[Freeipa-devel] [PATCHES] 0016-17 Fixes for{add, set, del}attr with managed attributes
Rob Crittenden
rcritten at redhat.com
Wed Feb 29 14:50:23 UTC 2012
Petr Viktorin wrote:
> On 02/27/2012 11:03 PM, Rob Crittenden wrote:
>> Petr Viktorin wrote:
>>> Patch 16 defers validation & conversion until after {add,del,set}attr is
>>> processed, so that we don't search for an integer in a list of strings
>>> (this caused ticket #2405), and so that the end result of these
>>> operations is validated (#2407).
>>>
>>>
>>> Patch 17 makes these options honor params marked no_create and
>>> no_update.
>>>
>>>
>>> https://fedorahosted.org/freeipa/ticket/2405
>>> https://fedorahosted.org/freeipa/ticket/2407
>>> https://fedorahosted.org/freeipa/ticket/2408
>>
>> NACK on Patch 17 which breaks patch 16.
>
> How is patch 16 broken? It works for me.
My point is they rely on one another, IMHO, so without 17 the reported
problem still exists.
>
>> *attr is specifically made to be powerful. We don't want to arbitrarily
>> block updating certain values.
>
> Noted
>
>> Not having patch 17 means that the problem reported in 2408 still
>> occurs. It should probably check both the schema and the param to
>> determine if something can have multiple values and reject that way.
>
> I see the problem now: the certificate subject base is defined as a
> multi-value attribute in the LDAP schema. If it's changed to
> single-value the existing validation should catch it.
>
> Also, most of the config attributes should probably be required in the
> schema. Am I right?
>
> I'm a newbie here; what do I need to do when changing the schema? Is
> there a patch that does something similar I could use as an example?
>
The framework should be able to impose its own single-value will as
well. If a Param is designated as single-value the *attr should honor it.
Updating schema is a bit of a nasty business right now. See
10-selinuxusermap.update for an example.
rob
More information about the Freeipa-devel
mailing list