Re: [Freeipa-devel] [PATCH] 319 Make ipakrbprincipal objectclass optional
On 10/02/2012 05:46 PM, Martin Kosek wrote:
> On 10/02/2012 03:04 PM, Martin Kosek wrote:
>> On 10/02/2012 12:19 PM, Petr Viktorin wrote:
>>> On 10/01/2012 05:28 PM, Martin Kosek wrote:
>>>> From IPA 3.0, services have by default ipakrbprincipal objectclass which
>>>> allows ipakrbprincipalalias attribute used for case-insensitive principal
>>>> searches. However, as services created in previous version do not have
>>>> this objectclass (and attribute), they are not listed in service list
>>>> produced by service-find.
>>>>
>>>> Treat the ipakrbprincipal as optional to avoid missing services in
>>>> service-find command. Add flag to service-mod command which can fill
>>>> ipakrbprincipalalias attribute when case-insensitive principal searches
>>>> for a 2.x service are required.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/3106
>>>
>>> This works, I'm getting all services now & the tests pass.
>>>
>>>> -
>>>>
>>>> I am still pondering about a right way to fill ipakrbprincipalalias
>>>> used in for IPA 3.0 case-insensitive searches, so far I implemented
>>>> this command:
>>>>
>>>> ipa service-mod PRINCIPAL --update-principal-alias
>>>>
>>>> But I am thinking it may be a better approach to generalize it and do
>>>> something like that:
>>>>
>>>> ipa service-mod PRINCIPAL --upgrade/--update
>>>>
>>>> This command would do a general update of service entry to an
>>>> up-to-date 3.0 style, in this case it could do 2 things:
>>>> * fill ipakrbprincipalalias
>>>> * fill ipakrbauthzdata (based on default value in IPA config).
>>>
>>> I don't think you're generalizing enough; `service-mod --upgrade` isn't that
>>> different from `service-mod --update-principal-alias --update-authzdata`.
>>> Scripting this to happen for all services could be a nuisance, though. There
>>> should be a way to upgrade all services at once, and since we already have
>>> ipa-ldap-updater for it, it should run as part of that.
>>>
>>> I think we should keep ipakrbprincipal optional, in case the upgrade goes
>>> wrong.
>>
>> I agree. I created an upgrade plugin which should update all services and
>> fill ipakrbprincipalalias during upgrade (attached). I tested 2.2 -> 3.0
>> upgrade and it worked fine.
>>
>> Martin
>
> There was a glitch in the loop repeating the update when LDAP limits are hit -
> thanks Petr Viktorin for noticing the issue. It is working now, I tried with 10
> affected services and search limit set to 1 entry - and the loop executed 10
> times as it was supposed to. I also disabled size/time limits for the search in
> the upgrade plugin. But it would also work if default IPA search limits (100
> entries) are used, it should just make things faster.
>
> Martin

With the limits removed, the loop is redundant. Please decide yourself if it would be better to remove it.

ACK from me if you want to push it as is.

--
Petr³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 319 Make ipakrbprincipal objectclass optional
Martin Kosek wrote:
> On 10/02/2012 03:04 PM, Martin Kosek wrote:
>> On 10/02/2012 12:19 PM, Petr Viktorin wrote:
>>> On 10/01/2012 05:28 PM, Martin Kosek wrote:
>>>> From IPA 3.0, services have by default ipakrbprincipal objectclass which
>>>> allows ipakrbprincipalalias attribute used for case-insensitive principal
>>>> searches. However, as services created in previous version do not have
>>>> this objectclass (and attribute), they are not listed in service list
>>>> produced by service-find.
>>>>
>>>> Treat the ipakrbprincipal as optional to avoid missing services in
>>>> service-find command. Add flag to service-mod command which can fill
>>>> ipakrbprincipalalias attribute when case-insensitive principal searches
>>>> for a 2.x service are required.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/3106
>>>
>>> This works, I'm getting all services now & the tests pass.
>>>
>>>> -
>>>>
>>>> I am still pondering about a right way to fill ipakrbprincipalalias
>>>> used in for IPA 3.0 case-insensitive searches, so far I implemented
>>>> this command:
>>>>
>>>> ipa service-mod PRINCIPAL --update-principal-alias
>>>>
>>>> But I am thinking it may be a better approach to generalize it and do
>>>> something like that:
>>>>
>>>> ipa service-mod PRINCIPAL --upgrade/--update
>>>>
>>>> This command would do a general update of service entry to an
>>>> up-to-date 3.0 style, in this case it could do 2 things:
>>>> * fill ipakrbprincipalalias
>>>> * fill ipakrbauthzdata (based on default value in IPA config).
>>>
>>> I don't think you're generalizing enough; `service-mod --upgrade` isn't that
>>> different from `service-mod --update-principal-alias --update-authzdata`.
>>> Scripting this to happen for all services could be a nuisance, though. There
>>> should be a way to upgrade all services at once, and since we already have
>>> ipa-ldap-updater for it, it should run as part of that.
>>>
>>> I think we should keep ipakrbprincipal optional, in case the upgrade goes
>>> wrong.
>>
>> I agree. I created an upgrade plugin which should update all services and
>> fill ipakrbprincipalalias during upgrade (attached). I tested 2.2 -> 3.0
>> upgrade and it worked fine.
>>
>> Martin
>
> There was a glitch in the loop repeating the update when LDAP limits are hit -
> thanks Petr Viktorin for noticing the issue. It is working now, I tried with 10
> affected services and search limit set to 1 entry - and the loop executed 10
> times as it was supposed to. I also disabled size/time limits for the search in
> the upgrade plugin. But it would also work if default IPA search limits (100
> entries) are used, it should just make things faster.
>
> Martin

ACK, pushed to master and ipa-3-0. I tested with > 2500 services.

rob
Re: [Freeipa-devel] [PATCH] 319 Make ipakrbprincipal objectclass optional
On 10/02/2012 03:04 PM, Martin Kosek wrote:
> On 10/02/2012 12:19 PM, Petr Viktorin wrote:
>> On 10/01/2012 05:28 PM, Martin Kosek wrote:
>>> From IPA 3.0, services have by default ipakrbprincipal objectclass which
>>> allows ipakrbprincipalalias attribute used for case-insensitive principal
>>> searches. However, as services created in previous version do not have
>>> this objectclass (and attribute), they are not listed in service list
>>> produced by service-find.
>>>
>>> Treat the ipakrbprincipal as optional to avoid missing services in
>>> service-find command. Add flag to service-mod command which can fill
>>> ipakrbprincipalalias attribute when case-insensitive principal searches
>>> for a 2.x service are required.
>>>
>>> https://fedorahosted.org/freeipa/ticket/3106
>>
>> This works, I'm getting all services now & the tests pass.
>>
>>> -
>>>
>>> I am still pondering about a right way to fill ipakrbprincipalalias
>>> used in for IPA 3.0 case-insensitive searches, so far I implemented
>>> this command:
>>>
>>> ipa service-mod PRINCIPAL --update-principal-alias
>>>
>>> But I am thinking it may be a better approach to generalize it and do
>>> something like that:
>>>
>>> ipa service-mod PRINCIPAL --upgrade/--update
>>>
>>> This command would do a general update of service entry to an
>>> up-to-date 3.0 style, in this case it could do 2 things:
>>> * fill ipakrbprincipalalias
>>> * fill ipakrbauthzdata (based on default value in IPA config).
>>
>> I don't think you're generalizing enough; `service-mod --upgrade` isn't that
>> different from `service-mod --update-principal-alias --update-authzdata`.
>> Scripting this to happen for all services could be a nuisance, though. There
>> should be a way to upgrade all services at once, and since we already have
>> ipa-ldap-updater for it, it should run as part of that.
>>
>> I think we should keep ipakrbprincipal optional, in case the upgrade goes
>> wrong.
>
> I agree. I created an upgrade plugin which should update all services and
> fill ipakrbprincipalalias during upgrade (attached). I tested 2.2 -> 3.0
> upgrade and it worked fine.
>
> Martin

There was a glitch in the loop repeating the update when LDAP limits are hit - thanks Petr Viktorin for noticing the issue. It is working now, I tried with 10 affected services and search limit set to 1 entry - and the loop executed 10 times as it was supposed to. I also disabled size/time limits for the search in the upgrade plugin. But it would also work if default IPA search limits (100 entries) are used, it should just make things faster.

Martin

From 1a4bd467bda9eb668aead2514b431c6b949c4a5d Mon Sep 17 00:00:00 2001
From: Martin Kosek
Date: Mon, 1 Oct 2012 16:49:34 +0200
Subject: [PATCH] Fill ipakrbprincipalalias on upgrades

From IPA 3.0, services have by default ipakrbprincipal objectclass which
allows ipakrbprincipalalias attribute used for case-insensitive principal
searches. However, services created in previous version do not have
this objectclass (and attribute) and thus case-insensitive searches
may return inconsistent results.

Fill ipakrbprincipalalias on upgrades for all 2.x services. Also treat
the ipakrbprincipal as optional to avoid missing services in
service-find command if the upgrade fails for any reason.

https://fedorahosted.org/freeipa/ticket/3106
--- ipalib/plugins/service.py| 7 +- ipaserver/install/plugins/Makefile.am| 1 + ipaserver/install/plugins/update_services.py | 95 3 files changed, 102 insertions(+), 1 deletion(-) create mode 100644 ipaserver/install/plugins/update_services.py diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py index a7201f525941023fb5caa8610836156a6df79bab..551990d7cabc4cfa331a019edb721bdfc99a6b2d 100644 --- a/ipalib/plugins/service.py +++ b/ipalib/plugins/service.py 
@@ -218,8 +218,9 @@ class service(LDAPObject): object_name_plural = _('services') object_class = [ 'krbprincipal', 'krbprincipalaux', 'krbticketpolicyaux', 'ipaobject', -'ipaservice', 'pkiuser', 'ipakrbprincipal' +'ipaservice', 'pkiuser' ] +possible_objectclasses = ['ipakrbprincipal'] search_attributes = ['krbprincipalname', 'managedby', 'ipakrbauthzdata'] default_attributes = ['krbprincipalname', 'usercertificate', 'managedby', 'ipakrbauthzdata',] @@ -311,6 +312,10 @@ class service_add(LDAPCreate): # schema entry_attrs['ipakrbprincipalalias'] = keys[-1] +# Objectclass ipakrbprincipal providing ipakrbprincipalalias is not in +# in a list of default objectclasses, add it manually +entry_attrs['objectclass'].append('ipakrbprincipal') + return dn api.register(service_add) diff --git a/ipaserver/install/plugins/Makefile.am b/ipaserver/install/plugins/Makefile.am index 9670273c8cd14c2ec98da9d228664b06289483a1..d29103a90afdffa74d768b3438acb9733b825d53 100644 --- a/ipaserver/inst
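Review bot: In the service_add hunk of ipalib/plugins/service.py, entry_attrs['objectclass'].append('ipakrbprincipal') runs unconditionally, so if the list already contains ipakrbprincipal (in any letter case) the value is sent to LDAP twice. Check membership case-insensitively before appending. The comment added just above it also reads "is not in" followed by "in a list"; drop the repeated "in".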
Re: [Freeipa-devel] [PATCH] 319 Make ipakrbprincipal objectclass optional
On 10/02/2012 12:19 PM, Petr Viktorin wrote:
> On 10/01/2012 05:28 PM, Martin Kosek wrote:
>> From IPA 3.0, services have by default ipakrbprincipal objectclass which
>> allows ipakrbprincipalalias attribute used for case-insensitive principal
>> searches. However, as services created in previous version do not have
>> this objectclass (and attribute), they are not listed in service list
>> produced by service-find.
>>
>> Treat the ipakrbprincipal as optional to avoid missing services in
>> service-find command. Add flag to service-mod command which can fill
>> ipakrbprincipalalias attribute when case-insensitive principal searches
>> for a 2.x service are required.
>>
>> https://fedorahosted.org/freeipa/ticket/3106
>
> This works, I'm getting all services now & the tests pass.
>
>> -
>>
>> I am still pondering about a right way to fill ipakrbprincipalalias
>> used in for IPA 3.0 case-insensitive searches, so far I implemented
>> this command:
>>
>> ipa service-mod PRINCIPAL --update-principal-alias
>>
>> But I am thinking it may be a better approach to generalize it and do
>> something like that:
>>
>> ipa service-mod PRINCIPAL --upgrade/--update
>>
>> This command would do a general update of service entry to an
>> up-to-date 3.0 style, in this case it could do 2 things:
>> * fill ipakrbprincipalalias
>> * fill ipakrbauthzdata (based on default value in IPA config).
>
> I don't think you're generalizing enough; `service-mod --upgrade` isn't that
> different from `service-mod --update-principal-alias --update-authzdata`.
> Scripting this to happen for all services could be a nuisance, though. There
> should be a way to upgrade all services at once, and since we already have
> ipa-ldap-updater for it, it should run as part of that.
>
> I think we should keep ipakrbprincipal optional, in case the upgrade goes
> wrong.

I agree. I created an upgrade plugin which should update all services and fill ipakrbprincipalalias during upgrade (attached). I tested 2.2 -> 3.0 upgrade and it worked fine.

Martin

From fc7715885ac643c37c8813b4d05473d1db91ea52 Mon Sep 17 00:00:00 2001
From: Martin Kosek
Date: Mon, 1 Oct 2012 16:49:34 +0200
Subject: [PATCH] Fill ipakrbprincipalalias on upgrades

From IPA 3.0, services have by default ipakrbprincipal objectclass which
allows ipakrbprincipalalias attribute used for case-insensitive principal
searches. However, services created in previous version do not have
this objectclass (and attribute) and thus case-insensitive searches
may return inconsistent results.

Fill ipakrbprincipalalias on upgrades for all 2.x services. Also treat
the ipakrbprincipal as optional to avoid missing services in
service-find command if the upgrade fails for any reason.

https://fedorahosted.org/freeipa/ticket/3106
--- ipalib/plugins/service.py| 7 ++- ipaserver/install/plugins/Makefile.am| 1 + ipaserver/install/plugins/update_services.py | 94 3 files changed, 101 insertions(+), 1 deletion(-) create mode 100644 ipaserver/install/plugins/update_services.py diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py index a7201f525941023fb5caa8610836156a6df79bab..551990d7cabc4cfa331a019edb721bdfc99a6b2d 100644 --- a/ipalib/plugins/service.py +++ b/ipalib/plugins/service.py @@ -218,8 +218,9 @@ class service(LDAPObject): object_name_plural = _('services') object_class = [ 'krbprincipal', 'krbprincipalaux', 'krbticketpolicyaux', 'ipaobject', -'ipaservice', 'pkiuser', 'ipakrbprincipal' +'ipaservice', 'pkiuser' ] +possible_objectclasses = ['ipakrbprincipal'] search_attributes = ['krbprincipalname', 'managedby', 'ipakrbauthzdata'] default_attributes = ['krbprincipalname', 'usercertificate', 'managedby', 'ipakrbauthzdata',] 
@@ -311,6 +312,10 @@ class service_add(LDAPCreate): # schema entry_attrs['ipakrbprincipalalias'] = keys[-1] +# Objectclass ipakrbprincipal providing ipakrbprincipalalias is not in +# in a list of default objectclasses, add it manually +entry_attrs['objectclass'].append('ipakrbprincipal') + return dn api.register(service_add) diff --git a/ipaserver/install/plugins/Makefile.am b/ipaserver/install/plugins/Makefile.am index 9670273c8cd14c2ec98da9d228664b06289483a1..d29103a90afdffa74d768b3438acb9733b825d53 100644 --- a/ipaserver/install/plugins/Makefile.am +++ b/ipaserver/install/plugins/Makefile.am @@ -8,6 +8,7 @@ app_PYTHON = \ rename_managed.py \ dns.py \ updateclient.py \ + update_services.py \ $(NULL) EXTRA_DIST = \ diff --git a/ipaserver/install/plugins/update_services.py b/ipaserver/install/plugins/update_services.py new file mode 100644 index ..6f9e8cb0ed9670db8796bece13d73539acb64190 --- /dev/null +++ b/ipaserver/install/plugins/update_services.py @@ -0,0 +1,94 @@ +# Authors: +# Martin Kosek +# +# Copyright (C) 2
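Review bot: The object_class change in class service (first hunk of ipalib/plugins/service.py) comes without a test: the diffstat lists only service.py, Makefile.am and update_services.py. Add a test that creates a service entry lacking the ipakrbprincipal objectclass and checks that service-find still returns it, since that is the regression from ticket 3106 that moving the class to possible_objectclasses is meant to prevent.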
Re: [Freeipa-devel] [PATCH] 319 Make ipakrbprincipal objectclass optional
On 10/01/2012 05:28 PM, Martin Kosek wrote:
> From IPA 3.0, services have by default ipakrbprincipal objectclass which
> allows ipakrbprincipalalias attribute used for case-insensitive principal
> searches. However, as services created in previous version do not have
> this objectclass (and attribute), they are not listed in service list
> produced by service-find.
>
> Treat the ipakrbprincipal as optional to avoid missing services in
> service-find command. Add flag to service-mod command which can fill
> ipakrbprincipalalias attribute when case-insensitive principal searches
> for a 2.x service are required.
>
> https://fedorahosted.org/freeipa/ticket/3106

This works, I'm getting all services now & the tests pass.

> -
>
> I am still pondering about a right way to fill ipakrbprincipalalias
> used in for IPA 3.0 case-insensitive searches, so far I implemented
> this command:
>
> ipa service-mod PRINCIPAL --update-principal-alias
>
> But I am thinking it may be a better approach to generalize it and do
> something like that:
>
> ipa service-mod PRINCIPAL --upgrade/--update
>
> This command would do a general update of service entry to an
> up-to-date 3.0 style, in this case it could do 2 things:
> * fill ipakrbprincipalalias
> * fill ipakrbauthzdata (based on default value in IPA config).

I don't think you're generalizing enough; `service-mod --upgrade` isn't that different from `service-mod --update-principal-alias --update-authzdata`. Scripting this to happen for all services could be a nuisance, though. There should be a way to upgrade all services at once, and since we already have ipa-ldap-updater for it, it should run as part of that.

I think we should keep ipakrbprincipal optional, in case the upgrade goes wrong.

--
Petr³