[Freeipa-devel] [PATCH] 19 Cleanup for netgroup search

Jan Zeleny jzeleny at redhat.com
Thu Feb 17 18:53:22 UTC 2011


JR Aquino <JR.Aquino at citrix.com> wrote:
> On 2/17/11 3:23 AM, "Jan Zelený" <jzeleny at redhat.com> wrote:
> >JR Aquino <JR.Aquino at citrix.com> wrote:
> >> This patch fixes the netgroup plugin's behavior of adding duplicate entries
> >> when the managed entry plugin creates a netgroup with a mepManagedEntry.
> >> This problem is documented in ticket:
> >> https://fedorahosted.org/freeipa/ticket/963
> >> 
> >> As noted by Endi for issue #3 in the History:
> >> "3. Just out of curiosity, I tried adding a netgroup with the same name as
> >> the hostgroup. I expected it to conflict with the managed netgroup, but it
> >> actually worked. Searching the directory will return 2 netgroups with the
> >> same name:"
> >>
> >> Historically the netgroup plugin had inappropriately defined:
> >> rdn_attribute = 'ipauniqueid'
> >> This caused the ability of duplication with the creation
> >> of native netgroups using the ipaUniqueId as the DN and as the Managed
> >> Entry netgroups utilizing the cn as the DN.
> >> 
> >> Patch includes adjustments for the netgroup plugin and corresponding
> >> test_netgroup_plugin
> >> 
> >> Please verify that the items requested in #963 are now complete and please
> >> confirm that the corresponding tests all pass.
> >
> >One test fails:
> >FAIL: test_netgroup[30]: netgroup_remove_member: Remove netgroup u'netgroup2' from netgroup u'netgroup1'
> >
> >Command ipa host-show still shows:
> >Member of netgroups: testhostgroup
> >
> >Also a little bit of nitpicking, I think the changed code in chunk 2 would
> >better look something like this:
> >
> >search_kw = {}
> >search_kw['objectclass'] = ['mepManagedEntry']
> >
> >if not options['private']:
> >    local_filter = ldap.make_filter(search_kw, rules=ldap.MATCH_NONE)
> >else:
> >    local_filter = ldap.make_filter(search_kw, rules=ldap.MATCH_ALL)
> >
> >filter = ldap.combine_filters((local_filter, filter), rules=ldap.MATCH_ALL)
> >
> >--
> >Jan
> 
> It was determined that the ipauniqueid is required for the DN on these objects.
> It's an ipaAssociation which uses it as the rdn, if we change the problems cascade.
> 
> This patch has now changed to reflect the optimization in the netgroup
> search instead.
> It provides a cleaner method of performing a netgroup search for native
> netgroups and allows for the --private search to only display the
> mepManagedEntry netgroups, rather than ALL netgroups. Previously --private
> would return ALL netgroups.
> 
> This means there is no need to modify test_netgroup_plugin.
> 
> Please verify that the optimization / bugfix passes the standard
> test_netgroup_plugin.

Ack

Jan
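
The filter logic suggested in the quoted review, worked through as an added example that is not part of the thread or of FreeIPA's code: `make_filter`, `combine_filters`, `render`, `matches` and the `MATCH_*` constants are hypothetical stand-ins named after the calls in the snippet, and the entries are constructed. It shows the filter built with and without `--private` and which entries each one selects.

```python
# Added illustration, not FreeIPA code: make_filter, combine_filters and
# MATCH_* are hypothetical stand-ins named after the calls in the thread.
MATCH_ALL, MATCH_ANY, MATCH_NONE = "&", "|", "!"

def escape(value):
    """Escape RFC 4515 special characters in an assertion value."""
    for ch in "\\*()\0":  # backslash first so added escapes are not re-escaped
        value = value.replace(ch, "\\%02x" % ord(ch))
    return value

def make_filter(kw, rules=MATCH_ALL):
    """Build a filter tree from {attribute: [values]}."""
    terms = [("=", a, v) for a, vals in kw.items() for v in vals]
    if rules == MATCH_NONE:
        return ("!", [(MATCH_ANY, terms)])  # none of the terms may match
    return (rules, terms)

def combine_filters(filters, rules=MATCH_ALL):
    return (rules, list(filters))

def render(node):
    if node[0] == "=":
        return "(%s=%s)" % (node[1], escape(node[2]))
    return "(%s%s)" % (node[0], "".join(render(c) for c in node[1]))

def matches(node, entry):
    """Evaluate a filter tree against one entry (dict of attribute lists)."""
    if node[0] == "=":
        return node[2].lower() in [v.lower() for v in entry.get(node[1], [])]
    results = [matches(c, entry) for c in node[1]]
    if node[0] == "!":
        return not results[0]
    return all(results) if node[0] == "&" else any(results)

def netgroup_filter(base, private):
    """--private selects only managed entries; the default excludes them."""
    kw = {"objectclass": ["mepManagedEntry"]}
    local = make_filter(kw, MATCH_ALL if private else MATCH_NONE)
    return combine_filters((local, base), MATCH_ALL)

# Constructed sample entries: one native netgroup, one managed netgroup.
ENTRIES = [
    {"cn": ["netgroup1"], "objectclass": ["ipaAssociation"]},
    {"cn": ["testhostgroup"], "objectclass": ["ipaAssociation", "mepManagedEntry"]},
]

def search(base, private):
    f = netgroup_filter(base, private)
    return render(f), [e["cn"][0] for e in ENTRIES if matches(f, e)]
```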



