
Re: [Freeipa-devel] things to be stored



Simo Sorce wrote:
On Fri, 2007-11-02 at 11:52 -0400, Rob Crittenden wrote:
I could care less how the configuration is stored in LDAP, either as an extensibleObject or with its own schema, but here is the stuff I need stored somewhere:

userSearchFields, a list of attributes e.g. uid,givenName,sn,telephoneNumber,ou,title

Does this need to be ordered? Or will a multivalued attribute suffice?

I don't think ordering matters. I'm just going to pass this to search_s().

searchTimeLimit, an integer, e.g. 2

customFields, a set of tuples of the form (label, attribute, required). All are strings. required is a boolean but will contain "true" or "false". This needs to be extensible as at some point we'll add a validator as well, and who knows what else, maybe things to limit field length, min/max size, etc.

The current hardcoded version, in python, looks like:

         schema = [
           { 'label': 'See Also',
             'field': 'seeAlso',
             'required': 'true', } ,
           { 'label': 'O O O',
             'field': 'o',
             'required': 'false', } ,
         ]

ok all these strings seem to have a well defined syntax, can you do it
with a multivalued attribute like?
IpaGuiCustomField: See Also$seeAlso$true
IpaGuiCustomField: My attribute$myAttr$false

Do they need to be ordered?
can $ be a valid value in a Label ?

I think we should assume that ordering matters here.

We can probably use whatever separator we want. I can URL-encode the individual components for safety. I can see someone putting a $ in a field though, perhaps "Salary $"?

Another thing we need to think about is how I'll fetch this from the server. Currently all requests to the server need to be authenticated but it would probably be better performance-wise to grab this at startup time. So should we allow unauthenticated requests to the XML-RPC interface? Currently the whole thing requires SSL and kerberos.

The server itself accepts anonymous connections, so we have 2 options I
guess:
1) let's permit anonymous searches on the IPA GUI conf container
2) let's give turbogear a keytab (it can probably just use the apache
keytab anyway) to access this information.

We don't want any special sauce that only our web-gui can use. Every interface needs to be public if at all possible (so others can dump our GUI if they want and have the same capabilities).

And for a little more info.

If we have an unauthenticated URI it means I'll need to make another XML-RPC listener. Not a huge deal but it will be some work.

If this stuff is only read on start-up it means that the web interface needs to be restarted when changes are made. Is it acceptable to simply retrieve this each time?

rob
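
The URL-encoding of individual components suggested in the message above, as an added example that is not part of the original thread or of FreeIPA's code. The function names and the "salary" attribute are hypothetical; the `$` separator, the three components and the dict keys come from the thread.

```python
from urllib.parse import quote, unquote

SEP = "$"  # separator from the IpaGuiCustomField proposal in the thread


def encode_custom_field(label, attribute, required):
    """Build one attribute value; each component is percent-encoded first."""
    if required not in ("true", "false"):
        raise ValueError("required must be the string 'true' or 'false'")
    # safe="" so every reserved character, '$' included, is escaped
    return SEP.join(quote(p, safe="") for p in (label, attribute, required))


def decode_custom_field(value):
    """Parse one value back into the dict shape of the hardcoded schema."""
    parts = value.split(SEP)
    if len(parts) != 3:
        # An unescaped '$' inside a component shows up here as a wrong count
        raise ValueError("expected 3 components, got %d: %r" % (len(parts), value))
    label, attribute, required = (unquote(p) for p in parts)
    if required not in ("true", "false"):
        raise ValueError("bad required flag: %r" % required)
    return {"label": label, "field": attribute, "required": required}


def naive_decode(value):
    """Unescaped split, for contrast: a '$' in the label shifts the fields."""
    return value.split(SEP)


if __name__ == "__main__":
    # Constructed sample values; "Salary $" is the label mentioned in the thread
    stored = encode_custom_field("Salary $", "salary", "false")
    print(stored)                                 # encoded form kept in LDAP
    print(decode_custom_field(stored))            # round-trips the label
    print(naive_decode("Salary $$salary$false"))  # four parts instead of three
```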
