[Freeipa-devel] [PATCH 0073] Remove support for IPA deployments with no persistent search

Tomas Babej tbabej at redhat.com
Fri Aug 9 10:02:46 UTC 2013


On 08/08/2013 06:20 PM, Martin Kosek wrote:
> On 08/07/2013 04:52 PM, Tomas Babej wrote:
>> On 08/05/2013 05:59 PM, Martin Kosek wrote:
>>> On 07/17/2013 01:47 PM, Tomas Babej wrote:
>>>>> I will release version 3.5 before the end of this week. I have some small fixes
>>>>> ready so it is worth releasing it now.
>>>>>
>>>>> To summarize the discussion - please remove the following options from
>>>>> configuration file and LDAP schema:
>>>>> cache_ttl
>>>>> psearch (attribute idnsPersistentSearch in idnsConfigObject)
>>>>> zone_refresh (attribute idnsZoneRefresh in idnsConfigObject)
>>>>>
>>>>> -- 
>>>>> Petr^2 Spacek
>>>> I have a patch ready, but it can't be tested until 3.5 is out.
>>>>
>>>> Tomas
>>>>
>>> I did not test the patch yet, I just want to comment on one thing I just
>>> noticed.
>>>
>>> Is it a good idea to remove idnsZoneRefresh and idnsPersistentSearch
>>> attribute types and modify idnsConfigObject objectclass?
>>>
>>> This will affect not only new instances, but also the old ones (i.e. RHEL-6.4)
>>> which may still use these attributes. DNS config object would suddenly become
>>> unusable because DS would refuse to operate the entry as it does not follow the
>>> schema. The same applies for ACIs.
>>>
>>> I would personally not do these changes yet, I think just hiding and marking as
>>> DeprecatedParam is enough for now. Alexander, what do you think?
>>>
>>> Martin
>> We discussed this with Martin. I agreed it would be less cumbersome to
>> keep the attributes in schema for now.
>>
>> I retested the patches, updated versions attached.
>>
>> Petr, can bind-dyndb-ldap handle idnsConfigObject containing idnsPersistentSearch
>> and idnsZoneRefresh attributes?
>>
> I still see some schema and aci changes:
>
> --- a/install/updates/10-bind-schema.update
> +++ b/install/updates/10-bind-schema.update
> @@ -44,7 +44,7 @@ add:attributeTypes:
>         SUBSTR caseIgnoreIA5SubstringsMatch
>         SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
>         X-ORIGIN 'IPA v2' )
> -add:attributeTypes:
> +remove:attributeTypes:
>       ( 2.16.840.1.113730.3.8.5.16
>         NAME 'idnsZoneRefresh'
>         DESC 'zone refresh interval'
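
Review bot: the `remove:attributeTypes:` line for idnsZoneRefresh (OID 2.16.840.1.113730.3.8.5.16) should stay `add:attributeTypes:`. This file is applied on upgrade as well as on new installs, so the definition would disappear from servers whose DNS config entry may still hold the attribute, which is the schema-violation case raised earlier in the thread. Deprecating the option at the API level and leaving the schema definition in place avoids that. The same applies to the idnsPersistentSearch definition (OID 2.16.840.1.113730.3.8.5.17) in the next hunk.
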
> @@ -52,7 +52,7 @@ add:attributeTypes:
>         SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
>         SINGLE-VALUE
>         X-ORIGIN 'IPA v2' )
> -add:attributeTypes:
> +remove:attributeTypes:
>       ( 2.16.840.1.113730.3.8.5.17
>         NAME 'idnsPersistentSearch'
>         DESC 'allow persistent searches'
> @@ -65,8 +65,7 @@ add:objectClasses:
>         NAME 'idnsConfigObject'
>         DESC 'DNS global config options'
>         STRUCTURAL
> -      MAY ( idnsForwardPolicy $$ idnsForwarders $$ idnsAllowSyncPTR $$
> -        idnsZoneRefresh $$ idnsPersistentSearch
> +      MAY ( idnsForwardPolicy $$ idnsForwarders $$ idnsAllowSyncPTR
>         ) )
>   add:objectClasses:
>       ( 2.16.840.1.113730.3.8.12.18
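
Review bot: the shortened MAY list on idnsConfigObject no longer permits idnsZoneRefresh or idnsPersistentSearch, so an existing config entry carrying either attribute stops conforming to its objectclass. Restore the original two-line list, `MAY ( idnsForwardPolicy $$ idnsForwarders $$ idnsAllowSyncPTR $$ idnsZoneRefresh $$ idnsPersistentSearch`, as long as the attribute types themselves are kept in the schema.
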
>
> AND
>
> -    _write_dns_aci_entry = ['add:aci:\'(targetattr = "idnsforwardpolicy ||
> idnsforwarders || idnsallowsyncptr || idnszonerefresh ||
> idnspersistentsearch")(target = "ldap:///cn=dns,%(realm)s")(version 3.0;acl
> "permission:Write DNS Configuration";allow (write) groupdn = "ldap:///cn=Write
> DNS Configuration,cn=permissions,cn=pbac,%(realm)s";)\'' %
> dict(realm=api.env.basedn)]
> +    _write_dns_aci_entry = ['add:aci:\'(targetattr = "idnsforwardpolicy ||
> idnsforwarders || idnsallowsyncptr")(target =
> "ldap:///cn=dns,%(realm)s")(version 3.0;acl "permission:Write DNS
> Configuration";allow (write) groupdn = "ldap:///cn=Write DNS
> Configuration,cn=permissions,cn=pbac,%(realm)s";)\'' % dict(realm=api.env.basedn)]
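
Review bot: the new targetattr list drops idnszonerefresh and idnspersistentsearch while the attributes are meant to remain in the schema, so members of "Write DNS Configuration" would lose the ability to modify or clear values that can still exist under cn=dns. Keep the original five-attribute targetattr in `_write_dns_aci_entry` until the attributes are actually retired, so the ACI and the schema stay consistent.
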
>
> Besides these, patch worked fine on both upgrade and new installation. So when
> you remove these chunks, it will be ack.
>
> Martin
Updated patch attached.

Tomas

-- 
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tbabej-0073-7-Remove-support-for-IPA-deployments-with-no-persisten.patch
Type: text/x-patch
Size: 30615 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130809/fd31558a/attachment.bin>

