On Fri, 2014-02-21 at 00:08 +0200, Alexander Bokovoy wrote: > On Thu, 20 Feb 2014, Nathaniel McCallum wrote: > >> > >>There is an error in libotp's find() function which assumes that > >> > >>get_basedn() always returns non-NULL value. This is not true for at > >> > >>least cn=Directory Manager. > >> > >> > >> > >>Patch attached. > >> > >More fixes required, now that Thierry produced the fix for 389-ds ticket > >> > >47699 which allows to re-arrange schema-compat and ipa-pwd-extop > >> > >plugins. I'm getting crash in find() in libotp.c for internal search in > >> > >some other conditions but at least user dn now is the correct one. > >> > > > >> > >Stay tuned. > >> > OK, finally I've got it working -- my last patch had error which could > >> > be attributed to the late night time. > >> > > >> > New patch is attached to fix libotp to work properly with empty base dn > >> > (such as cn=Directory Manager). > >> > > >> > Also I'm attaching the patch that sets precedence of schema-compat > >> > plugin to 49 (less than default 50). With this patch and 389-ds with > >> > patch from ticket 47699 compat tree binds work with OTP. > >> > > >> > When updated 389-ds-base will be released, we'll need to add Requires: > >> > to our RPM spec to depend on it. Without the updated 389-ds-base compat > >> > tree binds will not work with OTP but the rest will be working fine. > >> > > >> > Finally, ACK to all OTP patches. > >> > >> ACK to both of these patches. > > > >I've merged the first patch here -- > >https://www.redhat.com/archives/freeipa-devel/2014-February/msg00341.html > > > >I just realized the second patch shouldn't be ACK'd until we have a new > >389DS release with the fix. When that happens, reissue this patch with > >an update versioned require. > No, it can be safely merged as 389DS will use default precedence (50) unless > the fix is there. So the worst we get is the same as now -- OTP binds > will not work over compat tree. And when 389DS will be upgraded, they > will start working after 389DS restart.
But this patch doesn't actually do anything until we get the new version of 389DS. If we are ever going to add a versioned dependency on the new 389DS for this feature, it should go in this patch. Otherwise, it is an ACK from me. Nathaniel _______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel