Martin Kosek wrote:
On Thu, 2011-10-13 at 15:09 -0400, Rob Crittenden wrote:
Rob Crittenden wrote:
Martin Kosek wrote:
On Thu, 2011-10-13 at 11:01 -0400, Rob Crittenden wrote:
Martin Kosek wrote:
On Wed, 2011-10-12 at 23:54 -0400, Rob Crittenden wrote:
The has_upg() check was created during a transition period for 389-ds.
It is no longer needed and is actually breaking things. The location of
UPG template moved so it thinks the feature is not available. This is
making the primary user's group ipausers instead of the UPG.
rob
Shouldn't we remove has_managed_entries() and its use too? After all, we
claim that this patch fixes #1242 which asks for has_managed_entries()
removal.
Martin
Updated patch attached. It removes has_managed_entries().
rob
Looks good - there is just some leftover in the bottom of commit
message, probably from patch squashing.
However, I was thinking about has_upg() removal. Shouldn't we check if
the UPG plugin is enabled (the same way we do in ipa-managed-entries)?
Otherwise if the plugin is disabled and we would run user-add command
without --noprivate option, we would set nonexistent GID for the user as
the UPG wouldn't be created.
Martin
Ok, good point.
I decided to just fix has_upg() for now.
I'm caching the value so we don't have to do an extra search every
single time we add a user. I don't think this is the kind of thing that
is going to be turned on/off a lot (e.g. you'll turn it off and be done
with it).
rob
Updated patch to remove caching. Since the config is now replicated if
an admin disables it they would quickly have to restart all Apache
servers on all replicas which is bad.
rob
ipaserver/plugins/ldap2.py:723: [E0001] invalid syntax
return = False? Really? :-)
Martin
I'm feeling very philosophical right now. To return or not return...
rob
From 31ec8ab77a4e3310d3f14303dca267e9be4574a5 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <[email protected]>
Date: Thu, 13 Oct 2011 13:07:49 -0400
Subject: [PATCH] Fix has_upg() to work with relocated managed entries
configuration.
https://fedorahosted.org/freeipa/ticket/1964
---
ipaserver/plugins/ldap2.py | 35 +++++++++++++++++------------------
1 files changed, 17 insertions(+), 18 deletions(-)
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index 696646c..dc71640 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -33,6 +33,7 @@ import string
import shutil
import tempfile
import time
+import re
import krbV
import logging
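Review bot: the `import re` added here is used only once, in has_upg(), to look for a fixed string in the originfilter value. If that lookup is written as a plain substring test on the attribute value instead, this import is not needed.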
@@ -191,9 +192,6 @@ def get_schema(url, conn=None):
# Global schema
_schema = None
-# The UPG setting will be cached the first time a module checks it
-_upg = None
-
class ldap2(CrudBackend, Encoder):
"""
LDAP Backend Take 2.
@@ -704,23 +702,24 @@ class ldap2(CrudBackend, Encoder):
def has_upg(self):
"""Returns True/False whether User-Private Groups are enabled.
This is determined based on whether the UPG Template exists.
- We determine this at module load so we don't have to test for
- it every time.
"""
- global _upg
- if _upg is None:
- try:
- upg_entry = self.conn.search_s(
- 'cn=UPG Template,cn=etc,%s' % api.env.basedn,
- _ldap.SCOPE_BASE,
- attrlist=['*']
- )[0]
- _upg = True
- except _ldap.NO_SUCH_OBJECT, e:
- _upg = False
-
- return _upg
+ upg_dn = str(DN('cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc', api.env.basedn))
+
+ try:
+ upg_entry = self.conn.search_s(
+ upg_dn,
+ _ldap.SCOPE_BASE,
+ attrlist=['*']
+ )[0]
+ disable_attr = '(objectclass=disable)'
+ if 'originfilter' in upg_entry[1]:
+ org_filter = upg_entry[1]['originfilter']
+ return not bool(re.search(r'%s' % disable_attr, org_filter[0]))
+ else:
+ return False
+ except _ldap.NO_SUCH_OBJECT, e:
+ return False
@encode_args(1, 2)
def get_effective_rights(self, dn, entry_attrs):
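Review bot: in the new has_upg() body, `disable_attr = '(objectclass=disable)'` is handed to re.search() as a pattern, so the parentheses are a regex group rather than literal characters, and the test matches any originfilter value that contains `objectclass=disable`, with or without the surrounding parentheses. The match is also case-sensitive while LDAP attribute names are not, so a value written as `objectClass=disable` would make has_upg() return True with the definition disabled, which is the nonexistent-GID case raised earlier in the thread. Suggest re.escape() on the string plus re.IGNORECASE, or lowercasing the value and testing for the substring. The `r'%s' % disable_attr` formatting does nothing and can be dropped. The docstring still says the result is based on whether the UPG Template exists; it should describe the originfilter check on the UPG Definition entry. `attrlist=['*']` could be narrowed to the one attribute that is read.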
--
1.7.6