[Freeipa-devel] [PATCH 0073] Remove support for IPA deployments with no persistent search

Martin Kosek mkosek at redhat.com
Fri Aug 9 10:16:35 UTC 2013


On 08/09/2013 12:02 PM, Tomas Babej wrote:
> On 08/08/2013 06:20 PM, Martin Kosek wrote:
>> On 08/07/2013 04:52 PM, Tomas Babej wrote:
>>> On 08/05/2013 05:59 PM, Martin Kosek wrote:
>>>> On 07/17/2013 01:47 PM, Tomas Babej wrote:
>>>>>> I will release version 3.5 before the end of this week. I have some small fixes
>>>>>> ready, so it is worth releasing it now.
>>>>>>
>>>>>> To summarize the discussion - please remove following options from
>>>>>> configuration file and LDAP schema:
>>>>>> cache_ttl
>>>>>> psearch (attribute idnsPersistentSearch in idnsConfigObject)
>>>>>> zone_refresh (attribute idnsZoneRefresh in idnsConfigObject)
>>>>>>
>>>>>> -- 
>>>>>> Petr^2 Spacek
>>>>> I have a patch ready, but it can't be tested until 3.5 is out.
>>>>>
>>>>> Tomas
>>>>>
>>>> I did not test the patch yet, I just want to comment on one thing I just
>>>> noticed.
>>>>
>>>> Is it a good idea to remove the idnsZoneRefresh and idnsPersistentSearch
>>>> attribute types and modify the idnsConfigObject objectclass?
>>>>
>>>> This will affect not only new instances, but also the old ones (i.e. RHEL-6.4)
>>>> which may still use these attributes. The DNS config object would suddenly become
>>>> unusable because DS would refuse to operate on the entry as it does not follow the
>>>> schema. The same applies to ACIs.
>>>>
>>>> I would personally not make these changes yet; I think just hiding them and
>>>> marking them as DeprecatedParam is enough for now. Alexander, what do you think?
>>>>
>>>> Martin
>>> We discussed this with Martin. I agreed it would be less cumbersome to
>>> keep the attributes in the schema for now.
>>>
>>> I retested the patches, updated versions attached.
>>>
>>> Petr, can bind-dyndb-ldap handle idnsConfigObject containing idnsPersistentSearch
>>> and idnsZoneRefresh attributes?
>>>
>> I still see some schema and aci changes:
>>
>> --- a/install/updates/10-bind-schema.update
>> +++ b/install/updates/10-bind-schema.update
>> @@ -44,7 +44,7 @@ add:attributeTypes:
>>         SUBSTR caseIgnoreIA5SubstringsMatch
>>         SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
>>         X-ORIGIN 'IPA v2' )
>> -add:attributeTypes:
>> +remove:attributeTypes:
>>       ( 2.16.840.1.113730.3.8.5.16
>>         NAME 'idnsZoneRefresh'
>>         DESC 'zone refresh interval'
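
Review bot: Turning `add:attributeTypes:` into `remove:attributeTypes:` for idnsZoneRefresh deletes the attribute type from the schema on upgrade, so an upgraded server is left with existing idnsConfigObject entries (the RHEL-6.4 case raised above) that still carry the attribute and no longer follow the schema; DS would then refuse to operate on them. Keep the `add:` directive so the type stays defined and deprecate the parameter in the framework instead, as agreed earlier in the thread.
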
>> @@ -52,7 +52,7 @@ add:attributeTypes:
>>         SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
>>         SINGLE-VALUE
>>         X-ORIGIN 'IPA v2' )
>> -add:attributeTypes:
>> +remove:attributeTypes:
>>       ( 2.16.840.1.113730.3.8.5.17
>>         NAME 'idnsPersistentSearch'
>>         DESC 'allow persistent searches'
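
Review bot: The same objection applies to idnsPersistentSearch, with an ordering point on top: this directive sits at file line 52, while the idnsConfigObject objectClass that still lists the attribute under MAY is only changed at file line 65, so if the updater applies directives in file order the attribute type is removed while an objectClass still references it. Keep `add:attributeTypes:` here; any future removal would have to be sequenced after the objectClass change.
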
>> @@ -65,8 +65,7 @@ add:objectClasses:
>>         NAME 'idnsConfigObject'
>>         DESC 'DNS global config options'
>>         STRUCTURAL
>> -      MAY ( idnsForwardPolicy $$ idnsForwarders $$ idnsAllowSyncPTR $$
>> -        idnsZoneRefresh $$ idnsPersistentSearch
>> +      MAY ( idnsForwardPolicy $$ idnsForwarders $$ idnsAllowSyncPTR
>>         ) )
>>   add:objectClasses:
>>       ( 2.16.840.1.113730.3.8.12.18
>>
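
Review bot: Dropping idnsZoneRefresh and idnsPersistentSearch from the MAY list of idnsConfigObject has the same effect on existing entries as the attribute type removals above: any cn=dns config entry written by an older release with either attribute set violates the new objectClass definition. With the attribute types kept, the MAY list should be left as it was (restore the two `-` lines).
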
>> AND
>>
>> -    _write_dns_aci_entry = ['add:aci:\'(targetattr = "idnsforwardpolicy ||
>> idnsforwarders || idnsallowsyncptr || idnszonerefresh ||
>> idnspersistentsearch")(target = "ldap:///cn=dns,%(realm)s")(version 3.0;acl
>> "permission:Write DNS Configuration";allow (write) groupdn = "ldap:///cn=Write
>> DNS Configuration,cn=permissions,cn=pbac,%(realm)s";)\'' %
>> dict(realm=api.env.basedn)]
>> +    _write_dns_aci_entry = ['add:aci:\'(targetattr = "idnsforwardpolicy ||
>> idnsforwarders || idnsallowsyncptr")(target =
>> "ldap:///cn=dns,%(realm)s")(version 3.0;acl "permission:Write DNS
>> Configuration";allow (write) groupdn = "ldap:///cn=Write DNS
>> Configuration,cn=permissions,cn=pbac,%(realm)s";)\'' %
>> dict(realm=api.env.basedn)]
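
Review bot: Removing idnszonerefresh and idnspersistentsearch from the targetattr of the "Write DNS Configuration" ACI withdraws the write grant on those attributes for the permission group, so on an upgraded server an administrator holding that permission could no longer clear a stale value even though the attributes stay in the schema. Keep the original targetattr list, i.e. drop this chunk. Minor and pre-existing: the format key `%(realm)s` is filled from api.env.basedn, so the name misleads; calling it basedn in both the targetattr and the groupdn would read better.
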
>>
>> Besides these, the patch worked fine on both upgrade and new installation. So when
>> you remove these chunks, it will be an ACK.
>>
>> Martin
> Updated patch attached.
> 
> Tomas
> 

ACK! Pushed to master.

Martin
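
Added example (not FreeIPA's code and not from anyone in this thread) of the two pre-flight checks the objection above comes down to: whether a remove:attributeTypes: directive in an update file leaves an objectClass in the same file still listing the attribute under MAY, and whether live entries, here a constructed stand-in for cn=dns, still carry the attribute, which is what leaves the entry no longer following the schema after the upgrade. The parser covers only the directive format visible in the quoted hunks; the idnsConfigObject OID and the entry contents are placeholders, and the attribute definitions are abbreviated.

```python
"""Pre-flight checks for attribute removals in an IPA-style .update file.

Added example, not FreeIPA's own code. Parses only the directive-plus-indented-
continuation form visible in the quoted patch; `$$` and `$` both separate names
in MUST/MAY lists.
"""
import re

DIRECTIVE = re.compile(r"^(add|remove|replace|only):(attributeTypes|objectClasses):\s*$")
NAME_RE = re.compile(r"\bNAME\s+(?:'([^']*)'|\(([^)]*)\))")
LIST_RE = re.compile(r"\b(?:MUST|MAY)\s+(?:\(([^)]*)\)|([\w-]+))")


def parse_schema_updates(text):
    """Return (action, kind, definition) per directive, continuation lines re-joined."""
    items = []
    for line in text.splitlines():
        m = DIRECTIVE.match(line)
        if m:
            items.append([m.group(1), m.group(2), []])
        elif items and line.strip():
            items[-1][2].append(line.strip())
    return [(action, kind, " ".join(parts)) for action, kind, parts in items]


def names_of(definition):
    """NAME values of a definition: one quoted name or a parenthesised list of them."""
    m = NAME_RE.search(definition)
    if not m:
        return []
    return [m.group(1)] if m.group(1) is not None else re.findall(r"'([^']*)'", m.group(2))


def referenced_attrs(definition):
    """Lower-cased attribute names an objectClass lists under MUST or MAY."""
    attrs = set()
    for m in LIST_RE.finditer(definition):
        body = m.group(1) if m.group(1) is not None else m.group(2)
        attrs.update(a.strip().lower() for a in re.split(r"\$+", body) if a.strip())
    return attrs


def removed_attribute_types(text):
    """Map lower-cased name -> original spelling for every remove:attributeTypes."""
    removed = {}
    for action, kind, definition in parse_schema_updates(text):
        if action == "remove" and kind == "attributeTypes":
            for name in names_of(definition):
                removed[name.lower()] = name
    return removed


def dangling_references(text):
    """(attribute, objectClass) pairs where a removed type is still in MUST/MAY."""
    removed = removed_attribute_types(text)
    found = []
    for _, kind, definition in parse_schema_updates(text):
        if kind == "objectClasses":
            oc_name = (names_of(definition) or ["?"])[0]
            for attr in sorted(referenced_attrs(definition) & set(removed)):
                found.append((removed[attr], oc_name))
    return found


def entries_still_using(text, entries):
    """DNs (dn -> {attr: [values]}) still carrying a removed attribute: these entries
    would no longer follow the schema once the type is gone."""
    removed = removed_attribute_types(text)
    return sorted(dn for dn, attrs in entries.items() if any(a.lower() in removed for a in attrs))


# Constructed samples modelled on the quoted hunks: fields are omitted and the
# idnsConfigObject OID is a placeholder, so this is not the real update file.
ATTRIBUTE_REMOVALS = """\
remove:attributeTypes:
    ( 2.16.840.1.113730.3.8.5.16 NAME 'idnsZoneRefresh'
      DESC 'zone refresh interval' SINGLE-VALUE X-ORIGIN 'IPA v2' )
remove:attributeTypes:
    ( 2.16.840.1.113730.3.8.5.17 NAME 'idnsPersistentSearch'
      DESC 'allow persistent searches' SINGLE-VALUE X-ORIGIN 'IPA v2' )
"""
OC_STILL_REFERENCING = """\
add:objectClasses:
    ( 1.2.3.4.5.6 NAME 'idnsConfigObject' DESC 'DNS global config options' STRUCTURAL
      MAY ( idnsForwardPolicy $$ idnsForwarders $$ idnsAllowSyncPTR $$
        idnsZoneRefresh $$ idnsPersistentSearch ) )
"""
OC_TRIMMED = """\
add:objectClasses:
    ( 1.2.3.4.5.6 NAME 'idnsConfigObject' DESC 'DNS global config options' STRUCTURAL
      MAY ( idnsForwardPolicy $$ idnsForwarders $$ idnsAllowSyncPTR ) )
"""
# Constructed stand-in for the cn=dns entry of an older deployment, written while
# both attributes were still in the schema (in a real run: an LDAP search result).
LIVE_ENTRIES = {"cn=dns,dc=example,dc=test": {"objectClass": ["idnsConfigObject"],
                "idnsAllowSyncPTR": ["TRUE"], "idnsZoneRefresh": ["30"]}}
```

Run against the patch as posted (ATTRIBUTE_REMOVALS + OC_TRIMMED), dangling_references() comes back empty because the MAY list was trimmed in the same file, while entries_still_using() still returns the cn=dns DN: the update is consistent with itself and still breaks the upgraded server, which is the case the thread settled by keeping the schema. With OC_STILL_REFERENCING in place of OC_TRIMMED the first check flags both attributes as well.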



