precedence over passwd_modify_extop DS core server provides a default plugin (passwd_modify_extop) to handle 1.3.6.1.4.1.4203.1.11.1 extended op (https://www.ietf.org/rfc/rfc3062.txt) IPA delivers ipa_pwd_extop plugin that should take precedence over the default DS plugin (passwd_modify_extop) --- install/updates/10-ipapwd.update | 9 + 1 file changed, 9 insertions(+) create mode 100644 install/updates/10-ipapwd.update diff --git a/install/updates/10-ipapwd.update b/install/updates/10-ipapwd.update new file mode 100644 index 000..d9bffa2 --- /dev/null +++ b/install/updates/10-ipapwd.update @@ -0,0 +1,9 @@ +dn: cn=ipa_pwd_extop,cn=plugins,cn=config +# DS core server provides a default plugin (passwd_modify_extop) to handle +# 1.3.6.1.4.1.4203.1.11.1 extended op (https://www.ietf.org/rfc/rfc3062.txt) +# the pluginprecedence of the passwd_modify_extop is 50 (default value) +# +# IPA delivers ipa_pwd_extop plugin to handle that extended op +# we need to make sure ipa_pwd_extop is called and so to set a lower +# precedence value +add:nsslapd-pluginprecedence: 49 Here is the problem: slapi-nis is 49 as well and it should be before ipa_pwd_extop. You need to update install/share/schema_compat.uldif and install/updates/10-schema_compat.update to get slapi-nis before ipa_pwd_extop. ipapwd_plugin registers extendedop callback but slapi-nis does not. So I do not think they will "fight" for precedence. Even if slapi-nis register perextendedop they will be on different lists and it should not create any issue. Now I understand that slapi-nis must run with a precedence that should be lower than most of the others plugins. Currently it is 49, are you ok with a value like 40 ? I'm OK with 40, yes. The precedence applies to all callbacks, not just to preextendedop, so a BIND callback would be affected too. You also need to make sure we depend on the updated 389-ds-base package version. Good ! Now with this dependency we should wait for 389-ds 1.3.5.5 to be available, I will resend the review when it will be available. Yep, thanks. From 81af4f17deca1814851429a054804b5bc9f63491 Mon Sep 17 00:00:00 2001 From: Thierry Bordaz Date: Thu, 16 Jun 2016 16:28:03 +0200 Subject: [PATCH] Make sure ipapwd_extop takes precedence over passwd_modify_extop DS core server provides a default plugin (passwd_modify_extop) to handle 1.3.6.1.4.1.4203.1.11.1 extended op (https://www.ietf.org/rfc/rfc3062.txt) IPA delivers ipa_pwd_extop plugin that should take precedence over the default DS plugin (passwd_modify_extop) In addition make sure that slapi-nis has a low precedence --- install/share/schema_compat.uldif | 2 +- install/updates/10-ipapwd.update| 9 + install/updates/10-schema_compat.update | 2 +- 3 files changed, 11 insertions(+), 2 deletions(-) create mode 100644 install/updates/10-ipapwd.update diff --git a/install/share/schema_compat.uldif b/install/share/schema_compat.uldif index a3d412f..66f8ea1 100644 --- a/install/share/schema_compat.uldif +++ b/install/share/schema_compat.uldif @@ -16,7 +16,7 @@ default:nsslapd-pluginid: schema-compat-plugin # We need to run schema-compat pre-bind callback before # other IPA pre-bind callbacks to make sure bind DN is # rewritten to the original entry if needed -default:nsslapd-pluginprecedence: 49 +default:nsslapd-pluginprecedence: 40 default:nsslapd-pluginversion: 0.8 default:nsslapd-pluginbetxn: on default:nsslapd-pluginvendor: redhat.com diff --git a/install/updates/10-ipapwd.update b/install/updates/10-ipapwd.update new file mode 100644 index 000..d9bffa2 --- /dev/null +++ b/install/updates/10-ipapwd.update @@ -0,0 +1,9 @@ +dn: cn=ipa_pwd_extop,cn=plugins,cn=config +# DS core server provides a default plugin (passwd_modify_extop) to handle +# 1.3.6.1.4.1.4203.1.11.1 extended op (https://www.ietf.org/rfc/rfc3062.txt) +# the pluginprecedence of the passwd_modify_extop is 50 (default value) +# +# IPA delivers ipa_pwd_extop plugin to handle that extended op +# we need to make sure ipa_pwd_extop is called and so to set a lower +# precedence value +add:nsslapd-pluginprecedence: 49 diff --git a/install/updates/10-schema_compat.update b/install/updates/10-schema_compat.update index 2d257a3..e4c257d 100644 ---
Re: [Freeipa-devel] [PATCH] 0019 - 2 ipapwd_extop should take precedence over default DS plugin
On Thu, 16 Jun 2016, thierry bordaz wrote: The version DS 1.3.5.6 is now available. Here is the second version of the patch taking into account lower precedence for Schema Compat On 06/13/2016 06:01 PM, Alexander Bokovoy wrote: On Mon, 13 Jun 2016, thierry bordaz wrote: On 06/13/2016 04:57 PM, Alexander Bokovoy wrote: On Mon, 13 Jun 2016, thierry bordaz wrote: This is the fix for https://fedorahosted.org/freeipa/ticket/5944 From 2838fbfc7a22b9bc0c1c4dfaf3660d1ac7099461 Mon Sep 17 00:00:00 2001 From: Thierry BordazDate: Wed, 8 Jun 2016 14:03:42 +0200 Subject: [PATCH] Make sure ipapwd_extop takes precedence over passwd_modify_extop DS core server provides a default plugin (passwd_modify_extop) to handle 1.3.6.1.4.1.4203.1.11.1 extended op (https://www.ietf.org/rfc/rfc3062.txt) IPA delivers ipa_pwd_extop plugin that should take precedence over the default DS plugin (passwd_modify_extop) --- install/updates/10-ipapwd.update | 9 + 1 file changed, 9 insertions(+) create mode 100644 install/updates/10-ipapwd.update diff --git a/install/updates/10-ipapwd.update b/install/updates/10-ipapwd.update new file mode 100644 index 000..d9bffa2 --- /dev/null +++ b/install/updates/10-ipapwd.update @@ -0,0 +1,9 @@ +dn: cn=ipa_pwd_extop,cn=plugins,cn=config +# DS core server provides a default plugin (passwd_modify_extop) to handle +# 1.3.6.1.4.1.4203.1.11.1 extended op (https://www.ietf.org/rfc/rfc3062.txt) +# the pluginprecedence of the passwd_modify_extop is 50 (default value) +# +# IPA delivers ipa_pwd_extop plugin to handle that extended op +# we need to make sure ipa_pwd_extop is called and so to set a lower +# precedence value +add:nsslapd-pluginprecedence: 49 Here is the problem: slapi-nis is 49 as well and it should be before ipa_pwd_extop. You need to update install/share/schema_compat.uldif and install/updates/10-schema_compat.update to get slapi-nis before ipa_pwd_extop. ipapwd_plugin registers extendedop callback but slapi-nis does not. So I do not think they will "fight" for precedence. Even if slapi-nis register perextendedop they will be on different lists and it should not create any issue. Now I understand that slapi-nis must run with a precedence that should be lower than most of the others plugins. Currently it is 49, are you ok with a value like 40 ? I'm OK with 40, yes. The precedence applies to all callbacks, not just to preextendedop, so a BIND callback would be affected too. You also need to make sure we depend on the updated 389-ds-base package version. Good ! Now with this dependency we should wait for 389-ds 1.3.5.5 to be available, I will resend the review when it will be available. Yep, thanks. From 81af4f17deca1814851429a054804b5bc9f63491 Mon Sep 17 00:00:00 2001 From: Thierry Bordaz Date: Thu, 16 Jun 2016 16:28:03 +0200 Subject: [PATCH] Make sure ipapwd_extop takes precedence over passwd_modify_extop DS core server provides a default plugin (passwd_modify_extop) to handle 1.3.6.1.4.1.4203.1.11.1 extended op (https://www.ietf.org/rfc/rfc3062.txt) IPA delivers ipa_pwd_extop plugin that should take precedence over the default DS plugin (passwd_modify_extop) In addition make sure that slapi-nis has a low precedence --- install/share/schema_compat.uldif | 2 +- install/updates/10-ipapwd.update| 9 + install/updates/10-schema_compat.update | 2 +- 3 files changed, 11 insertions(+), 2 deletions(-) create mode 100644 install/updates/10-ipapwd.update diff --git a/install/share/schema_compat.uldif b/install/share/schema_compat.uldif index a3d412f..66f8ea1 100644 --- a/install/share/schema_compat.uldif +++ b/install/share/schema_compat.uldif @@ -16,7 +16,7 @@ default:nsslapd-pluginid: schema-compat-plugin # We need to run schema-compat pre-bind callback before # other IPA pre-bind callbacks to make sure bind DN is # rewritten to the original entry if needed -default:nsslapd-pluginprecedence: 49 +default:nsslapd-pluginprecedence: 40 default:nsslapd-pluginversion: 0.8 default:nsslapd-pluginbetxn: on default:nsslapd-pluginvendor: redhat.com diff --git a/install/updates/10-ipapwd.update b/install/updates/10-ipapwd.update new file mode 100644 index 000..d9bffa2 --- /dev/null +++ b/install/updates/10-ipapwd.update @@ -0,0 +1,9 @@ +dn: cn=ipa_pwd_extop,cn=plugins,cn=config +# DS core server provides a default plugin (passwd_modify_extop) to handle +# 1.3.6.1.4.1.4203.1.11.1 extended op (https://www.ietf.org/rfc/rfc3062.txt) +# the pluginprecedence of the passwd_modify_extop is 50 (default value) +# +# IPA delivers ipa_pwd_extop plugin to handle that extended op +# we need to make sure ipa_pwd_extop is called and so to set a lower +# precedence value +add:nsslapd-pluginprecedence: 49 diff --git a/install/updates/10-schema_compat.update b/install/updates/10-schema_compat.update index 2d257a3..e4c257d 100644 --- a/install/updates/10-schema_compat.update +++
Re: [Freeipa-devel] [PATCH] 0019 - 2 ipapwd_extop should take precedence over default DS plugin
The version DS 1.3.5.6 is now available. Here is the second version of the patch taking into account lower precedence for Schema Compat On 06/13/2016 06:01 PM, Alexander Bokovoy wrote: On Mon, 13 Jun 2016, thierry bordaz wrote: On 06/13/2016 04:57 PM, Alexander Bokovoy wrote: On Mon, 13 Jun 2016, thierry bordaz wrote: This is the fix for https://fedorahosted.org/freeipa/ticket/5944 From 2838fbfc7a22b9bc0c1c4dfaf3660d1ac7099461 Mon Sep 17 00:00:00 2001 From: Thierry BordazDate: Wed, 8 Jun 2016 14:03:42 +0200 Subject: [PATCH] Make sure ipapwd_extop takes precedence over passwd_modify_extop DS core server provides a default plugin (passwd_modify_extop) to handle 1.3.6.1.4.1.4203.1.11.1 extended op (https://www.ietf.org/rfc/rfc3062.txt) IPA delivers ipa_pwd_extop plugin that should take precedence over the default DS plugin (passwd_modify_extop) --- install/updates/10-ipapwd.update | 9 + 1 file changed, 9 insertions(+) create mode 100644 install/updates/10-ipapwd.update diff --git a/install/updates/10-ipapwd.update b/install/updates/10-ipapwd.update new file mode 100644 index 000..d9bffa2 --- /dev/null +++ b/install/updates/10-ipapwd.update @@ -0,0 +1,9 @@ +dn: cn=ipa_pwd_extop,cn=plugins,cn=config +# DS core server provides a default plugin (passwd_modify_extop) to handle +# 1.3.6.1.4.1.4203.1.11.1 extended op (https://www.ietf.org/rfc/rfc3062.txt) +# the pluginprecedence of the passwd_modify_extop is 50 (default value) +# +# IPA delivers ipa_pwd_extop plugin to handle that extended op +# we need to make sure ipa_pwd_extop is called and so to set a lower +# precedence value +add:nsslapd-pluginprecedence: 49 Here is the problem: slapi-nis is 49 as well and it should be before ipa_pwd_extop. You need to update install/share/schema_compat.uldif and install/updates/10-schema_compat.update to get slapi-nis before ipa_pwd_extop. ipapwd_plugin registers extendedop callback but slapi-nis does not. So I do not think they will "fight" for precedence. Even if slapi-nis register perextendedop they will be on different lists and it should not create any issue. Now I understand that slapi-nis must run with a precedence that should be lower than most of the others plugins. Currently it is 49, are you ok with a value like 40 ? I'm OK with 40, yes. The precedence applies to all callbacks, not just to preextendedop, so a BIND callback would be affected too. You also need to make sure we depend on the updated 389-ds-base package version. Good ! Now with this dependency we should wait for 389-ds 1.3.5.5 to be available, I will resend the review when it will be available. Yep, thanks. >From 81af4f17deca1814851429a054804b5bc9f63491 Mon Sep 17 00:00:00 2001 From: Thierry Bordaz Date: Thu, 16 Jun 2016 16:28:03 +0200 Subject: [PATCH] Make sure ipapwd_extop takes precedence over passwd_modify_extop DS core server provides a default plugin (passwd_modify_extop) to handle 1.3.6.1.4.1.4203.1.11.1 extended op (https://www.ietf.org/rfc/rfc3062.txt) IPA delivers ipa_pwd_extop plugin that should take precedence over the default DS plugin (passwd_modify_extop) In addition make sure that slapi-nis has a low precedence --- install/share/schema_compat.uldif | 2 +- install/updates/10-ipapwd.update| 9 + install/updates/10-schema_compat.update | 2 +- 3 files changed, 11 insertions(+), 2 deletions(-) create mode 100644 install/updates/10-ipapwd.update diff --git a/install/share/schema_compat.uldif b/install/share/schema_compat.uldif index a3d412f..66f8ea1 100644 --- a/install/share/schema_compat.uldif +++ b/install/share/schema_compat.uldif @@ -16,7 +16,7 @@ default:nsslapd-pluginid: schema-compat-plugin # We need to run schema-compat pre-bind callback before # other IPA pre-bind callbacks to make sure bind DN is # rewritten to the original entry if needed -default:nsslapd-pluginprecedence: 49 +default:nsslapd-pluginprecedence: 40 default:nsslapd-pluginversion: 0.8 default:nsslapd-pluginbetxn: on default:nsslapd-pluginvendor: redhat.com diff --git a/install/updates/10-ipapwd.update b/install/updates/10-ipapwd.update new file mode 100644 index 000..d9bffa2 --- /dev/null +++ b/install/updates/10-ipapwd.update @@ -0,0 +1,9 @@ +dn: cn=ipa_pwd_extop,cn=plugins,cn=config +# DS core server provides a default plugin (passwd_modify_extop) to handle +# 1.3.6.1.4.1.4203.1.11.1 extended op (https://www.ietf.org/rfc/rfc3062.txt) +# the pluginprecedence of the passwd_modify_extop is 50 (default value) +# +# IPA delivers ipa_pwd_extop plugin to handle that extended op +# we need to make sure ipa_pwd_extop is called and so to set a lower +# precedence value +add:nsslapd-pluginprecedence: 49 diff --git a/install/updates/10-schema_compat.update b/install/updates/10-schema_compat.update index 2d257a3..e4c257d 100644 --- a/install/updates/10-schema_compat.update +++ b/install/updates/10-schema_compat.update @@ -74,7 +74,7 @@ dn: