[Freeipa-devel] [PATCH 0024] Add OTP support to ipalib CLI
Martin Kosek
mkosek at redhat.com
Wed Dec 11 12:31:17 UTC 2013
On 12/11/2013 01:24 PM, Jan Cholasta wrote:
> On 14.11.2013 20:23, Nathaniel McCallum wrote:
>> On Wed, 2013-10-30 at 08:57 +0100, Jan Cholasta wrote:
>>> On 8.10.2013 16:35, Nathaniel McCallum wrote:
>>>> On Tue, 2013-10-08 at 09:19 +0200, Jan Cholasta wrote:
>>>>>
>>>>> +class Base32DecodeError(ExecutionError):
>>>>>
>>>>> Is this really necessary? Are we going to add <encoding>DecodeError for
>>>>> every kind of new encoding in IPA? Can't we just have generic
>>>>> DecodeError? (This is not an issue in your patch per se, I'm just
>>>>> wondering if we can do it better in the framework.)
>>>>
>>>> I added the new error due to the existence of a Base64DecodeError. I
>>>> figured changing the existing error to be more generic would break api.
>>>>
>>>> Nathaniel
>>>>
>>>
>>> I think you can use ConversionError instead. I don't see any reason why
>>> base32/64 decoding errors should be special cased like this and would
>>> like to see Base64DecodeError gone.
>>
>> Fixed.
...
> + # Get the issuer for the URI
> + issuer = api.env.realm
> + if owner is not None:
> + try:
> + issuer = ldap.get_entry(owner,
> ['krbprincipalname'])['krbprincipalname'][0]
> + except:
> + pass
>
> Please use "except PublicError" here, we don't want internal errors to be ignored.
Right. I think what Nathaniel wanted to do is:
except errors.NotFound:
pass
Bare except-pass is wrong on several levels anyway. For example it also catches
syntax or interrupt exceptions.
>
>
> + # Delete all tokens owned by this user
> + owner = self.api.Object.user.get_primary_key_from_dn(dn)
> + results = self.api.Command.otptoken_find(ipatokenowner=owner)['result']
> + for token in results:
> + token = self.api.Object.otptoken.get_primary_key_from_dn(token['dn'])
> + self.api.Command.otptoken_del(token)
>
> This should probably be handled by the referint plugin.
>
> Honza
>
I think referint plugin would just remove the attribute containing DN to user,
not the whole entry. I.e. I think Nathaniel need to do it this way anyway.
Though I think it would be more efficient if we do just one 'otptoken_del' call
with the list of tokens as primary key to it. All standard LDAPDelete based
plugins can do that. You may also want to pass continue=True in the list of
it's options in this case.
Martin
More information about the Freeipa-devel
mailing list