[Freeipa-devel] get_entry_by_dn() in client requires prior search
Rob Crittenden
rcritten at redhat.com
Thu Nov 15 16:44:01 UTC 2007
John Dennis wrote:
> get_entry_by_dn() cannot be called from the client side unless you've
> previously done a search that returns an Entity with the dn in it.
>
> But why have to do a search first if you already know or can compute the
> dn, why not just call get_entry_by_dn()?
>
> The reason you can't call get_entry_by_dn() from a client is you don't
> know the suffix.
>
> How about if IPAServer.get_entry_by_dn() checked for the suffix in the
> dn, if it were missing it would add it for you. Anybody see a problem
> with that?
Just the baseDN or some other part of the tree? It still might end up
failing as we don't advertise that users are in cn=accounts and groups
in cn=groups.
Perhaps we need a get_entry_by_attr(value, attr) which does a search for
'attr=value' and returns whatever is found.
> This would also reduce the need to write a lot of get_entry_by_XXX()
> functions because in many cases the caller of that search knows a priori
> what the dn would be, just not the suffix.
>
> BTW, we could add an rpc function to return the suffix in order to build
> the dn, but that would introduce an unnecessary round trip and negate
> the advantage.
Yup, though that is probably computable based on the domain since it is
always dc=domain,dc=foo.
rob
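
The two ideas in this thread (completing a suffix-less dn on the server, and a generic attr=value lookup) sketched as an added example; this is not code from the message or from FreeIPA. The helper names `suffix_from_domain`, `ensure_suffix` and `attr_filter` are hypothetical, the suffix is assumed to follow the dc=domain,dc=foo layout mentioned above, and DNs are assumed to contain no escaped commas.

```python
import re

# Attribute names: a letter, then letters, digits or hyphens.
_ATTR_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*")
# Characters that RFC 4515 requires to be escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28",
                   ")": r"\29", "\x00": r"\00"}


def suffix_from_domain(domain):
    """'example.com' -> 'dc=example,dc=com' (assumed suffix layout)."""
    labels = [p for p in domain.strip(".").lower().split(".") if p]
    if not labels or not all(re.fullmatch(r"[a-z0-9-]+", p) for p in labels):
        raise ValueError("not a usable DNS domain: %r" % domain)
    return ",".join("dc=" + p for p in labels)


def _norm(dn):
    # Case- and whitespace-insensitive comparison form of a DN.
    # Simplification: does not handle escaped commas inside RDN values.
    return ",".join(part.strip().lower() for part in dn.split(","))


def ensure_suffix(dn, suffix):
    """Append the suffix only when the caller's dn does not already end with it."""
    n_dn, n_suffix = _norm(dn), _norm(suffix)
    if n_dn == n_suffix or n_dn.endswith("," + n_suffix):
        return dn
    return dn + "," + suffix


def attr_filter(attr, value):
    """Build the '(attr=value)' search filter for a client-supplied value.

    The value arrives over RPC, so it is escaped before it is placed in
    the filter; otherwise '*' or ')' in it would change what is matched.
    """
    if not _ATTR_RE.fullmatch(attr):
        raise ValueError("invalid attribute name: %r" % attr)
    return "(%s=%s)" % (attr, "".join(_FILTER_ESCAPES.get(c, c) for c in value))


if __name__ == "__main__":
    suffix = suffix_from_domain("example.com")        # constructed sample domain
    print(ensure_suffix("uid=jdoe,cn=accounts", suffix))
    print(attr_filter("uid", "*)(uid=*"))             # constructed hostile value
```
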