Re: [Freeipa-devel] [PATCH] 0019 - 2 ipapwd_extop should take precedence over default DS plugin

[Alexander Bokovoy]

On Thu, 16 Jun 2016, thierry bordaz wrote:

From 81af4f17deca1814851429a054804b5bc9f63491 Mon Sep 17 00:00:00 2001
From: Thierry Bordaz 
Date: Thu, 16 Jun 2016 16:28:03 +0200
Subject: [PATCH] Make sure ipapwd_extop takes precedence over
passwd_modify_extop

DS core server provides a default plugin (passwd_modify_extop) to handle
1.3.6.1.4.1.4203.1.11.1 extended op (https://www.ietf.org/rfc/rfc3062.txt)

IPA delivers ipa_pwd_extop plugin that should take precedence over
the default DS plugin (passwd_modify_extop)

In addition make sure that slapi-nis has a low precedence
---
install/share/schema_compat.uldif   | 2 +-
install/updates/10-ipapwd.update| 9 +
install/updates/10-schema_compat.update | 2 +-
3 files changed, 11 insertions(+), 2 deletions(-)
create mode 100644 install/updates/10-ipapwd.update

diff --git a/install/share/schema_compat.uldif 
b/install/share/schema_compat.uldif
index a3d412f..66f8ea1 100644
--- a/install/share/schema_compat.uldif
+++ b/install/share/schema_compat.uldif
@@ -16,7 +16,7 @@ default:nsslapd-pluginid: schema-compat-plugin
# We need to run schema-compat pre-bind callback before
# other IPA pre-bind callbacks to make sure bind DN is
# rewritten to the original entry if needed
-default:nsslapd-pluginprecedence: 49
+default:nsslapd-pluginprecedence: 40
default:nsslapd-pluginversion: 0.8
default:nsslapd-pluginbetxn: on
default:nsslapd-pluginvendor: redhat.com
diff --git a/install/updates/10-ipapwd.update b/install/updates/10-ipapwd.update
new file mode 100644
index 000..d9bffa2
--- /dev/null
+++ b/install/updates/10-ipapwd.update
@@ -0,0 +1,9 @@
+dn: cn=ipa_pwd_extop,cn=plugins,cn=config
+# DS core server provides a default plugin (passwd_modify_extop) to handle
+# 1.3.6.1.4.1.4203.1.11.1 extended op (https://www.ietf.org/rfc/rfc3062.txt)
+# the pluginprecedence of the passwd_modify_extop is 50 (default value)
+#
+# IPA delivers ipa_pwd_extop plugin to handle that extended op
+# we need to make sure ipa_pwd_extop is called and so to set a lower
+# precedence value
+add:nsslapd-pluginprecedence: 49
diff --git a/install/updates/10-schema_compat.update 
b/install/updates/10-schema_compat.update
index 2d257a3..e4c257d 100644
--- a/install/updates/10-schema_compat.update
+++ b/install/updates/10-schema_compat.update
@@ -74,7 +74,7 @@ dn: cn=Schema Compatibility,cn=plugins,cn=config
# We need to run schema-compat pre-bind callback before
# other IPA pre-bind callbacks to make sure bind DN is
# rewritten to the original entry if needed
-add:nsslapd-pluginprecedence: 49
+add:nsslapd-pluginprecedence: 40

dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
add:schema-compat-entry-attribute: 
%ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","")
--
2.5.0


ACK. A build override with 389-ds-base 1.3.5.6-1.fc24 is also created.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] 0019 - 2 ipapwd_extop should take precedence over default DS plugin

[Martin Basti]

On 16.06.2016 22:29, Alexander Bokovoy wrote:

On Thu, 16 Jun 2016, thierry bordaz wrote:
The version DS 1.3.5.6 is now available. Here is the second version 
of the patch taking into account lower precedence for Schema Compat




On 06/13/2016 06:01 PM, Alexander Bokovoy wrote:

On Mon, 13 Jun 2016, thierry bordaz wrote:



On 06/13/2016 04:57 PM, Alexander Bokovoy wrote:

On Mon, 13 Jun 2016, thierry bordaz wrote:

This is the fix for https://fedorahosted.org/freeipa/ticket/5944


From 2838fbfc7a22b9bc0c1c4dfaf3660d1ac7099461 Mon Sep 17 
00:00:00 2001

From: Thierry Bordaz 
Date: Wed, 8 Jun 2016 14:03:42 +0200
Subject: [PATCH] Make sure ipapwd_extop takes precedence over
passwd_modify_extop

DS core server provides a default plugin (passwd_modify_extop) to 
handle
1.3.6.1.4.1.4203.1.11.1 extended op 
(https://www.ietf.org/rfc/rfc3062.txt)


IPA delivers ipa_pwd_extop plugin that should take precedence over
the default DS plugin (passwd_modify_extop)
---
install/updates/10-ipapwd.update | 9 +
1 file changed, 9 insertions(+)
create mode 100644 install/updates/10-ipapwd.update

diff --git a/install/updates/10-ipapwd.update 
b/install/updates/10-ipapwd.update

new file mode 100644
index 000..d9bffa2
--- /dev/null
+++ b/install/updates/10-ipapwd.update
@@ -0,0 +1,9 @@
+dn: cn=ipa_pwd_extop,cn=plugins,cn=config
+# DS core server provides a default plugin (passwd_modify_extop) 
to handle
+# 1.3.6.1.4.1.4203.1.11.1 extended op 
(https://www.ietf.org/rfc/rfc3062.txt)
+# the pluginprecedence of the passwd_modify_extop is 50 (default 
value)

+#
+# IPA delivers ipa_pwd_extop plugin to handle that extended op
+# we need to make sure ipa_pwd_extop is called and so to set a 
lower

+# precedence value
+add:nsslapd-pluginprecedence: 49

Here is the problem: slapi-nis is 49 as well and it should be before
ipa_pwd_extop.

You need to update install/share/schema_compat.uldif and
install/updates/10-schema_compat.update to get slapi-nis before
ipa_pwd_extop.
ipapwd_plugin registers extendedop callback but slapi-nis does not. 
So I do not think they will "fight" for precedence.
Even if slapi-nis register perextendedop they will be on different 
lists and it should not create any issue.


Now I understand that slapi-nis must run with a precedence that 
should be lower than most of the others plugins. Currently it is 
49, are you ok with a value like 40 ?

I'm OK with 40, yes. The precedence applies to all callbacks, not just
to preextendedop, so a BIND callback would be affected too.

You also need to make sure we depend on the updated 389-ds-base 
package

version.


Good !
Now with this dependency we should wait for 389-ds 1.3.5.5 to be 
available, I will resend the review when it will be available.

Yep, thanks.






From 81af4f17deca1814851429a054804b5bc9f63491 Mon Sep 17 00:00:00 2001
From: Thierry Bordaz 
Date: Thu, 16 Jun 2016 16:28:03 +0200
Subject: [PATCH] Make sure ipapwd_extop takes precedence over
passwd_modify_extop

DS core server provides a default plugin (passwd_modify_extop) to handle
1.3.6.1.4.1.4203.1.11.1 extended op 
(https://www.ietf.org/rfc/rfc3062.txt)


IPA delivers ipa_pwd_extop plugin that should take precedence over
the default DS plugin (passwd_modify_extop)

In addition make sure that slapi-nis has a low precedence
---
install/share/schema_compat.uldif   | 2 +-
install/updates/10-ipapwd.update| 9 +
install/updates/10-schema_compat.update | 2 +-
3 files changed, 11 insertions(+), 2 deletions(-)
create mode 100644 install/updates/10-ipapwd.update

diff --git a/install/share/schema_compat.uldif 
b/install/share/schema_compat.uldif

index a3d412f..66f8ea1 100644
--- a/install/share/schema_compat.uldif
+++ b/install/share/schema_compat.uldif
@@ -16,7 +16,7 @@ default:nsslapd-pluginid: schema-compat-plugin
# We need to run schema-compat pre-bind callback before
# other IPA pre-bind callbacks to make sure bind DN is
# rewritten to the original entry if needed
-default:nsslapd-pluginprecedence: 49
+default:nsslapd-pluginprecedence: 40
default:nsslapd-pluginversion: 0.8
default:nsslapd-pluginbetxn: on
default:nsslapd-pluginvendor: redhat.com
diff --git a/install/updates/10-ipapwd.update 
b/install/updates/10-ipapwd.update

new file mode 100644
index 000..d9bffa2
--- /dev/null
+++ b/install/updates/10-ipapwd.update
@@ -0,0 +1,9 @@
+dn: cn=ipa_pwd_extop,cn=plugins,cn=config
+# DS core server provides a default plugin (passwd_modify_extop) to 
handle
+# 1.3.6.1.4.1.4203.1.11.1 extended op 
(https://www.ietf.org/rfc/rfc3062.txt)

+# the pluginprecedence of the passwd_modify_extop is 50 (default value)
+#
+# IPA delivers ipa_pwd_extop plugin to handle that extended op
+# we need to make sure ipa_pwd_extop is called and so to set a lower
+# precedence value
+add:nsslapd-pluginprecedence: 49
diff --git a/install/updates/10-schema_compat.update 
b/install/updates/10-schema_compat.update

index 2d257a3..e4c257d 100644
--- 

Re: [Freeipa-devel] [PATCH] 0019 - 2 ipapwd_extop should take precedence over default DS plugin

[Alexander Bokovoy]

On Thu, 16 Jun 2016, thierry bordaz wrote:
The version DS 1.3.5.6 is now available. Here is the second version of 
the patch taking into account lower precedence for Schema Compat




On 06/13/2016 06:01 PM, Alexander Bokovoy wrote:

On Mon, 13 Jun 2016, thierry bordaz wrote:



On 06/13/2016 04:57 PM, Alexander Bokovoy wrote:

On Mon, 13 Jun 2016, thierry bordaz wrote:

This is the fix for https://fedorahosted.org/freeipa/ticket/5944


From 2838fbfc7a22b9bc0c1c4dfaf3660d1ac7099461 Mon Sep 17 
00:00:00 2001

From: Thierry Bordaz 
Date: Wed, 8 Jun 2016 14:03:42 +0200
Subject: [PATCH] Make sure ipapwd_extop takes precedence over
passwd_modify_extop

DS core server provides a default plugin (passwd_modify_extop) 
to handle
1.3.6.1.4.1.4203.1.11.1 extended op 
(https://www.ietf.org/rfc/rfc3062.txt)


IPA delivers ipa_pwd_extop plugin that should take precedence over
the default DS plugin (passwd_modify_extop)
---
install/updates/10-ipapwd.update | 9 +
1 file changed, 9 insertions(+)
create mode 100644 install/updates/10-ipapwd.update

diff --git a/install/updates/10-ipapwd.update 
b/install/updates/10-ipapwd.update

new file mode 100644
index 000..d9bffa2
--- /dev/null
+++ b/install/updates/10-ipapwd.update
@@ -0,0 +1,9 @@
+dn: cn=ipa_pwd_extop,cn=plugins,cn=config
+# DS core server provides a default plugin 
(passwd_modify_extop) to handle
+# 1.3.6.1.4.1.4203.1.11.1 extended op 
(https://www.ietf.org/rfc/rfc3062.txt)
+# the pluginprecedence of the passwd_modify_extop is 50 
(default value)

+#
+# IPA delivers ipa_pwd_extop plugin to handle that extended op
+# we need to make sure ipa_pwd_extop is called and so to set a lower
+# precedence value
+add:nsslapd-pluginprecedence: 49

Here is the problem: slapi-nis is 49 as well and it should be before
ipa_pwd_extop.

You need to update install/share/schema_compat.uldif and
install/updates/10-schema_compat.update to get slapi-nis before
ipa_pwd_extop.
ipapwd_plugin registers extendedop callback but slapi-nis does 
not. So I do not think they will "fight" for precedence.
Even if slapi-nis register perextendedop they will be on different 
lists and it should not create any issue.


Now I understand that slapi-nis must run with a precedence that 
should be lower than most of the others plugins. Currently it is 
49, are you ok with a value like 40 ?

I'm OK with 40, yes. The precedence applies to all callbacks, not just
to preextendedop, so a BIND callback would be affected too.


You also need to make sure we depend on the updated 389-ds-base package
version.


Good !
Now with this dependency we should wait for 389-ds 1.3.5.5 to be 
available, I will resend the review when it will be available.

Yep, thanks.






From 81af4f17deca1814851429a054804b5bc9f63491 Mon Sep 17 00:00:00 2001
From: Thierry Bordaz 
Date: Thu, 16 Jun 2016 16:28:03 +0200
Subject: [PATCH] Make sure ipapwd_extop takes precedence over
passwd_modify_extop

DS core server provides a default plugin (passwd_modify_extop) to handle
1.3.6.1.4.1.4203.1.11.1 extended op (https://www.ietf.org/rfc/rfc3062.txt)

IPA delivers ipa_pwd_extop plugin that should take precedence over
the default DS plugin (passwd_modify_extop)

In addition make sure that slapi-nis has a low precedence
---
install/share/schema_compat.uldif   | 2 +-
install/updates/10-ipapwd.update| 9 +
install/updates/10-schema_compat.update | 2 +-
3 files changed, 11 insertions(+), 2 deletions(-)
create mode 100644 install/updates/10-ipapwd.update

diff --git a/install/share/schema_compat.uldif 
b/install/share/schema_compat.uldif
index a3d412f..66f8ea1 100644
--- a/install/share/schema_compat.uldif
+++ b/install/share/schema_compat.uldif
@@ -16,7 +16,7 @@ default:nsslapd-pluginid: schema-compat-plugin
# We need to run schema-compat pre-bind callback before
# other IPA pre-bind callbacks to make sure bind DN is
# rewritten to the original entry if needed
-default:nsslapd-pluginprecedence: 49
+default:nsslapd-pluginprecedence: 40
default:nsslapd-pluginversion: 0.8
default:nsslapd-pluginbetxn: on
default:nsslapd-pluginvendor: redhat.com
diff --git a/install/updates/10-ipapwd.update b/install/updates/10-ipapwd.update
new file mode 100644
index 000..d9bffa2
--- /dev/null
+++ b/install/updates/10-ipapwd.update
@@ -0,0 +1,9 @@
+dn: cn=ipa_pwd_extop,cn=plugins,cn=config
+# DS core server provides a default plugin (passwd_modify_extop) to handle
+# 1.3.6.1.4.1.4203.1.11.1 extended op (https://www.ietf.org/rfc/rfc3062.txt)
+# the pluginprecedence of the passwd_modify_extop is 50 (default value)
+#
+# IPA delivers ipa_pwd_extop plugin to handle that extended op
+# we need to make sure ipa_pwd_extop is called and so to set a lower
+# precedence value
+add:nsslapd-pluginprecedence: 49
diff --git a/install/updates/10-schema_compat.update 
b/install/updates/10-schema_compat.update
index 2d257a3..e4c257d 100644
--- a/install/updates/10-schema_compat.update
+++ 

Re: [Freeipa-devel] [PATCH] 0019 - 2 ipapwd_extop should take precedence over default DS plugin

[thierry bordaz]

The version DS 1.3.5.6 is now available. Here is the second version of 
the patch taking into account lower precedence for Schema Compat




On 06/13/2016 06:01 PM, Alexander Bokovoy wrote:

On Mon, 13 Jun 2016, thierry bordaz wrote:



On 06/13/2016 04:57 PM, Alexander Bokovoy wrote:

On Mon, 13 Jun 2016, thierry bordaz wrote:

This is the fix for https://fedorahosted.org/freeipa/ticket/5944


From 2838fbfc7a22b9bc0c1c4dfaf3660d1ac7099461 Mon Sep 17 00:00:00 
2001

From: Thierry Bordaz 
Date: Wed, 8 Jun 2016 14:03:42 +0200
Subject: [PATCH] Make sure ipapwd_extop takes precedence over
passwd_modify_extop

DS core server provides a default plugin (passwd_modify_extop) to 
handle
1.3.6.1.4.1.4203.1.11.1 extended op 
(https://www.ietf.org/rfc/rfc3062.txt)


IPA delivers ipa_pwd_extop plugin that should take precedence over
the default DS plugin (passwd_modify_extop)
---
install/updates/10-ipapwd.update | 9 +
1 file changed, 9 insertions(+)
create mode 100644 install/updates/10-ipapwd.update

diff --git a/install/updates/10-ipapwd.update 
b/install/updates/10-ipapwd.update

new file mode 100644
index 000..d9bffa2
--- /dev/null
+++ b/install/updates/10-ipapwd.update
@@ -0,0 +1,9 @@
+dn: cn=ipa_pwd_extop,cn=plugins,cn=config
+# DS core server provides a default plugin (passwd_modify_extop) 
to handle
+# 1.3.6.1.4.1.4203.1.11.1 extended op 
(https://www.ietf.org/rfc/rfc3062.txt)
+# the pluginprecedence of the passwd_modify_extop is 50 (default 
value)

+#
+# IPA delivers ipa_pwd_extop plugin to handle that extended op
+# we need to make sure ipa_pwd_extop is called and so to set a lower
+# precedence value
+add:nsslapd-pluginprecedence: 49

Here is the problem: slapi-nis is 49 as well and it should be before
ipa_pwd_extop.

You need to update install/share/schema_compat.uldif and
install/updates/10-schema_compat.update to get slapi-nis before
ipa_pwd_extop.
ipapwd_plugin registers extendedop callback but slapi-nis does not. 
So I do not think they will "fight" for precedence.
Even if slapi-nis register perextendedop they will be on different 
lists and it should not create any issue.


Now I understand that slapi-nis must run with a precedence that 
should be lower than most of the others plugins. Currently it is 49, 
are you ok with a value like 40 ?

I'm OK with 40, yes. The precedence applies to all callbacks, not just
to preextendedop, so a BIND callback would be affected too.


You also need to make sure we depend on the updated 389-ds-base package
version.


Good !
Now with this dependency we should wait for 389-ds 1.3.5.5 to be 
available, I will resend the review when it will be available.

Yep, thanks.



>From 81af4f17deca1814851429a054804b5bc9f63491 Mon Sep 17 00:00:00 2001
From: Thierry Bordaz 
Date: Thu, 16 Jun 2016 16:28:03 +0200
Subject: [PATCH] Make sure ipapwd_extop takes precedence over
 passwd_modify_extop

DS core server provides a default plugin (passwd_modify_extop) to handle
1.3.6.1.4.1.4203.1.11.1 extended op (https://www.ietf.org/rfc/rfc3062.txt)

IPA delivers ipa_pwd_extop plugin that should take precedence over
the default DS plugin (passwd_modify_extop)

In addition make sure that slapi-nis has a low precedence
---
 install/share/schema_compat.uldif   | 2 +-
 install/updates/10-ipapwd.update| 9 +
 install/updates/10-schema_compat.update | 2 +-
 3 files changed, 11 insertions(+), 2 deletions(-)
 create mode 100644 install/updates/10-ipapwd.update

diff --git a/install/share/schema_compat.uldif b/install/share/schema_compat.uldif
index a3d412f..66f8ea1 100644
--- a/install/share/schema_compat.uldif
+++ b/install/share/schema_compat.uldif
@@ -16,7 +16,7 @@ default:nsslapd-pluginid: schema-compat-plugin
 # We need to run schema-compat pre-bind callback before
 # other IPA pre-bind callbacks to make sure bind DN is
 # rewritten to the original entry if needed
-default:nsslapd-pluginprecedence: 49
+default:nsslapd-pluginprecedence: 40
 default:nsslapd-pluginversion: 0.8
 default:nsslapd-pluginbetxn: on
 default:nsslapd-pluginvendor: redhat.com
diff --git a/install/updates/10-ipapwd.update b/install/updates/10-ipapwd.update
new file mode 100644
index 000..d9bffa2
--- /dev/null
+++ b/install/updates/10-ipapwd.update
@@ -0,0 +1,9 @@
+dn: cn=ipa_pwd_extop,cn=plugins,cn=config
+# DS core server provides a default plugin (passwd_modify_extop) to handle
+# 1.3.6.1.4.1.4203.1.11.1 extended op (https://www.ietf.org/rfc/rfc3062.txt)
+# the pluginprecedence of the passwd_modify_extop is 50 (default value)
+#
+# IPA delivers ipa_pwd_extop plugin to handle that extended op
+# we need to make sure ipa_pwd_extop is called and so to set a lower
+# precedence value
+add:nsslapd-pluginprecedence: 49
diff --git a/install/updates/10-schema_compat.update b/install/updates/10-schema_compat.update
index 2d257a3..e4c257d 100644
--- a/install/updates/10-schema_compat.update
+++ b/install/updates/10-schema_compat.update
@@ -74,7 +74,7 @@ dn: