[Freeipa-devel] [PATCH] 25 Create Tool for Enabling Disabling Managed Entry

JR Aquino JR.Aquino at citrix.com
Thu Apr 21 23:28:03 UTC 2011


On Apr 21, 2011, at 4:03 PM, "Simo Sorce" <ssorce at redhat.com> wrote:

On Thu, 2011-04-21 at 15:30 -0400, Dmitri Pal wrote:
On 04/21/2011 03:17 PM, JR Aquino wrote:
This patch addresses ticket:
* https://fedorahosted.org/freeipa/ticket/1181

This patch provides:
* ipa-managed-entries tool which can enable/disable any of the managed entry plugins without the need of separate tools.
   -When run without any arguments, the tool will display a list of available plugins detected inside of /usr/share/ipa (this directory can be overridden with the --dir flag)
* Man Page documenting the tool usage.
* The removal of install/tools/ipa-host-net-manage and install/tools/man/ipa-host-net-manage.1
* Modification to ldap2.py: Added method for verifying upg is disabled by objectfilter: objectclass=disabled.
   The current code assumes that the user private group managed plugin is disabled, if the managed plugin entry is not present.
   Due to bug https://bugzilla.redhat.com/show_bug.cgi?id=660399, the running system will prohibit you from removing a Managed Entry plugin.

NOTE:
   As I was writing this tool, I noticed that in addition to Managed Entry tools, we also seem to have Schema Compatibility management tools.
   I had considered rolling support for those plugins as well, but after further inspection, it appears that there is hierarchical way to determine our current 'Compatibility Plugins' via looking at the .uldif files.
   The method employed by the managed entry tool checks to see if the .ldif file contains a modification which adds an object to the container: cn=Managed Entries,cn=plugins,cn=config.
   If there is interest in it, we could consolidate ipa-compat-manage and ipa-nis-manage by deciding on a default Container for Compat plugins to be located in such as: "cn=Schema Compatibility,cn=plugins,cn=config"
   This would potentially give us 1 tool: ipa-plugin-manage that could handle the enabling / disabling of Compat and Managed Entry Plugins...


Please log an enhancement ticket. I think it will be deferred but
having it in the backlog would be good.

Please note that the schema compatibility plugin enabling/disabling
should behave differently from the managed entries enabling/disabling.

The schema compat plugins configurations are per server, so that you can
decide which servers show it and which one doesn't (you may have many
masters and only a few allocated to serve legacy machines that need the
compat tree). This also means that you have to go to each server to
enable/disable the compat trees. This should be made abundantly clear in
the documentation of the respective tools.


The managed entries stuff instead should be global, and shouldn't touch
entries under cn=config (as they are local). If it does please let me
know.
Hmmm
Both Private Groups and the Hostgroup -> Netgroup Managed Entries create objects in the container:
cn=Managed Entries,cn=plugins,cn=config

Each Ldif contains 2 ldap objects. One that lives in the main $SUFFIX, and one in the cn=config

How will these be treated by replication and the multi masters?


Simo.

--
Simo Sorce * Red Hat, Inc * New York
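
The detection method and the local-versus-replicated question raised in this message, as an added example that is not part of the original email or of FreeIPA's code: it scans LDIF text for entries under cn=Managed Entries,cn=plugins,cn=config and labels every entry in the file as server-local (under cn=config) or replicated (under the suffix). The sample LDIF, the suffix dc=example,dc=com and all function names are constructed for illustration, and matching is on the DN only.

```python
MANAGED_CONTAINER = "cn=managed entries,cn=plugins,cn=config"
SUFFIX = "dc=example,dc=com"  # assumed suffix for the constructed sample

# Constructed sample (not a FreeIPA file): one entry in the suffix, one under
# cn=config; the second DN is folded across two lines as RFC 2849 allows.
SAMPLE = """\
dn: cn=NGP HGP Template,cn=Templates,cn=Managed Entries,cn=etc,dc=example,dc=com
changetype: add
objectclass: extensibleObject

dn: cn=NGP Definition,cn=Managed Entries,cn=plug
 ins,cn=config
changetype: add
objectclass: extensibleObject
"""

def normalize_dn(dn):
    """Lower-case a DN and trim spaces around commas (no escaped-comma support)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldif_dns(text):
    """Return every record DN, unfolding continuation lines (no base64 'dn::')."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # continuation of the previous line
        else:
            lines.append(raw)
    return [l[3:].strip() for l in lines if l.lower().startswith("dn:")]

def classify(text, suffix=SUFFIX):
    """Label each DN: managed-entry-config, server-local, replicated or unknown."""
    labels = {}
    for dn in parse_ldif_dns(text):
        n = normalize_dn(dn)
        if n.endswith("," + MANAGED_CONTAINER):
            labels[dn] = "managed-entry-config"  # under cn=config, so also local
        elif n == "cn=config" or n.endswith(",cn=config"):
            labels[dn] = "server-local"
        elif n == normalize_dn(suffix) or n.endswith("," + normalize_dn(suffix)):
            labels[dn] = "replicated"
        else:
            labels[dn] = "unknown"
    return labels

def is_managed_entry_ldif(text):
    """True if the LDIF has an entry under the Managed Entries plugin container."""
    return "managed-entry-config" in classify(text).values()
```

Run against each plugin LDIF, a "managed-entry-config" or "server-local" label marks the entries that would have to be applied on every master separately.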
