Rob Crittenden wrote:
Martin Kosek wrote:
On Thu, 2011-10-13 at 11:01 -0400, Rob Crittenden wrote:
Martin Kosek wrote:
On Wed, 2011-10-12 at 23:54 -0400, Rob Crittenden wrote:
The has_upg() check was created during a transition period for 389-ds.
It is no longer needed and is actually breaking things. The location of
UPG template moved so it thinks the feature is not available. This is
making the primary user's group ipausers instead of the UPG.

rob

Shouldn't we remove has_managed_entries() and its use too? After all, we
claim that this patch fixes #1242 which asks for has_managed_entries()
removal.

Martin


Updated patch attached. It removes has_managed_entries().

rob

Looks good - there is just some leftover in the bottom of commit
message, probably from patch squashing.

However, I was thinking about has_upg() removal. Shouldn't we check if
the UPG plugin is enabled (the same way we do in ipa-managed-entries)?
Otherwise if the plugin is disabled and we would run user-add command
without --noprivate option, we would set nonexistent GID for the user as
the UPG wouldn't be created.

Martin


Ok, good point.

I decided to just fix has_upg() for now.

I'm caching the value so we don't have to do an extra search every
single time we add a user. I don't think this is the kind of thing that
is going to be turned on/off a lot (e.g. you'll turn it off and be done
with it).

rob

Updated patch to remove caching. Since the config is now replicated, if an admin disables it they would quickly have to restart all Apache servers on all replicas, which is bad.

rob

From 3ed523c363871ca0d1b44ef4f45b1014fb59dfa7 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <[email protected]>
Date: Thu, 13 Oct 2011 13:07:49 -0400
Subject: [PATCH] Fix has_upg() to work with relocated managed entries
 configuration.

https://fedorahosted.org/freeipa/ticket/1964
---
 ipaserver/plugins/ldap2.py |   35 +++++++++++++++++------------------
 1 files changed, 17 insertions(+), 18 deletions(-)

diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index 696646c..c7ae5f0 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -33,6 +33,7 @@ import string
 import shutil
 import tempfile
 import time
+import re
 
 import krbV
 import logging
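
Review bot: the new `import re` is needed only for the single `re.search()` in has_upg(), and that search is on a fixed string, not a real pattern. In the pattern '(objectclass=disable)' the parentheses are regex grouping metacharacters, so the search matches `objectclass=disable` anywhere in the filter rather than the literal parenthesised term. A plain substring test, `disable_attr in org_filter[0]`, would match the literal text and make this import unnecessary.
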
@@ -191,9 +192,6 @@ def get_schema(url, conn=None):
 # Global schema
 _schema = None
 
-# The UPG setting will be cached the first time a module checks it
-_upg = None
-
 class ldap2(CrudBackend, Encoder):
     """
     LDAP Backend Take 2.
@@ -704,23 +702,24 @@ class ldap2(CrudBackend, Encoder):
     def has_upg(self):
         """Returns True/False whether User-Private Groups are enabled.
            This is determined based on whether the UPG Template exists.
-           We determine this at module load so we don't have to test for
-           it every time.
         """
-        global _upg
 
-        if _upg is None:
-            try:
-                upg_entry = self.conn.search_s(
-                    'cn=UPG Template,cn=etc,%s' % api.env.basedn,
-                    _ldap.SCOPE_BASE,
-                    attrlist=['*']
-                )[0]
-                _upg = True
-            except _ldap.NO_SUCH_OBJECT, e:
-                _upg = False
-
-        return _upg
+        upg_dn = str(DN('cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc', api.env.basedn))
+
+        try:
+            upg_entry = self.conn.search_s(
+                upg_dn,
+                _ldap.SCOPE_BASE,
+                attrlist=['*']
+            )[0]
+            disable_attr = '(objectclass=disable)'
+            if 'originfilter' in upg_entry[1]:
+                org_filter = upg_entry[1]['originfilter']
+                return not bool(re.search(r'%s' % disable_attr, org_filter[0]))
+            else:
+                return = False
+        except _ldap.NO_SUCH_OBJECT, e:
+            return = False
 
     @encode_args(1, 2)
     def get_effective_rights(self, dn, entry_attrs):
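
Review bot: `return = False` is a syntax error, and it appears twice, in the `else:` branch and in the `except _ldap.NO_SUCH_OBJECT` handler, so ldap2.py will not import with this patch applied. Both should read `return False`. The docstring also still says the result "is determined based on whether the UPG Template exists", while the new code reads the UPG Definition entry and checks its originfilter for the disable marker; please update it to describe that check, since callers such as user-add rely on this result to decide whether a private group will be created.
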
-- 
1.7.6
