Re: [Freeipa-devel] [PATCH] 0019 ipapwd_extop should take precedence over default DS plugin
On Mon, 13 Jun 2016, thierry bordaz wrote: On 06/13/2016 04:57 PM, Alexander Bokovoy wrote: On Mon, 13 Jun 2016, thierry bordaz wrote: This is the fix for https://fedorahosted.org/freeipa/ticket/5944 From 2838fbfc7a22b9bc0c1c4dfaf3660d1ac7099461 Mon Sep 17 00:00:00 2001 From: Thierry Bordaz Date: Wed, 8 Jun 2016 14:03:42 +0200 Subject: [PATCH] Make sure ipapwd_extop takes precedence over passwd_modify_extop DS core server provides a default plugin (passwd_modify_extop) to handle 1.3.6.1.4.1.4203.1.11.1 extended op (https://www.ietf.org/rfc/rfc3062.txt) IPA delivers ipa_pwd_extop plugin that should take precedence over the default DS plugin (passwd_modify_extop) --- install/updates/10-ipapwd.update | 9 + 1 file changed, 9 insertions(+) create mode 100644 install/updates/10-ipapwd.update diff --git a/install/updates/10-ipapwd.update b/install/updates/10-ipapwd.update new file mode 100644 index 000..d9bffa2 --- /dev/null +++ b/install/updates/10-ipapwd.update @@ -0,0 +1,9 @@ +dn: cn=ipa_pwd_extop,cn=plugins,cn=config +# DS core server provides a default plugin (passwd_modify_extop) to handle +# 1.3.6.1.4.1.4203.1.11.1 extended op (https://www.ietf.org/rfc/rfc3062.txt) +# the pluginprecedence of the passwd_modify_extop is 50 (default value) +# +# IPA delivers ipa_pwd_extop plugin to handle that extended op +# we need to make sure ipa_pwd_extop is called and so to set a lower +# precedence value +add:nsslapd-pluginprecedence: 49 Here is the problem: slapi-nis is 49 as well and it should be before ipa_pwd_extop. You need to update install/share/schema_compat.uldif and install/updates/10-schema_compat.update to get slapi-nis before ipa_pwd_extop. ipapwd_plugin registers extendedop callback but slapi-nis does not. So I do not think they will "fight" for precedence. Even if slapi-nis register perextendedop they will be on different lists and it should not create any issue. Now I understand that slapi-nis must run with a precedence that should be lower than most of the others plugins. Currently it is 49, are you ok with a value like 40 ? I'm OK with 40, yes. The precedence applies to all callbacks, not just to preextendedop, so a BIND callback would be affected too. You also need to make sure we depend on the updated 389-ds-base package version. Good ! Now with this dependency we should wait for 389-ds 1.3.5.5 to be available, I will resend the review when it will be available. Yep, thanks. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 0019 ipapwd_extop should take precedence over default DS plugin
On 06/13/2016 04:57 PM, Alexander Bokovoy wrote: On Mon, 13 Jun 2016, thierry bordaz wrote: This is the fix for https://fedorahosted.org/freeipa/ticket/5944 From 2838fbfc7a22b9bc0c1c4dfaf3660d1ac7099461 Mon Sep 17 00:00:00 2001 From: Thierry Bordaz Date: Wed, 8 Jun 2016 14:03:42 +0200 Subject: [PATCH] Make sure ipapwd_extop takes precedence over passwd_modify_extop DS core server provides a default plugin (passwd_modify_extop) to handle 1.3.6.1.4.1.4203.1.11.1 extended op (https://www.ietf.org/rfc/rfc3062.txt) IPA delivers ipa_pwd_extop plugin that should take precedence over the default DS plugin (passwd_modify_extop) --- install/updates/10-ipapwd.update | 9 + 1 file changed, 9 insertions(+) create mode 100644 install/updates/10-ipapwd.update diff --git a/install/updates/10-ipapwd.update b/install/updates/10-ipapwd.update new file mode 100644 index 000..d9bffa2 --- /dev/null +++ b/install/updates/10-ipapwd.update @@ -0,0 +1,9 @@ +dn: cn=ipa_pwd_extop,cn=plugins,cn=config +# DS core server provides a default plugin (passwd_modify_extop) to handle +# 1.3.6.1.4.1.4203.1.11.1 extended op (https://www.ietf.org/rfc/rfc3062.txt) +# the pluginprecedence of the passwd_modify_extop is 50 (default value) +# +# IPA delivers ipa_pwd_extop plugin to handle that extended op +# we need to make sure ipa_pwd_extop is called and so to set a lower +# precedence value +add:nsslapd-pluginprecedence: 49 Here is the problem: slapi-nis is 49 as well and it should be before ipa_pwd_extop. You need to update install/share/schema_compat.uldif and install/updates/10-schema_compat.update to get slapi-nis before ipa_pwd_extop. ipapwd_plugin registers extendedop callback but slapi-nis does not. So I do not think they will "fight" for precedence. Even if slapi-nis register perextendedop they will be on different lists and it should not create any issue. Now I understand that slapi-nis must run with a precedence that should be lower than most of the others plugins. Currently it is 49, are you ok with a value like 40 ? You also need to make sure we depend on the updated 389-ds-base package version. Good ! Now with this dependency we should wait for 389-ds 1.3.5.5 to be available, I will resend the review when it will be available. thanks for the review thierry -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 0019 ipapwd_extop should take precedence over default DS plugin
On Mon, 13 Jun 2016, thierry bordaz wrote: This is the fix for https://fedorahosted.org/freeipa/ticket/5944 From 2838fbfc7a22b9bc0c1c4dfaf3660d1ac7099461 Mon Sep 17 00:00:00 2001 From: Thierry Bordaz Date: Wed, 8 Jun 2016 14:03:42 +0200 Subject: [PATCH] Make sure ipapwd_extop takes precedence over passwd_modify_extop DS core server provides a default plugin (passwd_modify_extop) to handle 1.3.6.1.4.1.4203.1.11.1 extended op (https://www.ietf.org/rfc/rfc3062.txt) IPA delivers ipa_pwd_extop plugin that should take precedence over the default DS plugin (passwd_modify_extop) --- install/updates/10-ipapwd.update | 9 + 1 file changed, 9 insertions(+) create mode 100644 install/updates/10-ipapwd.update diff --git a/install/updates/10-ipapwd.update b/install/updates/10-ipapwd.update new file mode 100644 index 000..d9bffa2 --- /dev/null +++ b/install/updates/10-ipapwd.update @@ -0,0 +1,9 @@ +dn: cn=ipa_pwd_extop,cn=plugins,cn=config +# DS core server provides a default plugin (passwd_modify_extop) to handle +# 1.3.6.1.4.1.4203.1.11.1 extended op (https://www.ietf.org/rfc/rfc3062.txt) +# the pluginprecedence of the passwd_modify_extop is 50 (default value) +# +# IPA delivers ipa_pwd_extop plugin to handle that extended op +# we need to make sure ipa_pwd_extop is called and so to set a lower +# precedence value +add:nsslapd-pluginprecedence: 49 Here is the problem: slapi-nis is 49 as well and it should be before ipa_pwd_extop. You need to update install/share/schema_compat.uldif and install/updates/10-schema_compat.update to get slapi-nis before ipa_pwd_extop. You also need to make sure we depend on the updated 389-ds-base package version. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [PATCH] 0019 ipapwd_extop should take precedence over default DS plugin
This is the fix for https://fedorahosted.org/freeipa/ticket/5944 >From 2838fbfc7a22b9bc0c1c4dfaf3660d1ac7099461 Mon Sep 17 00:00:00 2001 From: Thierry Bordaz Date: Wed, 8 Jun 2016 14:03:42 +0200 Subject: [PATCH] Make sure ipapwd_extop takes precedence over passwd_modify_extop DS core server provides a default plugin (passwd_modify_extop) to handle 1.3.6.1.4.1.4203.1.11.1 extended op (https://www.ietf.org/rfc/rfc3062.txt) IPA delivers ipa_pwd_extop plugin that should take precedence over the default DS plugin (passwd_modify_extop) --- install/updates/10-ipapwd.update | 9 + 1 file changed, 9 insertions(+) create mode 100644 install/updates/10-ipapwd.update diff --git a/install/updates/10-ipapwd.update b/install/updates/10-ipapwd.update new file mode 100644 index 000..d9bffa2 --- /dev/null +++ b/install/updates/10-ipapwd.update @@ -0,0 +1,9 @@ +dn: cn=ipa_pwd_extop,cn=plugins,cn=config +# DS core server provides a default plugin (passwd_modify_extop) to handle +# 1.3.6.1.4.1.4203.1.11.1 extended op (https://www.ietf.org/rfc/rfc3062.txt) +# the pluginprecedence of the passwd_modify_extop is 50 (default value) +# +# IPA delivers ipa_pwd_extop plugin to handle that extended op +# we need to make sure ipa_pwd_extop is called and so to set a lower +# precedence value +add:nsslapd-pluginprecedence: 49 -- 2.5.0 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code