[Freeipa-devel] [PATCH] 25 Create Tool for Enabling Disabling Managed Entry
Martin Kosek
mkosek at redhat.com
Thu Sep 15 08:47:50 UTC 2011
On Thu, 2011-09-15 at 00:47 +0000, JR Aquino wrote:
> On Jul 22, 2011, at 7:05 AM, Martin Kosek wrote:
> > 5) I was thinking if there is a better solution to enabling/disabling of
> > the plugin. Likes setting something like "managedEntryEnabled" attribute
> > to on/off as we do with compat plugin. Current concept with disabling
> > the definition by damaging the originFilter and then restoring it from
> > an LDIF seems a bit awkward to me.
>
> This has been completely changed:
> Instead of looking to ldif files, an ldap look up is now performed to dynamically list the available managed entries.
Now we are talking :-) I like the new approach.
I have reviewed your patch, basic functionality looks good. But I still
have few (nitpicking) comments:
1) There are parts from the previous file that are no longer needed
since you switched to different approach:
+import os
+ from ipaserver.install.ldapupdate import LDAPUpdate, BadSyntax
+ import StringIO
+ import ldif
+except BadSyntax, e:
+ print "There is a syntax error in this update file:"
+ print " %s" % e
+ sys.exit(1)
2) I saw few whitespace errors on following lines of the patch: 419, 433
and 453
3) Output of the --list method is confusing:
# ipa-managed-entries --list
Directory Manager password:
Available Managed Entry Plugins:
cn=upg definition,cn=definitions,cn=managed
entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
cn=ngp definition,cn=definitions,cn=managed
entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
You must specify a managed entry definition <<<
# echo $?
1 <<<
a) I shouldn't be asked to specify a managed entry definition for --list
b) The listing was successful, so we shouldn't return error code
4) Return code for disabling an already disabled entry should be 2
(according to man pages):
# ipa-managed-entries -e 'cn=upg definition,cn=definitions,cn=managed entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' disable
Directory Manager password:
Plugin already disabled
# echo $?
0
5) Strange is, that enabling a disabled plugin gives me return code 2:
# ipa-managed-entries -e 'cn=upg definition,cn=definitions,cn=managed entries,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com' enable
Directory Manager password:
Enabling Plugin
# echo $?
2
Return codes for these actions should fit the man pages.
6) I would improve working with LDAP filters, current solution is error
prone. Try disabling&enabling NGP Defition, we end up with this
originFilter:
originfilter: (&(objectclass=ipahostgroup))
I think the cleanest solution would be to use ldap.make_filter and
ldap.combine_filters functions to play with these filter. You can
inspire yourself in this example I wrote for DNS plugin:
rev_zone_filter = ldap.make_filter(search_kw, rules=ldap.MATCH_NONE, exact=False,
trailing_wildcard=False)
filter = ldap.combine_filters((rev_zone_filter, filter), rules=ldap.MATCH_ALL)
7) Entering Directory Manager every time may be a bit tedious. Could we
use current Kerberos credentials and fall-back to asking Directory
Manager password if it doesn't work? Its already done this way in
ipa-replica-manage for example.
We could fix this, however, as an enhancement in another patch.
8) Man page - please use the new united FreeIPA man page header. Instead
of
+.TH "ipa-managed-entries" "1" "Sept 15 2011" "freeipa" ""
use:
+.TH "ipa-managed-entries" "1" "Sept 15 2011" "FreeIPA" "FreeIPA Manual
Pages"
9) Man page - comma is missing for --list option:
+\fB\-l\-\-list\fR
10) install/po/Makefile.in should be updated to: there is still
reference to ipa-host-net-manage and ipa-managed-entries reference is
missing
Martin
More information about the Freeipa-devel
mailing list