[Freeipa-devel] [PATCH] 272-273 Add service membership to host objects

Martin Kosek mkosek at redhat.com
Wed Jun 13 08:15:16 UTC 2012


On Mon, 2012-06-11 at 14:37 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Wed, 2012-06-06 at 09:11 +0200, Petr Vobornik wrote:
> >> On 06/06/2012 08:01 AM, Martin Kosek wrote:
> >>> On Tue, 2012-06-05 at 17:35 -0400, Rob Crittenden wrote:
> >>>> Martin Kosek wrote:
> >>>>> This set of patches
> >>>>> 1) Adds support for uni-directional remote membership to baseldap
> >>>>> plugin (like service->host membership in service managedby attribute) -
> >>>>> patch 272
> >>>>> 2) Adds support for service->host membership to host plugin using the
> >>>>> new interface - patch 273
> >>>>>
> >>>>> Martin
> >>>>
> >>>> Have you tried this in the UI? Are these new relationships already handled?
> >>>>
> >>>> rob
> >>>
> >>> I just checked that I didn't break anything in the host page. But with
> >>> this patch, we could add a tab with a list of services for a selected
> >>> host. I will check with Petr if the information we provide is enough.
> >>>
> >>> Martin
> >>>
> >>
> >> Provided information is sufficient for implementation of UI part.
> >>
> >
> > Thanks Petr, I created a ticket for Web UI to implement this new
> > relationship:
> > https://fedorahosted.org/freeipa/ticket/2812
> >
> > Martin
> >
> 
> This is displaying the DN of the service which is case-insensitive, so
> for example the HTTP principal shows as: http/ipa.example.com.  Perhaps
> take the RDN and pull that attribute specifically?
> 
> rob

Yes, this is caused by our (member) DN normalizing which is a more
general issue than this patch (I would not hold it because of that).

Look for example at roles, we also put all privileges member DNs to
lower case:

# ipa role-show helpdesk
  Role name: helpdesk
  Description: Helpdesk
> Privileges: modify users and reset passwords, modify group membership

DNs are normalized as well:
# ipa role-show helpdesk --all --raw
  dn: cn=helpdesk,cn=roles,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  cn: helpdesk
  description: Helpdesk
  memberof: cn=modify users and reset passwords,cn=privileges,cn=pbac,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
...

# ipa privilege-show "modify users and reset passwords"
  Privilege name: Modify Users and Reset passwords  <<< not lowercase


Bottom line is that I would not do any extra processing just for
"remote_attrs" (which would make it inconsistent with the rest). This
needs to be solved on a more global level.

I see there are at least these two tickets relevant to this issue:
#2620	renaming of objects is case insensitive
#2482	Sudo commands are case-insensitive

Martin
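
The mismatch discussed in this thread (a lowercased member DN next to the mixed-case name stored on the entry), as an added example that is not FreeIPA code and not part of the original message: the normalized DN is used only as a comparison key, and the display value is read from the target entry's RDN attribute. The helper names and the `ENTRIES` dict, which stands in for an LDAP lookup, are assumptions made for illustration.

```python
def split_rdns(dn):
    """Split a DN on unescaped commas (backslash escapes as in RFC 4514)."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur += dn[i:i + 2]          # keep the escape pair intact
            i += 2
            continue
        if dn[i] == ",":
            parts.append(cur.strip())
            cur = ""
        else:
            cur += dn[i]
        i += 1
    parts.append(cur.strip())
    return parts


def normalize_dn(dn):
    """Lowercased DN for comparison and lookup keys, not for display.

    Simplification: assumes every RDN attribute matches case-insensitively.
    """
    pairs = (rdn.partition("=") for rdn in split_rdns(dn))
    return ",".join(f"{a.strip().lower()}={v.strip().lower()}" for a, _, v in pairs)


def display_name(member_dn, entries):
    """Return the RDN attribute value as stored on the target entry."""
    attr, _, value = split_rdns(member_dn)[0].partition("=")
    attr, value = attr.strip().lower(), value.strip()
    entry = entries.get(normalize_dn(member_dn), {})
    for stored in entry.get(attr, []):
        if stored.lower() == value.lower():
            return stored               # original case from the entry
    return value                        # entry not found: fall back to the DN


# Constructed data standing in for an LDAP search; names follow the role example.
SUFFIX = "dc=idm,dc=lab,dc=bos,dc=redhat,dc=com"
PRIV_DN = f"cn=Modify Users and Reset passwords,cn=privileges,cn=pbac,{SUFFIX}"
ENTRIES = {normalize_dn(PRIV_DN): {"cn": ["Modify Users and Reset passwords"]}}
MEMBEROF = f"cn=modify users and reset passwords,cn=privileges,cn=pbac,{SUFFIX}"

if __name__ == "__main__":
    print(display_name(MEMBEROF, ENTRIES))
```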



