Re: [Freeipa-devel] [PATCH] Add fail-safe defaults to time and size limits in ldap2 searches.
On 10/22/2010 05:08 PM, Rob Crittenden wrote:
> Pavel Zuna wrote:
>> On 10/20/2010 11:42 PM, Rob Crittenden wrote:
>>> Pavel Zuna wrote:
>>>> On 10/14/2010 03:30 PM, Rob Crittenden wrote:
>>>>> Pavel Zuna wrote:
>>>>>> There was no default value set even though we were using config.get and it was throwing exceptions if someone deleted one of the related config values.
>>>>>> Pavel
>>>>>
>>>>> Is this needed since get_ipa_config() will always return something for time and search limits?
>>>>> rob
>>>>
>>>> Yes, because get_ipa_config will return defaults for time and search limits only when the whole ipaConfig entry isn't found. I reworked the patch, so that defaults are always returned by get_ipa_config, but I left changes from the previous version, because it doesn't hurt anything and is a (very little) bit safer. New version attached.
>>>> Pavel
>>>
>>> I see your point. One can do 'ipa config-mod --searchtimelimit=` and blam, everything stops working. This still seems like a bit of a cover-up fix for that. Should we prevent these attributes from being removed?
>>
>> We could do that, but it's always possible to delete the attribute using ldapmodify or some other tool.
>>
>>> rob
>>
>> Pavel
>
> Ok, your patch certainly won't hurt anything. Ack.
> rob

Pushed to master

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Add fail-safe defaults to time and size limits in ldap2 searches.
Pavel Zuna wrote:
> On 10/20/2010 11:42 PM, Rob Crittenden wrote:
>> Pavel Zuna wrote:
>>> On 10/14/2010 03:30 PM, Rob Crittenden wrote:
>>>> Pavel Zuna wrote:
>>>>> There was no default value set even though we were using config.get and it was throwing exceptions if someone deleted one of the related config values.
>>>>> Pavel
>>>>
>>>> Is this needed since get_ipa_config() will always return something for time and search limits?
>>>> rob
>>>
>>> Yes, because get_ipa_config will return defaults for time and search limits only when the whole ipaConfig entry isn't found. I reworked the patch, so that defaults are always returned by get_ipa_config, but I left changes from the previous version, because it doesn't hurt anything and is a (very little) bit safer. New version attached.
>>> Pavel
>>
>> I see your point. One can do 'ipa config-mod --searchtimelimit=` and blam, everything stops working. This still seems like a bit of a cover-up fix for that. Should we prevent these attributes from being removed?
>
> We could do that, but it's always possible to delete the attribute using ldapmodify or some other tool.
>
>> rob
>
> Pavel

Ok, your patch certainly won't hurt anything. Ack.

rob
Re: [Freeipa-devel] [PATCH] Add fail-safe defaults to time and size limits in ldap2 searches.
On 10/20/2010 11:42 PM, Rob Crittenden wrote:
> Pavel Zuna wrote:
>> On 10/14/2010 03:30 PM, Rob Crittenden wrote:
>>> Pavel Zuna wrote:
>>>> There was no default value set even though we were using config.get and it was throwing exceptions if someone deleted one of the related config values.
>>>> Pavel
>>>
>>> Is this needed since get_ipa_config() will always return something for time and search limits?
>>> rob
>>
>> Yes, because get_ipa_config will return defaults for time and search limits only when the whole ipaConfig entry isn't found. I reworked the patch, so that defaults are always returned by get_ipa_config, but I left changes from the previous version, because it doesn't hurt anything and is a (very little) bit safer. New version attached.
>> Pavel
>
> I see your point. One can do 'ipa config-mod --searchtimelimit=` and blam, everything stops working. This still seems like a bit of a cover-up fix for that. Should we prevent these attributes from being removed?

We could do that, but it's always possible to delete the attribute using ldapmodify or some other tool.

> rob

Pavel
Re: [Freeipa-devel] [PATCH] Add fail-safe defaults to time and size limits in ldap2 searches.
Pavel Zuna wrote:
> On 10/14/2010 03:30 PM, Rob Crittenden wrote:
>> Pavel Zuna wrote:
>>> There was no default value set even though we were using config.get and it was throwing exceptions if someone deleted one of the related config values.
>>> Pavel
>>
>> Is this needed since get_ipa_config() will always return something for time and search limits?
>> rob
>
> Yes, because get_ipa_config will return defaults for time and search limits only when the whole ipaConfig entry isn't found. I reworked the patch, so that defaults are always returned by get_ipa_config, but I left changes from the previous version, because it doesn't hurt anything and is a (very little) bit safer. New version attached.
> Pavel

I see your point. One can do 'ipa config-mod --searchtimelimit=` and blam, everything stops working. This still seems like a bit of a cover-up fix for that. Should we prevent these attributes from being removed?

rob
Re: [Freeipa-devel] [PATCH] Add fail-safe defaults to time and size limits in ldap2 searches.
On 10/14/2010 03:30 PM, Rob Crittenden wrote:
> Pavel Zuna wrote:
>> There was no default value set even though we were using config.get and it was throwing exceptions if someone deleted one of the related config values.
>> Pavel
>
> Is this needed since get_ipa_config() will always return something for time and search limits?
> rob

Yes, because get_ipa_config will return defaults for time and search limits only when the whole ipaConfig entry isn't found. I reworked the patch, so that defaults are always returned by get_ipa_config, but I left changes from the previous version, because it doesn't hurt anything and is a (very little) bit safer. New version attached.

Pavel

pzuna-freeipa-0033-2-limitdefaults.patch
Description: application/mbox
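The difference discussed in the message above, entry-level versus per-attribute defaults, as an added example that is not part of the thread or of FreeIPA's code. All function names and the finite fallback values are assumptions made for illustration.

```python
# Added illustration; function names and fallback values are assumptions,
# not FreeIPA's implementation.
ASSUMED_DEFAULTS = {
    "ipasearchtimelimit": 2,       # seconds (assumed finite fallback)
    "ipasearchrecordslimit": 100,  # entries (assumed finite fallback)
}


def limit_without_default(config, attr):
    """Pre-patch pattern: dict.get() yields None for a deleted attribute,
    so the [0] subscript raises TypeError."""
    return config.get(attr)[0]


def entry_level_defaults(entry):
    """Defaults supplied only when the whole config entry is missing."""
    if entry is None:
        return {k: [str(v)] for k, v in ASSUMED_DEFAULTS.items()}
    return dict(entry)


def attribute_level_defaults(entry):
    """Defaults for each limit attribute that is missing or has no values."""
    merged = dict(entry or {})
    for attr, value in ASSUMED_DEFAULTS.items():
        if not merged.get(attr):
            merged[attr] = [str(value)]
    return merged


def resolve_limits(entry, time_limit=None, size_limit=None):
    """Return (time_limit, size_limit); explicit caller values win."""
    config = attribute_level_defaults(entry)
    if time_limit is None:
        time_limit = config["ipasearchtimelimit"][0]
    if size_limit is None:
        size_limit = config["ipasearchrecordslimit"][0]
    return float(time_limit), int(size_limit)


# Constructed sample: the entry exists but the time limit attribute was deleted.
SAMPLE_ENTRY = {"ipasearchrecordslimit": ["50"]}

if __name__ == "__main__":
    print(resolve_limits(SAMPLE_ENTRY))
```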
Re: [Freeipa-devel] [PATCH] Add fail-safe defaults to time and size limits in ldap2 searches.
I have noticed a change in behavior with this ...
BEFORE: --sizelimit=0 returned 0 entries
now, it is returning all the entries ... obviously 0 now assumes default ... what is the default?

Thanks
Jenny

Adam Young wrote:
> On 10/14/2010 09:25 AM, Pavel Zuna wrote:
>> There was no default value set even though we were using config.get and it was throwing exceptions if someone deleted one of the related config values.
>> Pavel
>
> ACK

--
Jenny Galipeau
Principal Software QA Engineer
Red Hat, Inc. Security Engineering
Re: [Freeipa-devel] [PATCH] Add fail-safe defaults to time and size limits in ldap2 searches.
On 10/14/2010 09:25 AM, Pavel Zuna wrote:
> There was no default value set even though we were using config.get and it was throwing exceptions if someone deleted one of the related config values.
> Pavel

ACK
Re: [Freeipa-devel] [PATCH] Add fail-safe defaults to time and size limits in ldap2 searches.
Pavel Zuna wrote:
> There was no default value set even though we were using config.get and it was throwing exceptions if someone deleted one of the related config values.
> Pavel

Is this needed since get_ipa_config() will always return something for time and search limits?

rob
[Freeipa-devel] [PATCH] Add fail-safe defaults to time and size limits in ldap2 searches.
There was no default value set even though we were using config.get and it was throwing exceptions if someone deleted one of the related config values. Pavel >From 5dfda61f3995f4d5ae5813b7f70f2d2658a687f0 Mon Sep 17 00:00:00 2001 From: Pavel Zuna Date: Thu, 14 Oct 2010 10:54:24 -0400 Subject: [PATCH 2/2] Add fail-safe defaults to time and size limits in ldap2 searches. --- ipaserver/plugins/ldap2.py |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py index 096d3a3..1d18bbb 100644 --- a/ipaserver/plugins/ldap2.py +++ b/ipaserver/plugins/ldap2.py @@ -515,9 +515,9 @@ class ldap2(CrudBackend, Encoder): if time_limit is None or size_limit is None: (cdn, config) = self.get_ipa_config() if time_limit is None: -time_limit = config.get('ipasearchtimelimit')[0] +time_limit = config.get('ipasearchtimelimit', [-1])[0] if size_limit is None: -size_limit = config.get('ipasearchrecordslimit')[0] +size_limit = config.get('ipasearchrecordslimit', [0])[0] if not isinstance(size_limit, int): size_limit = int(size_limit) if not isinstance(time_limit, float): -- 1.7.1.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
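Review bot: the fallbacks on the two changed lines, `[-1]` for `ipasearchtimelimit` and `[0]` for `ipasearchrecordslimit`, are the values that conventionally mean "no limit" to an LDAP search, so when either attribute has been deleted the search runs with no time or size bound rather than a conservative one. Consider falling back to finite values, and add a comment stating what -1 and 0 mean at this point so the unlimited behaviour is a documented choice. Note also that `config.get(..., [0])[0]` only covers a missing key: an attribute that is present with an empty value list would still raise at the `[0]` index.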