[Freeipa-devel] [PATCH] Add group plugin port to new LDAP backend.

Jason Gerard DeRose jderose at redhat.com
Thu May 14 19:59:32 UTC 2009 

On Wed, 2009-05-13 at 20:56 +0200, Pavel Zuna wrote:
> Rob Crittenden wrote:
> > Pavel Zuna wrote:
> >> Rob Crittenden wrote:
> >>> Pavel Zuna wrote:
> >>>> Rob Crittenden wrote:
> >>>>> Pavel Zuna wrote:
> >>>>>> By the way, there's a little bug I discovered while testing this 
> >>>>>> plugin. It affects the old group plugin as well. When trying to 
> >>>>>> modify a group into a posixGroup, gidNumber doesn't get generated 
> >>>>>> automatically resulting in a object violation LDAP error. Solution 
> >>>>>> is to generate it ourselves, but I didn't know how it works, so I 
> >>>>>> commented that part out for now. (/FIXME in vim)
> >>>>>>
> >>>>>
> >>>>> This should be fixed in FDS 1.2. Can you update and give it a try?
> >>>>>
> >>>>> rob
> >>>> Sure, just updated and you're right, it works.  :)
> >>>> Updated patch attached.
> >>>>
> >>>> Pavel
> >>>
> >>> nack. This won't handle someone using group-mod to set a specific 
> >>> gidnumber. The posixGroup objectclass won't be added.
> >>>
> >>> rob
> >> Fixed patch attached.
> >>
> >> Pavel
> > 
> > The basegroup2 part looks ok but nack on group2.
> > 
> > I think we should stick with using lower-case attribute names as a rule 
> > of thumb rather than camel case. In any case you test for the string 
> > posixGroup is in the list of objectclasses, this test needs to be case 
> > insensitive.
> When no attributes to retrieve are specified, python-ldap retrieves them all in 
> the original form - camel case. If we specify them, then it returns them in the 
> same form as we requested them. The new LDAP backend doesn't use CIDicts 
> anymore, but only the normal python dict type, so everything is case sensitive. 
> Of course I can make it return attribute names always as lowercase if that's 
> what we want.

+1.  I personally think this is the best approach.

> > I also wonder if we should be using ldap.get_entry(). Why use this over 
> > group-show?
> It's faster, because we call get_entry directly and because we can request 
> objectClass attribute only. Why invoke an IPA command instead of a making a 
> direct call?
> 
> > I'm not sure if the logic around setting gidnumber is right. If you set 
> > the gidnumber but aren't using the --posix flag it looks like it will 
> > always append posixgroup to the list of objectclasses. I'm pretty sure 
> > the LDAP server is going to reject the update. I suppose making a 
> > list(set(objectclasses)) would work for de-duping.
> You're right, it's broken. I'll fix it.
> 
> Pavel
> 
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

More information about the Freeipa-devel mailing list