On Wed, 2014-03-19 at 17:37 +0200, Alexander Bokovoy wrote:
> On Fri, 21 Feb 2014, Nathaniel McCallum wrote:
> >On Fri, 2014-02-21 at 00:08 +0200, Alexander Bokovoy wrote:
> >> On Thu, 20 Feb 2014, Nathaniel McCallum wrote:
> >> >> > >>There is an error in libotp's find() function which assumes that
> >> >> > >>get_basedn() always returns non-NULL value. This is not true for at
> >> >> > >>least cn=Directory Manager.
> >> >> > >>
> >> >> > >>Patch attached.
> >> >> > >More fixes required, now that Thierry produced the fix for 389-ds ticket
> >> >> > >47699 which allows to re-arrange schema-compat and ipa-pwd-extop
> >> >> > >plugins. I'm getting crash in find() in libotp.c for internal search in
> >> >> > >some other conditions but at least user dn now is the correct one.
> >> >> > >
> >> >> > >Stay tuned.
> >> >> > OK, finally I've got it working -- my last patch had error which could
> >> >> > be attributed to the late night time.
> >> >> >
> >> >> > New patch is attached to fix libotp to work properly with empty base dn
> >> >> > (such as cn=Directory Manager).
> >> >> >
> >> >> > Also I'm attaching the patch that sets precedence of schema-compat
> >> >> > plugin to 49 (less than default 50). With this patch and 389-ds with
> >> >> > patch from ticket 47699 compat tree binds work with OTP.
> >> >> >
> >> >> > When updated 389-ds-base will be released, we'll need to add Requires:
> >> >> > to our RPM spec to depend on it. Without the updated 389-ds-base compat
> >> >> > tree binds will not work with OTP but the rest will be working fine.
> >> >> >
> >> >> > Finally, ACK to all OTP patches.
> >> >>
> >> >> ACK to both of these patches.
> >> >
> >> >I've merged the first patch here --
> >> >https://www.redhat.com/archives/freeipa-devel/2014-February/msg00341.html
> >> >
> >> >I just realized the second patch shouldn't be ACK'd until we have a new
> >> >389DS release with the fix. When that happens, reissue this patch with
> >> >an update versioned require.
> >> No, it can be safely merged as 389DS will use default precedence (50) unless
> >> the fix is there. So the worst we get is the same as now -- OTP binds
> >> will not work over compat tree. And when 389DS will be upgraded, they
> >> will start working after 389DS restart.
> >
> >But this patch doesn't actually do anything until we get the new version
> >of 389DS. If we are ever going to add a versioned dependency on the new
> >389DS for this feature, it should go in this patch. Otherwise, it is an
> >ACK from me.
> New 389-DS is in Fedora 20 updates stable and Rawhide already.
> 389-ds-base-1.3.2.16-1.fc20. Also, selinux-policy 3.12.1-135 is now in
> Fedora 20 updates testing, providing multiple policy enhancements that
> make possible Apache process to work with kernel-based credentials
> caches.
>
> Attached patch makes use of the new packages.

ACK