Re: [Freeipa-devel] [PATCH] Add fail-safe defaults to time and size limits in ldap2 searches.

2010-10-22 Thread Adam Young

On 10/22/2010 05:08 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

On 10/20/2010 11:42 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

On 10/14/2010 03:30 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

There was no default value set even though we were using config.get and
it was throwing exceptions if someone deleted one of the related config
values.

Pavel


Is this needed since get_ipa_config() will always return something for
time and search limits?

rob


Yes, because get_ipa_config will return defaults for time and search
limits only when the whole ipaConfig entry isn't found.

I reworked the patch, so that defaults are always returned by
get_ipa_config, but I left changes from the previous version, because it
doesn't hurt anything and is a (very little) bit safer.

New version attached.

Pavel


I see your point. One can do 'ipa config-mod --searchtimelimit=` and
blam, everything stops working. This still seems like a bit of a
cover-up fix for that. Should we prevent these attributes from being
removed?


We could do that, but it's always possible to delete the attribute using
ldapmodify or some other tool.



rob


Pavel


Ok, your patch certainly won't hurt anything. Ack.

rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Pushed to master



Re: [Freeipa-devel] [PATCH] Add fail-safe defaults to time and size limits in ldap2 searches.

2010-10-22 Thread Rob Crittenden

Pavel Zuna wrote:

On 10/20/2010 11:42 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

On 10/14/2010 03:30 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

There was no default value set even though we were using config.get and
it was throwing exceptions if someone deleted one of the related config
values.

Pavel


Is this needed since get_ipa_config() will always return something for
time and search limits?

rob


Yes, because get_ipa_config will return defaults for time and search
limits only when the whole ipaConfig entry isn't found.

I reworked the patch, so that defaults are always returned by
get_ipa_config, but I left changes from the previous version, because it
doesn't hurt anything and is a (very little) bit safer.

New version attached.

Pavel


I see your point. One can do 'ipa config-mod --searchtimelimit=` and
blam, everything stops working. This still seems like a bit of a
cover-up fix for that. Should we prevent these attributes from being
removed?


We could do that, but it's always possible to delete the attribute using
ldapmodify or some other tool.



rob


Pavel


Ok, your patch certainly won't hurt anything. Ack.

rob



Re: [Freeipa-devel] [PATCH] Add fail-safe defaults to time and size limits in ldap2 searches.

2010-10-21 Thread Pavel Zuna

On 10/20/2010 11:42 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

On 10/14/2010 03:30 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

There was no default value set even though we were using config.get and
it was throwing exceptions if someone deleted one of the related config
values.

Pavel


Is this needed since get_ipa_config() will always return something for
time and search limits?

rob


Yes, because get_ipa_config will return defaults for time and search
limits only when the whole ipaConfig entry isn't found.

I reworked the patch, so that defaults are always returned by
get_ipa_config, but I left changes from the previous version, because it
doesn't hurt anything and is a (very little) bit safer.

New version attached.

Pavel


I see your point. One can do 'ipa config-mod --searchtimelimit=` and
blam, everything stops working. This still seems like a bit of a
cover-up fix for that. Should we prevent these attributes from being
removed?


We could do that, but it's always possible to delete the attribute using 
ldapmodify or some other tool.




rob


Pavel



Re: [Freeipa-devel] [PATCH] Add fail-safe defaults to time and size limits in ldap2 searches.

2010-10-20 Thread Rob Crittenden

Pavel Zuna wrote:

On 10/14/2010 03:30 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

There was no default value set even though we were using config.get and
it was throwing exceptions if someone deleted one of the related config
values.

Pavel


Is this needed since get_ipa_config() will always return something for
time and search limits?

rob


Yes, because get_ipa_config will return defaults for time and search
limits only when the whole ipaConfig entry isn't found.

I reworked the patch, so that defaults are always returned by
get_ipa_config, but I left changes from the previous version, because it
doesn't hurt anything and is a (very little) bit safer.

New version attached.

Pavel


I see your point. One can do 'ipa config-mod --searchtimelimit=` and 
blam, everything stops working. This still seems like a bit of a 
cover-up fix for that. Should we prevent these attributes from being 
removed?


rob



Re: [Freeipa-devel] [PATCH] Add fail-safe defaults to time and size limits in ldap2 searches.

2010-10-20 Thread Pavel Zuna

On 10/14/2010 03:30 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

There was no default value set even though we were using config.get and
it was throwing exceptions if someone deleted one of the related config
values.

Pavel


Is this needed since get_ipa_config() will always return something for
time and search limits?

rob


Yes, because get_ipa_config will return defaults for time and search limits only 
when the whole ipaConfig entry isn't found.


I reworked the patch, so that defaults are always returned by get_ipa_config, 
but I left changes from the previous version, because it doesn't hurt anything 
and is a (very little) bit safer.


New version attached.

Pavel


pzuna-freeipa-0033-2-limitdefaults.patch
Description: application/mbox
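
An added example, not part of the thread or of FreeIPA's code: one way to apply per-attribute fallbacks so that a missing entry, a deleted attribute, an emptied attribute and a non-numeric value all yield usable limits. The attribute names come from the patch; the function names and the fallback values 2 and 100 are assumptions for illustration.

```python
# Added illustration, not FreeIPA code. Attribute names are from the patch;
# the fallback values and function names are assumptions.
FALLBACK_LIMITS = {
    'ipasearchtimelimit': 2,       # seconds (assumed value)
    'ipasearchrecordslimit': 100,  # entries (assumed value)
}


def first_int(values, fallback):
    """Return the first value of an LDAP attribute as an int.

    LDAP attributes arrive as lists of strings. The fallback covers a
    missing attribute (None), an attribute with no values ([]), and a
    value that is blank or not an integer.
    """
    if not values:
        return fallback
    try:
        return int(str(values[0]).strip())
    except ValueError:
        return fallback


def effective_limits(entry):
    """Merge per-attribute fallbacks into an ipaConfig-style entry dict.

    `entry` may be None (entry not found) or a dict lacking either key.
    """
    entry = entry or {}
    return {
        attr: first_int(entry.get(attr), fallback)
        for attr, fallback in FALLBACK_LIMITS.items()
    }


# Constructed sample entries covering the cases raised in the thread.
SAMPLES = {
    'entry missing': None,
    'attribute deleted': {'ipasearchrecordslimit': ['50']},
    'attribute emptied': {'ipasearchtimelimit': [],
                          'ipasearchrecordslimit': ['50']},
    'garbage value': {'ipasearchtimelimit': ['abc'],
                      'ipasearchrecordslimit': ['50']},
    'well formed': {'ipasearchtimelimit': ['5'],
                    'ipasearchrecordslimit': ['200']},
}

if __name__ == '__main__':
    for label, entry in SAMPLES.items():
        print(label, effective_limits(entry))
```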

Re: [Freeipa-devel] [PATCH] Add fail-safe defaults to time and size limits in ldap2 searches.

2010-10-14 Thread Jenny Galipeau

I have noticed a change in behavior with this ...
BEFORE:
--sizelimit=0 returned 0 entries
Now, it is returning all the entries ... obviously 0 now assumes
default ... what is the default??

Thanks
Jenny


Adam Young wrote:

On 10/14/2010 09:25 AM, Pavel Zuna wrote:
There was no default value set even though we were using config.get 
and it was throwing exceptions if someone deleted one of the related 
config values.


Pavel



ACK





--
Jenny Galipeau 
Principal Software QA Engineer
Red Hat, Inc. Security Engineering





Re: [Freeipa-devel] [PATCH] Add fail-safe defaults to time and size limits in ldap2 searches.

2010-10-14 Thread Adam Young

On 10/14/2010 09:25 AM, Pavel Zuna wrote:
There was no default value set even though we were using config.get 
and it was throwing exceptions if someone deleted one of the related 
config values.


Pavel



ACK

Re: [Freeipa-devel] [PATCH] Add fail-safe defaults to time and size limits in ldap2 searches.

2010-10-14 Thread Rob Crittenden

Pavel Zuna wrote:

There was no default value set even though we were using config.get and
it was throwing exceptions if someone deleted one of the related config
values.

Pavel


Is this needed since get_ipa_config() will always return something for 
time and search limits?


rob



[Freeipa-devel] [PATCH] Add fail-safe defaults to time and size limits in ldap2 searches.

2010-10-14 Thread Pavel Zuna
There was no default value set even though we were using config.get and it was 
throwing exceptions if someone deleted one of the related config values.


Pavel
From 5dfda61f3995f4d5ae5813b7f70f2d2658a687f0 Mon Sep 17 00:00:00 2001
From: Pavel Zuna 
Date: Thu, 14 Oct 2010 10:54:24 -0400
Subject: [PATCH 2/2] Add fail-safe defaults to time and size limits in ldap2 searches.

---
 ipaserver/plugins/ldap2.py |4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index 096d3a3..1d18bbb 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -515,9 +515,9 @@ class ldap2(CrudBackend, Encoder):
 if time_limit is None or size_limit is None:
 (cdn, config) = self.get_ipa_config()
 if time_limit is None:
-time_limit = config.get('ipasearchtimelimit')[0]
+time_limit = config.get('ipasearchtimelimit', [-1])[0]
 if size_limit is None:
-size_limit = config.get('ipasearchrecordslimit')[0]
+size_limit = config.get('ipasearchrecordslimit', [0])[0]
 if not isinstance(size_limit, int):
 size_limit = int(size_limit)
 if not isinstance(time_limit, float):
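
Review bot: the fallbacks `[-1]` and `[0]` on the two changed `config.get(...)` lines mean that a deleted `ipasearchtimelimit` or `ipasearchrecordslimit` silently becomes a search with no time limit and no size limit, since -1 and 0 are the conventional "no limit" values for an LDAP search; a fail-safe default would be a finite bound, and whichever values are chosen deserve a one-line comment saying what they mean. The default argument also only covers a missing key: if the key is present with an empty value list, the trailing `[0]` still raises IndexError, so a form such as `(config.get('ipasearchtimelimit') or [DEFAULT])[0]`, with `DEFAULT` standing for the chosen bound, would cover both cases.
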
-- 
1.7.1.1
