Pavel Zůna wrote:
Hi,
I didn't want to quote the already over-quoted e-mail about DNs from
Rich, so I'm "starting a new thread". :)
Anyway, if I understand correctly, we should stop using quoted strings
in DNs and use escapes instead, so:
This: cn="dc=example,dc=com",dc=example,dc=com
Becomes this: cn=dc\=example\,dc\=com,dc=example,dc=com
ldap2 was designed to produce DNs like this, but we still use the old
LDAPv2 style in a lot of places, so we made it possible to disable DN
normalization and stopped escaping characters in quoted attribute
values. This introduced the recent problems with python-ldap functions
blowing up in our faces, when a plugin author didn't check his DNs
manually.
With your approval, I would like to make sure we switch to the new
LDAPv3 style DNs everywhere, because:
1) it's going to prevent future problems if strict DN syntax checking is
turned on (Rich was talking about this)
2) we'll be able to use ldap2 methods to build DNs everywhere,
preventing python-ldap calls from blowing up
3) we'll be able to remove the ability to disable DN normalization as it
won't be needed anymore, thus simplifying our LDAP API
When this is done, we should encourage plugin authors to use our
framework to build DNs instead of doing it manually, because it's
fail-safe and will work even if the location where the entries are
stored changes.
Example: building DNs for CoS entries of password policies:
group = 'some_group_name'
container_costemplates = 'cn=cosTemplates,%s' % api.env.container_accounts
group_dn = api.Object.group.get_dn(group)
cos_dn = ldap2.make_dn_from_attr(
    'cn', group_dn, container_costemplates
)
Yes go ahead, we need to do this to support the upcoming strict
enforcement in 389-ds.
Note that you may still need to retain the ability to skip the
normalizer. The KDC ldap plugin is extremely picky about DN format.
You'll know quickly enough if things are working by creating some group
password policy and seeing if it is enforced.
rob
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel