Martin Kosek wrote:
> On Thu, 2011-10-13 at 11:01 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Wed, 2011-10-12 at 23:54 -0400, Rob Crittenden wrote:
>>>> The has_upg() check was created during a transition period for 389-ds.
>>>> It is no longer needed and is actually breaking things. The location of
>>>> UPG template moved so it thinks the feature is not available. This is
>>>> making the primary user's group ipausers instead of the UPG.
>>>>
>>>> rob
>>>
>>> Shouldn't we remove has_managed_entries() and its use too? After all, we
>>> claim that this patch fixes #1242 which asks for has_managed_entries()
>>> removal.
>>>
>>> Martin
>>
>> Updated patch attached. It removes has_managed_entries().
>>
>> rob
>
> Looks good - there is just some leftover in the bottom of commit
> message, probably from patch squashing.
>
> However, I was thinking about has_upg() removal. Shouldn't we check if
> the UPG plugin is enabled (the same way we do in ipa-managed-entries)?
> Otherwise if the plugin is disabled and we would run user-add command
> without --noprivate option, we would set nonexistent GID for the user as
> the UPG wouldn't be created.
>
> Martin

Ok, good point.

I decided to just fix has_upg() for now.

I'm caching the value so we don't have to do an extra search every
single time we add a user. I don't think this is the kind of thing that
is going to be turned on/off a lot (e.g. you'll turn it off and be done
with it).

rob

From 4ec97f4d3673bfb0c8c6772acb63c82b270c551a Mon Sep 17 00:00:00 2001
From: Rob Crittenden <[email protected]>
Date: Thu, 13 Oct 2011 13:07:49 -0400
Subject: [PATCH] Fix has_upg() to work with relocated managed entries
configuration.
https://fedorahosted.org/freeipa/ticket/1964
---
ipaserver/plugins/ldap2.py | 16 +++++++++++++---
1 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index 696646c..b921f62 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -33,6 +33,7 @@ import string
import shutil
import tempfile
import time
+import re
import krbV
import logging
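Review bot: The new `import re` is needed only for the single `re.search()` on a fixed string in has_upg(); a plain substring test such as `disable_attr in org_filter[0]` would do the same job and make this import unnecessary.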
@@ -704,19 +705,28 @@ class ldap2(CrudBackend, Encoder):
def has_upg(self):
"""Returns True/False whether User-Private Groups are enabled.
This is determined based on whether the UPG Template exists.
+
We determine this at module load so we don't have to test for
- it every time.
+ it every time. So this means a restart is necessary to pick
+ up the change if a user disables this feature.
"""
global _upg
+ upg_dn = str(DN('cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc', api.env.basedn))
+
if _upg is None:
try:
upg_entry = self.conn.search_s(
- 'cn=UPG Template,cn=etc,%s' % api.env.basedn,
+ upg_dn,
_ldap.SCOPE_BASE,
attrlist=['*']
)[0]
- _upg = True
+ disable_attr = '(objectclass=disable)'
+ if 'originfilter' in upg_entry[1]:
+ org_filter = upg_entry[1]['originfilter']
+ _upg = not bool(re.search(r'%s' % disable_attr, org_filter[0]))
+ else:
+ _upg = False
except _ldap.NO_SUCH_OBJECT, e:
_upg = False
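Review bot: In the `re.search(r'%s' % disable_attr, org_filter[0])` line, the parentheses in `'(objectclass=disable)'` are regex grouping characters, so the pattern matches the bare text `objectclass=disable` anywhere in the value rather than the literal filter component, and the match is case-sensitive. Use `re.escape(disable_attr)` with `re.IGNORECASE`, or compare lowercased strings with `in`. Only `org_filter[0]` is inspected, so a disabling clause in any further value would be missed. The docstring also needs updating: it still says the result is based on whether the UPG Template exists and is determined at module load, while the code now reads originfilter on the UPG Definition entry on the first call and caches it in `_upg`. Finally, `upg_dn` is rebuilt on every call even when `_upg` is already cached; it can move inside the `if _upg is None:` block.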
--
1.7.6