On 09/15/2015 04:58 AM, Jan Cholasta wrote:
On 15.9.2015 10:23, Tomas Babej wrote:
Hi,
from DS 1.3.3, the memberOf and referential integrity plugins have been
converted to backend transaction plugins, which means that failures in
these plugins will propagate and cause abort of the operation that
triggered them. [1]
I.e. in case of memberOf plugin, if a operation triggered an addition of
memberOf attribute, and that addition failed, the operation itself did
succeed in spite of this failure. This is no longer the case.
IMO the new transacted behavior is correct - the original operation and
all of the triggered operations should succeed or fail together.
We have been already hit by this issue in winsync agreement setup:
https://bugzilla.redhat.com/show_bug.cgi?id=1262315
However, there is little special about this case and there might be
multiple such entries in IPA which are added as group members,
but do not contain an objectclass which allows memberOf attribute.
So we need to step back and think - are there any other entries where
this change of behaviour will hit us?
As far as ipalib is concerned, these are the objects which may have
the memberOf attribute (with object class providing it in parentheses):
group (netstedGroup)
hbacsvc (ipaHBACService)
host (ipaHost)
hostgroup (netstedGroup)
netgroup (ipaNISNetgroup)
privilege (nestedGroup)
role (nestedGroup)
service (ipaService)
sudocmd (NONE)
user (inetUser)
so memberOf needs to be added to ipaSudoCmd.
The config plugin lists memberOf as an operational attribute, which I
guess is no longer the case?
It should never have been an operational attribute. Perhaps this was a
"hack" to workaround the fact that there were objects/objectclasses
missing memberOf?
Also, memberOf is excluded from replication in
ipaserver/install/replication.py.
By design - all servers are expected to have the same memberOf plugin
configuration, and add memberOf locally.
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code