On 03/02/2011 08:50 PM, Jakub Hrozek wrote:
On Wed, Feb 23, 2011 at 12:36:06PM -0500, Rob Crittenden wrote:
Jakub Hrozek wrote:
On 02/23/2011 04:47 PM, Rob Crittenden wrote:
Jakub Hrozek wrote:
Replace only if old and new have nothing in common
This has problems when removing the last member. There are no adds, rems
has a single value (the member being removed). The intersection is 0 so
force_replace gets set to True and nothing ends up getting done.
I added a len(v) > 0 to this conditional and it seems to work. I also
added a small test case based on Endi's initial report. I'm getting a
100% test pass rate.
rob
I hit one more problem with the patch, although I'm not entirely sure
how that is possible - when a user is renamed, his memberof becomes
indirect memberof:
# ipa user-mod --rename test2 test
--------------------
Modified user "test"
--------------------
User login: test2
First name: Test
Last name: User
Home directory: /home/test
Login shell: /bin/sh
Account disabled: False
Indirect Member of group: ipausers
I think this is another timing issue with 389-ds postop plugins,
this time the referential integrity plugin. I don't think this is
related to this change.
We start with:
dn: uid=test, ...
uid: test
memberOf: ipausers
dn: cn=ipausers, ...
cn: ipausers
member: uid=test,...
When we do the rename we immediately end up with:
dn: uid=test2, ..
uid: test2
memberOf: ipausers
dn: cn=ipausers, ...
cn: ipausers
member: uid=test, ...
We determine indirect membership by comparing the user's memberOf
with the results of a query for member=uid=test2
If the refint plugin hasn't updated the ipausers group by the time
we do the query the user will appear to be an indirect member.
rob
OK, you're probably right, I can't reproduce the issue anymore.
This patch has an ACK from me. Since this is a very low-level change
at a late stage, I have asked Martin to take a second look.
Jakub
Tested a few corner cases and it seems to be cool. ACK from me too.
Pavel
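
The comparison Rob describes above (memberOf on the user versus a search for member=<user DN>), as an added example that is not part of the original thread and is not FreeIPA's own code. The function names, the shortened DNs and the refint_done flag, which models whether the referential integrity plugin has already rewritten the group's member value, are assumptions made for illustration.

```python
# Added illustration: why a renamed user can briefly show up as an
# "indirect" member. All entries are constructed, shortened placeholders.

def classify_memberof(user_dn, user_memberof, groups):
    """Split memberOf values into (direct, indirect).

    groups maps group name -> set of member DNs, standing in for the
    result of a directory search for member=<user_dn>.
    """
    direct_hits = {name for name, members in groups.items()
                   if user_dn in members}
    direct = sorted(g for g in user_memberof if g in direct_hits)
    indirect = sorted(g for g in user_memberof if g not in direct_hits)
    return direct, indirect


def rename_user(entries, groups, old_dn, new_dn, refint_done):
    """Rename the user entry; group member values are only fixed up
    once the (modelled) referential integrity pass has run."""
    entries[new_dn] = entries.pop(old_dn)
    if refint_done:
        for members in groups.values():
            if old_dn in members:
                members.discard(old_dn)
                members.add(new_dn)


def demo(refint_done):
    """Start from the state in the thread, rename, then classify."""
    entries = {"uid=test": {"ipausers"}}      # user DN -> memberOf values
    groups = {"ipausers": {"uid=test"}}       # group -> member DNs
    rename_user(entries, groups, "uid=test", "uid=test2", refint_done)
    return classify_memberof("uid=test2", entries["uid=test2"], groups)


if __name__ == "__main__":
    # Query issued before the group has been updated: looks indirect.
    print("before refint:", demo(refint_done=False))
    # Query issued after the group has been updated: direct again.
    print("after refint: ", demo(refint_done=True))
```
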