[Freeipa-devel] [PATCH] 319 Make ipakrbprincipal objectclass optional

Rob Crittenden rcritten at redhat.com
Wed Oct 3 12:41:30 UTC 2012


Martin Kosek wrote:
> On 10/02/2012 03:04 PM, Martin Kosek wrote:
>> On 10/02/2012 12:19 PM, Petr Viktorin wrote:
>>> On 10/01/2012 05:28 PM, Martin Kosek wrote:
>>>> From IPA 3.0, services have by default ipakrbprincipal objectclass which
>>>> allows ipakrbprincipalalias attribute used for case-insensitive principal
>>>> searches. However, as services created in previous version do not have
>>>> this objectclass (and attribute), they are not listed in service list
>>>> produced by service-find.
>>>>
>>>> Treat the ipakrbprincipal as optional to avoid missing services in
>>>> service-find command. Add flag to service-mod command which can fill
>>>> ipakrbprincipalalias attribute when case-insensitive principal searches
>>>> for a 2.x service are required.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/3106
>>>
>>> This works, I'm getting all services now & the tests pass.
>>>
>>>>
>>>> -----
>>>>
>>>> I am still pondering about a right way to fill ipakrbprincipalalias used for
>>>> IPA 3.0 case-insensitive searches, so far I implemented this command:
>>>>
>>>> ipa service-mod PRINCIPAL --update-principal-alias
>>>>
>>>> But I am thinking it may be a better approach to generalize it and do something
>>>> like that:
>>>>
>>>> ipa service-mod PRINCIPAL --upgrade/--update
>>>>
>>>> This command would do a general update of service entry to an up-to-date 3.0
>>>> style, in this case it could do 2 things:
>>>> * fill ipakrbprincipalalias
>>>> * fill ipakrbauthzdata (based on default value in IPA config).
>>>
>>> I don't think you're generalizing enough; `service-mod --upgrade` isn't that
>>> different from `service-mod --update-principal-alias --update-authzdata`.
>>> Scripting this to happen for all services could be a nuisance, though. There
>>> should be a way to upgrade all services at once, and since we already have
>>> ipa-ldap-updater for it, it should run as part of that.
>>>
>>> I think we should keep ipakrbprincipal optional, in case the upgrade goes wrong.
>>>
>>
>> I agree. I created an upgrade plugin which should update all services and fill
>> ipakrbprincipalalias during upgrade (attached). I tested 2.2 -> 3.0 upgrade and
>> it worked fine.
>>
>> Martin
>>
>
> There was a glitch in the loop repeating the update when LDAP limits are hit -
> thanks Petr Viktorin for noticing the issue. It is working now, I tried with 10
> affected services and search limit set to 1 entry - and the loop executed 10
> times as it was supposed to.
>
> I also disabled size/time limits for the search in the upgrade plugin. But it
> would also work if default IPA search limits (100 entries) are used, it should
> just make things faster.
>
> Martin

ACK, pushed to master and ipa-3-0.

I tested with > 2500 services.

rob
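
The repeat-until-not-truncated upgrade loop discussed in this thread, as an added example that is not code from the thread or from FreeIPA's upgrade plugin. The in-memory `Directory` class, the sample entries, and seeding the alias from `krbprincipalname` are assumptions made for illustration.

```python
# Added illustration: an in-memory stand-in for LDAP, not FreeIPA's plugin code.

class Directory:
    """Toy directory whose search enforces a server-side size limit."""

    def __init__(self, entries, size_limit):
        self.entries = entries          # dn -> attribute dict
        self.size_limit = size_limit    # 0 means unlimited

    def find_legacy_services(self):
        """Return (entries, truncated) for services lacking the alias."""
        hits = [(dn, e) for dn, e in sorted(self.entries.items())
                if "krbprincipalname" in e and "ipakrbprincipalalias" not in e]
        if self.size_limit and len(hits) > self.size_limit:
            return hits[:self.size_limit], True
        return hits, False


def upgrade_services(directory, max_passes=10000):
    """Fill ipakrbprincipalalias on every legacy service; return pass count."""
    passes = 0
    while True:
        passes += 1
        if passes > max_passes:
            # Guard: a batch that never shrinks would otherwise loop forever.
            raise RuntimeError("upgrade is not making progress")
        batch, truncated = directory.find_legacy_services()
        for dn, entry in batch:
            classes = entry.setdefault("objectclass", [])
            if "ipakrbprincipal" not in classes:
                classes.append("ipakrbprincipal")
            # Assumption: the alias is seeded from the principal name.
            entry["ipakrbprincipalalias"] = list(entry["krbprincipalname"])
        if not truncated:
            return passes


def make_legacy_services(count):
    """Constructed sample data: 2.x-style services without the objectclass."""
    entries = {}
    for i in range(count):
        principal = "HTTP/web%d.example.test@EXAMPLE.TEST" % i
        entries["krbprincipalname=%s,cn=services" % principal] = {
            "objectclass": ["krbprincipal", "ipaservice"],
            "krbprincipalname": [principal],
        }
    return entries
```

Updated entries no longer match the search, so each pass shrinks the remaining set; with 10 legacy services and a limit of 1 the loop runs 10 times.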



