On 06/30/2012 12:01 AM, Rob Crittenden wrote:
> Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> Alexander Bokovoy wrote:
>>>> On Fri, 29 Jun 2012, Sumit Bose wrote:
>>>>> On Wed, Jun 27, 2012 at 09:19:36PM +0200, Sumit Bose wrote:
>>>>>> On Tue, Jun 26, 2012 at 12:30:14PM +0200, Sumit Bose wrote:
>>>>>> > On Sun, Jun 17, 2012 at 09:47:20PM +0200, Sumit Bose wrote:
>>>>>> > > On Thu, Jun 14, 2012 at 02:25:01PM +0200, Sumit Bose wrote:
>>>>>> > > > On Thu, Jun 14, 2012 at 07:54:40AM -0400, Simo Sorce wrote:
>>>>>> > > > > On Thu, 2012-06-14 at 12:35 +0200, Sumit Bose wrote:
>>>>>> > > > > > On Wed, Jun 13, 2012 at 08:38:23PM -0400, Simo Sorce wrote:
>>>>>> > > > > > > On Wed, 2012-06-13 at 21:17 +0200, Sumit Bose wrote:
>>>>>> > > > > > > >
>>>>>> > > > > > > > to keep track of the different ranges we use for UIDs/GIDs for local
>>>>>> > > > > > > > users/groups and users from trusted domains new range objects are
>>>>>> > > > > > > > introduced which are stored below cn=range,cn=etc,$SUFFIX.
>>>>>> > > > > > > >
>>>>>> > > > > > > > 0022: LDAP schema update
>>>>>> > > > > > >
>>>>>> > > > > > > ack
>>>>>> > > > > > >
>>>>>> > > > > > > > 0023: Create a range object during installation for the local ID range
>>>>>> > > > > > >
>>>>>> > > > > > > nack, I think we need to find a way to handle adding at least the base
>>>>>> > > > > > > range on update. Otherwise an updated server won't be able to have IDs
>>>>>> > > > > > > for most of its users.
>>>>>> > > > > >
>>>>>> > > > > > I fully agree, but since we said that we concentrate on update issues in
>>>>>> > > > > > beta2 I wanted to send the version for the fresh install first to allow
>>>>>> > > > > > testing.
>>>>>> > > > >
>>>>>> > > > > The reason I'd like updates is that this patchset can be installed on
>>>>>> > > > > top of existing servers for testing w/o having to reinstall from scratch
>>>>>> > > > > or manually creating the ipaDomainIDRange object :):)
>>>>>> > > >
>>>>>> > > > ok, will do.
>>>>>> > > >
>>>>>> > > > Do you otherwise agree with the patches or is there something I should
>>>>>> > > > change while adding the updates?
>>>>>> > > >
>>>>>> > > > bye,
>>>>>> > > > Sumit
>>>>>> > > >
>>>>>> > > > >
>>>>>> > > > > > >
>>>>>> > > > > > > > 0024: add primary and secondary RID base to the local range object
>>>>>> > > > > > > > during ipa-adtrust-install
>>>>>> > > > > > >
>>>>>> > > > > > > Not sure if setting the range belongs in the previous patch or this one.
>>>>>> > > > > >
>>>>>> > > > > > I think it is right here, because a plain IPA server does not need the
>>>>>> > > > > > RID related attributes.
>>>>>> > > > > >
>>>>>> > > > > > > We might decide to ask questions during ipa-adtrust-install if the range
>>>>>> > > > > > > is not available, maybe presenting a set of pre-canned choices if we can
>>>>>> > > > > > > detect them.
>>>>>> > > > > >
>>>>>> > > > > > I agree here, too. But as above I would like to handle update issues
>>>>>> > > > > > in a second round.
>>>>>> > > > > >
>>>>>> > > > > > >
>>>>>> > > > > > > Finally I think we need to do a search with uid/gidNumber < base and
>>>>>> > > > > > > uid/gidNumber > max and prompt/warn the user if we detect any ID that
>>>>>> > > > > > > falls outside the configured range (either because we failed to detect
>>>>>> > > > > > > ranges on upgrade and the user botched the question or because the admin
>>>>>> > > > > > > added arbitrary IDs).
>>>>>> > > > > > > If a warning, we should warn that, missing a range that suitably covers
>>>>>> > > > > > > these IDs, those users/groups will not be available for the trust.
>>>>>> > > > > > >
>>>>>> > > > > > > Maybe we should also have a simple ipa command that can list all
>>>>>> > > > > > > users/groups that fall outside the ranges as well.
>>>>>> > > > > >
>>>>>> > > > > > I'm working on the ranges cli plugin to allow 'ipa range-add', 'ipa
>>>>>> > > > > > range-find' etc. I can add it there.
>>>>>> > > > > >
>>>>>> > >
>>>>>> > > Hi,
>>>>>> > >
>>>>>> > > this new series of patches adds the cli plugin to create the ID ranges
>>>>>> > > manually. I'm still working on a detection of the locally used id range
>>>>>> > > of an upgraded domain in ipa-adtrust-install and a plugin which rejects
>>>>>> > > new ranges which overlap with existing ones.
>>>>>> > >
>>>>>> > > bye,
>>>>>> > > Sumit
>>>>>> >
>>>>>> > the attached patch adds a preop plugin which checks for overlaps with
>>>>>> > existing ranges.
>>>>>> >
>>>>>> > bye,
>>>>>> > Sumit
>>>>>>
>>>>>> Finally I added a method to guess and create the initial ID range, if none
>>>>>> is present, e.g. when updating from an older version of freeIPA. A
>>>>>> full series of patches is attached.
>>>>>>
>>>>>> bye,
>>>>>> Sumit
>>>>>
>>>>> This version of patches fixes review comments by Alexander and also adds
>>>>> some tests for the range CLI plugin which were kindly provided by
>>>>> Alexander.
>>>> ACK
>>>>
>>>
>>> These patches aren't applying for me.
>>>
>>> rob
>>
>> Hmm. Pulled a fresh tree and they imported fine.
>>
>> pushed to master
>>
>> rob
>
> I had only pushed 22-24 before, pushed 25 and 29 as well.
>
> rob
>
I examined the latest changes and found several rather serious issues which will break this functionality on upgraded servers:

https://fedorahosted.org/freeipa/ticket/2891

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
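The two checks the thread keeps coming back to, a preop-style rejection of a new range that overlaps an existing one, and Simo's suggested search for users/groups whose uid/gidNumber falls outside every configured range, as an added example that is not FreeIPA's code nor any of the patches discussed above. The field names (base_id, size, base_rid, secondary_base_rid), the RID-block width, the covering-range heuristic and all sample entries are this example's own assumptions, not the LDAP schema or the upgrade logic Sumit added:

```python
# Added example (not FreeIPA's own code): (1) reject a new ID range that
# overlaps an existing one, as a preop plugin would, and (2) list users/groups
# whose uidNumber/gidNumber is covered by no range. Field names, the RID-block
# width and the sample data are constructed for this example.
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class IDRange:
    """A range object: `size` consecutive POSIX IDs starting at `base_id`.
    RID bases are only set on ranges that take part in a trust (assumption:
    each RID block is also `size` RIDs wide)."""
    name: str
    base_id: int
    size: int
    base_rid: Optional[int] = None
    secondary_base_rid: Optional[int] = None

    @property
    def last_id(self) -> int:
        return self.base_id + self.size - 1

    def contains(self, posix_id: int) -> bool:
        return self.base_id <= posix_id <= self.last_id


def _blocks_overlap(a_start: int, a_end: int, b_start: int, b_end: int) -> bool:
    """Closed intervals [a_start, a_end] and [b_start, b_end] share at least one ID."""
    return a_start <= b_end and b_start <= a_end


def find_range_conflict(new: IDRange, existing: Iterable[IDRange]) -> Optional[str]:
    """Return a rejection reason if `new` must not be added, else None.

    Checks the POSIX ID block against every existing range and, where RID
    bases are set, every primary/secondary RID block against the existing
    ranges' RID blocks and against each other."""
    if new.size <= 0:
        return "range size must be positive"
    new_rid_blocks = [(b, b + new.size - 1)
                      for b in (new.base_rid, new.secondary_base_rid) if b is not None]
    for r in existing:
        if _blocks_overlap(new.base_id, new.last_id, r.base_id, r.last_id):
            return f"ID range overlaps with {r.name}"
        for b in (r.base_rid, r.secondary_base_rid):
            if b is None:
                continue
            for start, end in new_rid_blocks:
                if _blocks_overlap(start, end, b, b + r.size - 1):
                    return f"RID range overlaps with {r.name}"
    if len(new_rid_blocks) == 2 and _blocks_overlap(*new_rid_blocks[0], *new_rid_blocks[1]):
        return "primary and secondary RID ranges overlap"
    return None


Entry = Tuple[str, str, int]  # (name, "user" | "group", uidNumber or gidNumber)


def ids_outside_ranges(entries: Iterable[Entry], ranges: Iterable[IDRange]) -> List[Entry]:
    """Users/groups covered by no range; these will not be available for a trust.
    In-memory equivalent of searching uid/gidNumber < base or > max per range."""
    ranges = list(ranges)
    return [e for e in entries if not any(r.contains(e[2]) for r in ranges)]


def guess_covering_range(entries: Iterable[Entry], name: str) -> IDRange:
    """Simple heuristic of this example (not FreeIPA's upgrade logic): the
    smallest single range that covers every ID currently in use."""
    ids = [e[2] for e in entries]
    if not ids:
        raise ValueError("no IDs to derive a range from")
    return IDRange(name, base_id=min(ids), size=max(ids) - min(ids) + 1)


# Constructed sample data: one local range and a few entries, two of them
# outside that range.
LOCAL = IDRange("IPA_LOCAL", base_id=1000, size=200_000,
                base_rid=1000, secondary_base_rid=100_000_000)
SAMPLE_ENTRIES: List[Entry] = [
    ("admin", "user", 1000),
    ("svc-backup", "user", 500),       # below the local range
    ("devs", "group", 1500),
    ("legacy-ops", "group", 250_000),  # above the local range
]

if __name__ == "__main__":
    print(find_range_conflict(IDRange("AD_TRUST", 150_000, 200_000), [LOCAL]))
    print(find_range_conflict(IDRange("AD_TRUST", 201_000, 200_000), [LOCAL]))
    print(ids_outside_ranges(SAMPLE_ENTRIES, [LOCAL]))
```

Running the module prints the overlap reason for the first trust range, None for the second (it starts right after the local range ends), and the two entries that no range covers. The same functions run over a list pulled from LDAP would give the warning Simo asks for at ipa-adtrust-install time.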