Re: [Freeipa-devel] [PATCH] 1087 Some missing v3 schema on upgrades
On 02/22/2013 01:36 PM, Martin Kosek wrote:

On 02/18/2013 10:00 PM, Rob Crittenden wrote:

An objectclass and attribute are not being added on upgrades. Missing these causes the UI to not work. I also noticed a typo in the ordering of a number of the trust attributes so fix those as well.

rob

ACK, works for me.

Pushed to master, ipa-3-1.

Martin

I just noticed an issue with the ORDERING in dirsrv errors log:

[26/Feb/2013:09:47:37 -0500] attr_syntax_create - Error: the ORDERING matching rule [caseIgnoreIA5OrderingMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.26] for the attribute [ipaNTSecurityIdentifier]
[26/Feb/2013:09:47:37 -0500] attr_syntax_create - Error: the ORDERING matching rule [caseIgnoreIA5OrderingMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.26] for the attribute [ipaNTTrustedDomainSID]
[26/Feb/2013:09:47:37 -0500] attr_syntax_create - Error: the ORDERING matching rule [caseIgnoreIA5OrderingMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.26] for the attribute [ipaNTDomainGUID]

Reopening the ticket.

Martin

___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 1087 Some missing v3 schema on upgrades
On 02/18/2013 10:00 PM, Rob Crittenden wrote:

An objectclass and attribute are not being added on upgrades. Missing these causes the UI to not work. I also noticed a typo in the ordering of a number of the trust attributes so fix those as well.

rob

ACK, works for me.

Pushed to master, ipa-3-1.

Martin
Re: [Freeipa-devel] [PATCH] 1087 Some missing v3 schema on upgrades
On 02/19/2013 08:23 PM, Simo Sorce wrote:

On Tue, 2013-02-19 at 13:32 -0500, Rob Crittenden wrote:

Jan Cholasta wrote:

Hi,

On 18.2.2013 22:00, Rob Crittenden wrote:

An objectclass and attribute are not being added on upgrades. Missing these causes the UI to not work. I also noticed a typo in the ordering of a number of the trust attributes so fix those as well.

rob

The patch looks good, but I think errors like this will pop up from time to time, because we have to maintain the same thing in two places - the installation LDIFs and update files. Maybe we should start thinking about merging these two somehow, e.g. using the LDIFs for both installation and updates, with directives for the updater in specially formatted comments.

Honza

This idea came up long, long ago when we first added the updater very early in v2. The problem, as I recall, is that some schema is needed during the install so we need to ship it in ldif format, and the idea of splitting it didn't appeal to us.

So perhaps what we should endeavor to do is add all new schema via updates and only update the schema files themselves if the schema is needed for a fresh install (since updates are done last). This also puts more schema into 99user.ldif which may or may not be desirable.

Ron another option is to keep putting all updates only in schema files, and then have the updater validate the schema files. Validation would be:

1. Download schema from server (we already do this in the framework so it comes for free)
2. parse the schema files and check if each attribute and objectclass is present and in the correct form.
3. if any attribute is missing, we add it
4. if any attribute has been changed, we change it
5. same for object classes.

This would allow us to keep everything just in schema files, and for now only updates would end up in 99.ldif.

I know there is also work in 389ds to improve schema validation and handling, so there is a chance in future we will have online interfaces to put data in multiple files w/o lumping everything in 99.ldif.

So by keeping stuff in schema files rather than arbitrary update files we are also sort of future proof. Finally keeping data in schema files instead of spreading it in updates should make it easier to keep an eye on the whole schema.

The main issue I see is that this approach needs new code to analyze and compare schema files, however that shouldn't be overly hard.

Simo.

I think this is a great idea. Having schema updates on 2 or more separate spaces is error prone. attributeTypes or objectClasses update files may be confusing as we often have 2 and more replace: directives when we update objectClasses or attributeTypes more than one time.

As for the LDIF file parsing, we could also use python-ldap's convenience classes which will make the comparing easier.

I created a ticket to address this effort: https://fedorahosted.org/freeipa/ticket/3454

Martin
Re: [Freeipa-devel] [PATCH] 1087 Some missing v3 schema on upgrades
Hi,

On 18.2.2013 22:00, Rob Crittenden wrote:

An objectclass and attribute are not being added on upgrades. Missing these causes the UI to not work. I also noticed a typo in the ordering of a number of the trust attributes so fix those as well.

rob

The patch looks good, but I think errors like this will pop up from time to time, because we have to maintain the same thing in two places - the installation LDIFs and update files. Maybe we should start thinking about merging these two somehow, e.g. using the LDIFs for both installation and updates, with directives for the updater in specially formatted comments.

Honza

--
Jan Cholasta
Re: [Freeipa-devel] [PATCH] 1087 Some missing v3 schema on upgrades
Jan Cholasta wrote:

Hi,

On 18.2.2013 22:00, Rob Crittenden wrote:

An objectclass and attribute are not being added on upgrades. Missing these causes the UI to not work. I also noticed a typo in the ordering of a number of the trust attributes so fix those as well.

rob

The patch looks good, but I think errors like this will pop up from time to time, because we have to maintain the same thing in two places - the installation LDIFs and update files. Maybe we should start thinking about merging these two somehow, e.g. using the LDIFs for both installation and updates, with directives for the updater in specially formatted comments.

Honza

This idea came up long, long ago when we first added the updater very early in v2. The problem, as I recall, is that some schema is needed during the install so we need to ship it in ldif format, and the idea of splitting it didn't appeal to us.

So perhaps what we should endeavor to do is add all new schema via updates and only update the schema files themselves if the schema is needed for a fresh install (since updates are done last). This also puts more schema into 99user.ldif which may or may not be desirable.

rob
Re: [Freeipa-devel] [PATCH] 1087 Some missing v3 schema on upgrades
On Tue, 2013-02-19 at 13:32 -0500, Rob Crittenden wrote:

Jan Cholasta wrote:

Hi,

On 18.2.2013 22:00, Rob Crittenden wrote:

An objectclass and attribute are not being added on upgrades. Missing these causes the UI to not work. I also noticed a typo in the ordering of a number of the trust attributes so fix those as well.

rob

The patch looks good, but I think errors like this will pop up from time to time, because we have to maintain the same thing in two places - the installation LDIFs and update files. Maybe we should start thinking about merging these two somehow, e.g. using the LDIFs for both installation and updates, with directives for the updater in specially formatted comments.

Honza

This idea came up long, long ago when we first added the updater very early in v2. The problem, as I recall, is that some schema is needed during the install so we need to ship it in ldif format, and the idea of splitting it didn't appeal to us.

So perhaps what we should endeavor to do is add all new schema via updates and only update the schema files themselves if the schema is needed for a fresh install (since updates are done last). This also puts more schema into 99user.ldif which may or may not be desirable.

Ron another option is to keep putting all updates only in schema files, and then have the updater validate the schema files. Validation would be:

1. Download schema from server (we already do this in the framework so it comes for free)
2. parse the schema files and check if each attribute and objectclass is present and in the correct form.
3. if any attribute is missing, we add it
4. if any attribute has been changed, we change it
5. same for object classes.

This would allow us to keep everything just in schema files, and for now only updates would end up in 99.ldif.

I know there is also work in 389ds to improve schema validation and handling, so there is a chance in future we will have online interfaces to put data in multiple files w/o lumping everything in 99.ldif.

So by keeping stuff in schema files rather than arbitrary update files we are also sort of future proof. Finally keeping data in schema files instead of spreading it in updates should make it easier to keep an eye on the whole schema.

The main issue I see is that this approach needs new code to analyze and compare schema files, however that shouldn't be overly hard.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
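The validation steps listed in the message above (take the server's schema, parse the schema files, add what is missing, replace what changed), sketched for attributeTypes as an added example that is not FreeIPA's updater code. `parse_attr` and `diff_schema` are hypothetical names, the parser is a simplified hand-written one, and the server-side list is constructed sample data built from definitions in the patch on this page; a definition with an unrecognised keyword such as OREDRING is reported instead of being applied.

```python
import re

FLAGS = {"OBSOLETE", "SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION"}
VALUED = {"NAME", "DESC", "SUP", "EQUALITY", "ORDERING", "SUBSTR", "SYNTAX", "USAGE"}

def parse_attr(defn):
    """Parse one attributeTypes value into (oid, fields, unknown_keywords)."""
    toks = re.findall(r"'[^']*'|[()]|[^\s()]+", defn)
    if len(toks) < 3 or toks[0] != "(" or toks[-1] != ")":
        raise ValueError("not a parenthesised definition: %r" % defn)
    oid, toks = toks[1], toks[2:-1]
    fields, unknown, i = {}, [], 0
    while i < len(toks):
        key, i = toks[i], i + 1
        if key in FLAGS:                 # keywords that carry no value
            fields[key] = True
            continue
        if key not in VALUED and not key.startswith("X-"):
            unknown.append(key)          # assumed to take one value, e.g. a misspelled keyword
        if toks[i:i + 1] == ["("]:       # multi-valued form: ( 'a' 'b' )
            end = toks.index(")", i)
            value, i = tuple(t.strip("'") for t in toks[i + 1:end]), end + 1
        else:
            value, i = (toks[i].strip("'") if i < len(toks) else None), i + 1
        fields[key] = value
    return oid, fields, unknown

def diff_schema(file_defs, server_defs):
    """Return (action, oid, detail) tuples an updater would have to act on."""
    server = dict(parse_attr(d)[:2] for d in server_defs)
    plan = []
    for d in file_defs:
        oid, fields, unknown = parse_attr(d)
        if unknown:                      # refuse to push a definition we cannot fully parse
            plan.append(("invalid", oid, tuple(unknown)))
        elif oid not in server:
            plan.append(("add", oid, fields["NAME"]))
        elif server[oid] != fields:
            keys = sorted(k for k in {**fields, **server[oid]} if fields.get(k) != server[oid].get(k))
            plan.append(("replace", oid, tuple(keys)))
    return plan

# Constructed sample: three definitions as they appear in the patch on this page.
EXT = "(2.16.840.1.113730.3.8.11.1 NAME 'ipaExternalMember' DESC 'External Group Member Identifier' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3' )"
FLAT = "(2.16.840.1.113730.3.8.11.3 NAME 'ipaNTFlatName' DESC 'Flat/Netbios Name' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3' )"
HASH = "(2.16.840.1.113730.3.8.11.5 NAME 'ipaNTHash' DESC 'NT Hash of user password' EQUALITY octetStringMatch ORDERING octetStringOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'IPA v3' )"
# Constructed "server" state: ipaExternalMember absent, ipaNTFlatName still carrying the typo.
SERVER = [FLAT.replace("ORDERING", "OREDRING", 1), HASH]

if __name__ == "__main__":
    print(diff_schema([EXT, FLAT, HASH], SERVER))
```
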
[Freeipa-devel] [PATCH] 1087 Some missing v3 schema on upgrades
An objectclass and attribute are not being added on upgrades. Missing these causes the UI to not work. I also noticed a typo in the ordering of a number of the trust attributes so fix those as well. rob From 2fc9212767d572aa8f0c42acf9cac523d5f7a12e Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Mon, 18 Feb 2013 08:42:59 -0500 Subject: [PATCH] Add missing v3 schema on upgrades, fix typo in schema. Add mising ipaExternalMember attribute and ipaExternalGroup objectclass. Replacing mis-spelled ORDERING value on new install and upgrades. https://fedorahosted.org/freeipa/ticket/3398 --- install/share/60basev3.ldif| 18 +- install/updates/10-60basev3.update | 2 ++ install/updates/60-trusts.update | 31 ++- 3 files changed, 33 insertions(+), 18 deletions(-) diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif index 1564f7bd12bb1906239adc3e5bc38c94279b73a6..63489aea159db23e01bfe4ead6b28b7950e06d6e 100644 --- a/install/share/60basev3.ldif +++ b/install/share/60basev3.ldif 
@@ -5,16 +5,16 @@ ## dn: cn=schema attributeTypes: (2.16.840.1.113730.3.8.11.1 NAME 'ipaExternalMember' DESC 'External Group Member Identifier' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3' ) -attributeTypes: (2.16.840.1.113730.3.8.11.2 NAME 'ipaNTSecurityIdentifier' DESC 'NT Security ID' EQUALITY caseIgnoreIA5Match OREDRING caseIgnoreIA5OrderingMatch SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'IPA v3' ) -attributeTypes: (2.16.840.1.113730.3.8.11.23 NAME 'ipaNTTrustedDomainSID' DESC 'NT Trusted Domain Security ID' EQUALITY caseIgnoreIA5Match OREDRING caseIgnoreIA5OrderingMatch SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'IPA v3' ) -attributeTypes: (2.16.840.1.113730.3.8.11.3 NAME 'ipaNTFlatName' DESC 'Flat/Netbios Name' EQUALITY caseIgnoreMatch OREDRING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3' ) +attributeTypes: (2.16.840.1.113730.3.8.11.2 NAME 'ipaNTSecurityIdentifier' DESC 'NT Security ID' EQUALITY caseIgnoreIA5Match ORDERING caseIgnoreIA5OrderingMatch SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'IPA v3' ) +attributeTypes: (2.16.840.1.113730.3.8.11.23 NAME 'ipaNTTrustedDomainSID' DESC 'NT Trusted Domain Security ID' EQUALITY caseIgnoreIA5Match ORDERING caseIgnoreIA5OrderingMatch SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'IPA v3' ) +attributeTypes: (2.16.840.1.113730.3.8.11.3 NAME 'ipaNTFlatName' DESC 'Flat/Netbios Name' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3' ) attributeTypes: (2.16.840.1.113730.3.8.11.4 NAME 'ipaNTFallbackPrimaryGroup' DESC 'Fallback Group to set the Primary group Security 
Identifier for users with UPGs' SUP distinguishedName X-ORIGIN 'IPA v3' ) -attributeTypes: (2.16.840.1.113730.3.8.11.5 NAME 'ipaNTHash' DESC 'NT Hash of user password' EQUALITY octetStringMatch OREDRING octetStringOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'IPA v3' ) -attributeTypes: (2.16.840.1.113730.3.8.11.6 NAME 'ipaNTLogonScript' DESC 'User Logon Script Name' EQUALITY caseIgnoreMatch OREDRING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3' ) -attributeTypes: (2.16.840.1.113730.3.8.11.7 NAME 'ipaNTProfilePath' DESC 'User Profile Path' EQUALITY caseIgnoreMatch OREDRING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3' ) -attributeTypes: (2.16.840.1.113730.3.8.11.8 NAME 'ipaNTHomeDirectory' DESC 'User Home Directory Path' EQUALITY caseIgnoreMatch OREDRING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3' ) -attributeTypes: (2.16.840.1.113730.3.8.11.9 NAME 'ipaNTHomeDirectoryDrive' DESC 'User Home Drive Letter' EQUALITY caseIgnoreMatch OREDRING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3' ) -attributeTypes: (2.16.840.1.113730.3.8.11.10 NAME 'ipaNTDomainGUID' DESC 'NT Domain GUID' EQUALITY caseIgnoreIA5Match OREDRING caseIgnoreIA5OrderingMatch SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'IPA v3' ) +attributeTypes: (2.16.840.1.113730.3.8.11.5 NAME 'ipaNTHash' DESC 'NT Hash of user password' EQUALITY octetStringMatch ORDERING octetStringOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'IPA v3' ) +attributeTypes: (2.16.840.1.113730.3.8.11.6 NAME 'ipaNTLogonScript' DESC 'User
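Review bot: On the three IA5 String attributes in this hunk (ipaNTSecurityIdentifier, ipaNTTrustedDomainSID and ipaNTDomainGUID, all SYNTAX 1.3.6.1.4.1.1466.115.121.1.26), the corrected lines now carry "ORDERING caseIgnoreIA5OrderingMatch", which is exactly the rule and syntax pair that the dirsrv error log in this thread reports from attr_syntax_create as not compatible. Drop the ORDERING clause from those three definitions, or name an ordering rule the server accepts for that syntax, and check the server's errors log after loading the schema as part of testing the patch. The caseIgnoreOrderingMatch and octetStringOrderingMatch lines are not named in that log. The diffstat also lists install/updates/60-trusts.update, whose hunk is not visible here, so the same three definitions should be checked there.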