Jan Zeleny wrote:
JR Aquino<jr.aqu...@citrix.com> wrote:
On 2/17/11 3:23 AM, "Jan Zelený"<jzel...@redhat.com> wrote:
JR Aquino<jr.aqu...@citrix.com> wrote:
This patch fixes the netgroup plugin's behavior of adding duplicate entries when the managed entry plugin creates a netgroup with a mepManagedEntry.
This problem is documented in ticket:
https://fedorahosted.org/freeipa/ticket/963
As noted by Endi for issue #3 in the History:
"3. Just out of curiosity, I tried adding a netgroup with the same name as the hostgroup. I expected it to conflict with the managed netgroup, but it actually worked. Searching the directory will return 2 netgroups with the same name:"
Historically the netgroup plugin had inappropriately defined: rdn_attribute = 'ipauniqueid'. This caused the ability of duplication with the creation of native netgroups using the ipaUniqueId as the DN and as the Managed Entry netgroups utilizing the cn as the DN.
Patch includes adjustments for the netgroup plugin and corresponding test_netgroup_plugin.
Please verify that the items requested in #963 are now complete and please confirm that the corresponding tests all pass.
One test fails:
FAIL: test_netgroup[30]: netgroup_remove_member: Remove netgroup u'netgroup2' from netgroup u'netgroup1'
Command ipa host-show still shows:
Member of netgroups: testhostgroup
Also a little bit of nitpicking, I think the changed code in chunk 2 would better look something like this:
    search_kw = {}
    search_kw['objectclass'] = ['mepManagedEntry']
    if not options['private']:
        local_filter = ldap.make_filter(search_kw, rules=ldap.MATCH_NONE)
    else:
        local_filter = ldap.make_filter(search_kw, rules=ldap.MATCH_ALL)
    filter = ldap.combine_filters((local_filter, filter),
                                  rules=ldap.MATCH_ALL)
--
Jan
It was determined that the ipauniqueid is required for the DN on these objects.
It's an ipaAssociation which uses it as the rdn, if we change the problems cascade
This patch has now changed to reflect the optimization in the netgroup search instead.
It provides a cleaner method of performing a netgroup search for native netgroups and allows for the --private search to only display the mepManagedEntry netgroups, rather than ALL netgroups. Previously --private would return ALL netgroups.
This means there is no need to modify test_netgroup_plugin.
Please verify that the optimization / bugfix passes the standard test_netgroup_plugin.
Ack
Jan
pushed to master
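
Added example, not part of the thread or of the FreeIPA code base: a stand-alone Python sketch of the filter logic suggested in the review above, showing which netgroups a search returns with and without --private. The make_filter/combine_filters functions are simplified stand-ins, and the rule values, base filter and sample entries are constructed assumptions.

```python
# Simplified stand-ins for the thread's make_filter/combine_filters (assumed rule values).
MATCH_ANY, MATCH_ALL, MATCH_NONE = '|', '&', '!'

def combine_filters(filters, rules=MATCH_ANY):
    filters = [f for f in filters if f]
    return filters[0] if len(filters) == 1 else '(%s%s)' % (rules, ''.join(filters))

def make_filter(attrs, rules=MATCH_ANY):
    terms = ['(%s=%s)' % (a, v) for a in sorted(attrs) for v in attrs[a]]
    if rules == MATCH_NONE:  # negate each term, then require every negation
        return combine_filters(['(!%s)' % t for t in terms], MATCH_ALL)
    return combine_filters(terms, rules)

def netgroup_filter(private, base='(objectclass=ipaNISNetgroup)'):
    # Same shape as the reviewed snippet: managed entries only with --private,
    # everything except managed entries without it. `base` is an assumed filter.
    search_kw = {'objectclass': ['mepManagedEntry']}
    rule = MATCH_ALL if private else MATCH_NONE
    return combine_filters((make_filter(search_kw, rules=rule), base), MATCH_ALL)

def parse(f, i=0):
    """Parse the filter starting at f[i] == '('; return (node, next index)."""
    op = f[i + 1]
    if op in '&|!':
        kids, i = [], i + 2
        while f[i] == '(':
            node, i = parse(f, i)
            kids.append(node)
        return (op, kids), i + 1          # step over the closing ')'
    end = f.index(')', i)
    attr, value = f[i + 1:end].split('=', 1)
    return ('=', (attr.lower(), value.lower())), end + 1

def matches(node, entry):
    op, arg = node
    if op == '=':
        return arg[1] in [v.lower() for v in entry.get(arg[0], [])]
    results = [matches(kid, entry) for kid in arg]
    return {'&': all, '|': any}[op](results) if op != '!' else not results[0]

# Constructed directory entries: one native netgroup, one managed by a hostgroup.
ENTRIES = [
    {'cn': ['netgroup1'], 'objectclass': ['ipaNISNetgroup', 'ipaAssociation']},
    {'cn': ['testhostgroup'], 'objectclass': ['ipaNISNetgroup', 'mepManagedEntry']},
]

def search(private):
    tree, _ = parse(netgroup_filter(private))
    return [e['cn'][0] for e in ENTRIES if matches(tree, e)]
```

Calling search(False) and search(True) on the constructed entries shows the native netgroup and the managed netgroup landing in separate result sets, which is the behavior the final patch description states for --private.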