Re: [Freeipa-devel] [PATCH] Do not ask for memberindirect when updating managed permissions

2014-04-17 Thread Petr Viktorin

On 04/16/2014 03:58 PM, Martin Kosek wrote:

On 04/16/2014 03:52 PM, Simo Sorce wrote:

On Wed, 2014-04-16 at 10:35 +0200, Jan Cholasta wrote:

On 11.4.2014 13:31, Petr Viktorin wrote:

One of the default_attributes of permission is memberofindirect, a
virtual attribute manufactured by ldap2, which is set when a permission
is part of a role.
When update_entry is called on an entry with memberofindirect, ipaldap
tries to add the attribute to LDAP and fails with an objectclass violation.

Do not ask for memberindirect when retrieving the entry.



CCing Honza since he designs ipaldap. Virtual attributes are often
helpful, and in any case IPA uses them a lot and having to filter them
out every time is error-prone.
Maybe we should add support for them directly in ipaldap -- e.g. an
attribute set by `entry.virtual[attr_name] = [x]` would be visible in
entry[attr_name] but would not be synced back to LDAP?



I would prefer if we stopped abusing LDAPEntry to handle non-LDAP stuff
in the future. Your suggestion works in sort of opposite direction, so I
can't say I like it.

Currently we use LDAPEntry in frontend code directly, but I think that's
wrong. There should be a frontend-specific class for this (make
ipalib.frontend.Object instantiable?) and LDAPEntry should be used
(almost) only in backend code.


+1

Simo.


We are then stuck with Petr's original patch 518 - ACK from me.

Martin



Thanks, pushed to master: 81b0e7466d739a61b16c0e79c660a9f85d073c8c

--
PetrĀ³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] Do not ask for memberindirect when updating managed permissions

2014-04-16 Thread Jan Cholasta

On 11.4.2014 13:31, Petr Viktorin wrote:

One of the default_attributes of permission is memberofindirect, a
virtual attribute manufactured by ldap2, which is set when a permission
is part of a role.
When update_entry is called on an entry with memberofindirect, ipaldap
tries to add the attribute to LDAP and fails with an objectclass violation.

Do not ask for memberindirect when retrieving the entry.



CCing Honza since he designs ipaldap. Virtual attributes are often
helpful, and in any case IPA uses them a lot and having to filter them
out every time is error-prone.
Maybe we should add support for them directly in ipaldap -- e.g. an
attribute set by `entry.virtual[attr_name] = [x]` would be visible in
entry[attr_name] but would not be synced back to LDAP?



I would prefer if we stopped abusing LDAPEntry to handle non-LDAP stuff 
in the future. Your suggestion works in sort of opposite direction, so I 
can't say I like it.


Currently we use LDAPEntry in frontend code directly, but I think that's 
wrong. There should be a frontend-specific class for this (make 
ipalib.frontend.Object instantiable?) and LDAPEntry should be used 
(almost) only in backend code.


Honza

--
Jan Cholasta

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] Do not ask for memberindirect when updating managed permissions

2014-04-16 Thread Petr Viktorin

On 04/16/2014 10:35 AM, Jan Cholasta wrote:

On 11.4.2014 13:31, Petr Viktorin wrote:

One of the default_attributes of permission is memberofindirect, a
virtual attribute manufactured by ldap2, which is set when a permission
is part of a role.
When update_entry is called on an entry with memberofindirect, ipaldap
tries to add the attribute to LDAP and fails with an objectclass
violation.

Do not ask for memberindirect when retrieving the entry.



CCing Honza since he designs ipaldap. Virtual attributes are often
helpful, and in any case IPA uses them a lot and having to filter them
out every time is error-prone.
Maybe we should add support for them directly in ipaldap -- e.g. an
attribute set by `entry.virtual[attr_name] = [x]` would be visible in
entry[attr_name] but would not be synced back to LDAP?



I would prefer if we stopped abusing LDAPEntry to handle non-LDAP stuff
in the future. Your suggestion works in sort of opposite direction, so I
can't say I like it.

Currently we use LDAPEntry in frontend code directly, but I think that's
wrong. There should be a frontend-specific class for this (make
ipalib.frontend.Object instantiable?) and LDAPEntry should be used
(almost) only in backend code.


Right, that's the way to go long-term. Virtual attributes could be a 
stop-gap solution before we get there, since to remove this from ldap2 
we'd need to change all the plugins that use it.


Thinking about it more, it probably would be too much work for a workaround.

--
PetrĀ³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] Do not ask for memberindirect when updating managed permissions

2014-04-16 Thread Simo Sorce
On Wed, 2014-04-16 at 10:35 +0200, Jan Cholasta wrote:
 On 11.4.2014 13:31, Petr Viktorin wrote:
  One of the default_attributes of permission is memberofindirect, a
  virtual attribute manufactured by ldap2, which is set when a permission
  is part of a role.
  When update_entry is called on an entry with memberofindirect, ipaldap
  tries to add the attribute to LDAP and fails with an objectclass violation.
 
  Do not ask for memberindirect when retrieving the entry.
 
 
 
  CCing Honza since he designs ipaldap. Virtual attributes are often
  helpful, and in any case IPA uses them a lot and having to filter them
  out every time is error-prone.
  Maybe we should add support for them directly in ipaldap -- e.g. an
  attribute set by `entry.virtual[attr_name] = [x]` would be visible in
  entry[attr_name] but would not be synced back to LDAP?
 
 
 I would prefer if we stopped abusing LDAPEntry to handle non-LDAP stuff 
 in the future. Your suggestion works in sort of opposite direction, so I 
 can't say I like it.
 
 Currently we use LDAPEntry in frontend code directly, but I think that's 
 wrong. There should be a frontend-specific class for this (make 
 ipalib.frontend.Object instantiable?) and LDAPEntry should be used 
 (almost) only in backend code.

+1

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] Do not ask for memberindirect when updating managed permissions

2014-04-16 Thread Martin Kosek
On 04/16/2014 03:52 PM, Simo Sorce wrote:
 On Wed, 2014-04-16 at 10:35 +0200, Jan Cholasta wrote:
 On 11.4.2014 13:31, Petr Viktorin wrote:
 One of the default_attributes of permission is memberofindirect, a
 virtual attribute manufactured by ldap2, which is set when a permission
 is part of a role.
 When update_entry is called on an entry with memberofindirect, ipaldap
 tries to add the attribute to LDAP and fails with an objectclass violation.

 Do not ask for memberindirect when retrieving the entry.



 CCing Honza since he designs ipaldap. Virtual attributes are often
 helpful, and in any case IPA uses them a lot and having to filter them
 out every time is error-prone.
 Maybe we should add support for them directly in ipaldap -- e.g. an
 attribute set by `entry.virtual[attr_name] = [x]` would be visible in
 entry[attr_name] but would not be synced back to LDAP?


 I would prefer if we stopped abusing LDAPEntry to handle non-LDAP stuff 
 in the future. Your suggestion works in sort of opposite direction, so I 
 can't say I like it.

 Currently we use LDAPEntry in frontend code directly, but I think that's 
 wrong. There should be a frontend-specific class for this (make 
 ipalib.frontend.Object instantiable?) and LDAPEntry should be used 
 (almost) only in backend code.
 
 +1
 
 Simo.

We are then stuck with Petr's original patch 518 - ACK from me.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel