[Freeipa-devel] [PATCH] Add group plugin port to new LDAP backend.

Jason Gerard DeRose jderose at redhat.com
Wed May 20 22:52:37 UTC 2009


ack.  pushed to master.

On Tue, 2009-05-19 at 10:29 +0200, Pavel Zuna wrote:
> Jason Gerard DeRose wrote:
> > On Wed, 2009-05-13 at 14:04 -0400, Rob Crittenden wrote:
> >> Pavel Zuna wrote:
> >>> Rob Crittenden wrote:
> >>>> Pavel Zuna wrote:
> >>>>> Rob Crittenden wrote:
> >>>>>> Pavel Zuna wrote:
> >>>>>>> By the way, there's a little bug I discovered while testing this 
> >>>>>>> plugin. It affects the old group plugin as well. When trying to 
> >>>>>>> modify a group into a posixGroup, gidNumber doesn't get generated 
> >>>>>>> automatically resulting in an object violation LDAP error. Solution 
> >>>>>>> is to generate it ourselves, but I didn't know how it works, so I 
> >>>>>>> commented that part out for now. (/FIXME in vim)
> >>>>>>>
> >>>>>> This should be fixed in FDS 1.2. Can you update and give it a try?
> >>>>>>
> >>>>>> rob
> >>>>> Sure, just updated and you're right, it works.  :)
> >>>>> Updated patch attached.
> >>>>>
> >>>>> Pavel
> >>>> nack. This won't handle someone using group-mod to set a specific 
> >>>> gidnumber. The posixGroup objectclass won't be added.
> >>>>
> >>>> rob
> >>> Fixed patch attached.
> >>>
> >>> Pavel
> >> The basegroup2 part looks ok but nack on group2.
> > 
> > So is there an update on this yet, Pavel?  I was trying to review your
> > 0001-Fix-counting..., 0002-Add-houstgroup..., and 0003-Add-netgroup...
> > patches, but they depend on this patch here.
> 
> Attached, but camelCase is still there for now. I'm currently testing 
> the Encoder class with ldap2 and will post a patch soon that makes all 
> plugins2 use lowercase when referring to LDAP attributes.
> 
> >> I think we should stick with using lower-case attribute names as a rule 
> >> of thumb rather than camel case. In any case, where you test whether the 
> >> string posixGroup is in the list of objectclasses, this test needs to be 
> >> case insensitive.
> >>
> >> I also wonder if we should be using ldap.get_entry(). Why use this over 
> >> group-show?
> >>
> >> I'm not sure if the logic around setting gidnumber is right. If you set 
> >> the gidnumber but aren't using the --posix flag it looks like it will 
> >> always append posixgroup to the list of objectclasses. I'm pretty sure 
> >> the LDAP server is going to reject the update. I suppose making a 
> >> list(set(objectclasses)) would work for de-duping.
> >>
> >> rob
> > 
> Pavel
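
The two review points quoted above (a case-insensitive objectclass test, and not appending posixgroup a second time when a gidnumber is set) can be sketched as follows. This is an added example, not code from the patch or from FreeIPA; the function names, the shape of the returned update dict and the sample entries are hypothetical and constructed for illustration.

```python
def has_objectclass(objectclasses, name):
    """Case-insensitive membership test: 'posixGroup' and 'posixgroup' match."""
    wanted = name.lower()
    return any(oc.lower() == wanted for oc in objectclasses)


def dedupe_objectclasses(objectclasses):
    """Drop duplicates that differ only in case, keeping order and first spelling.

    A plain list(set(...)) compares strings case-sensitively, so it would keep
    both 'posixGroup' and 'posixgroup', and it would also lose the ordering.
    """
    seen = set()
    result = []
    for oc in objectclasses:
        key = oc.lower()
        if key not in seen:
            seen.add(key)
            result.append(oc)
    return result


def plan_group_mod(current_objectclasses, posix=False, gidnumber=None):
    """Build the attribute updates for a hypothetical group-mod call.

    posixgroup is added when the caller asks for a POSIX group or sets a
    specific gidnumber, but only if the entry does not already carry it.
    """
    updates = {}
    if gidnumber is not None:
        updates['gidnumber'] = str(gidnumber)
    if (posix or gidnumber is not None) and not has_objectclass(
            current_objectclasses, 'posixgroup'):
        updates['objectclass'] = dedupe_objectclasses(
            list(current_objectclasses) + ['posixgroup'])
    return updates


if __name__ == '__main__':
    # Constructed sample entries, not taken from a real directory.
    print(plan_group_mod(['top', 'groupofnames'], gidnumber=5000))
    print(plan_group_mod(['top', 'groupOfNames', 'posixGroup'], gidnumber=5000))
```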
