On Tue, 21 Oct 2014, thierry bordaz wrote:
On 10/20/2014 08:25 PM, Alexander Bokovoy wrote:
Hi!

This patch is for ipa-4-1 branch to enable uniqueness plugin for uid
attribute for entries with objectclass posixAccount.

We don't have uid uniqueness enforced in FreeIPA < 4.1 yet, but for
posixAccounts it worked due to our design of a flat tree: as the uid
attribute is part of the DN, renaming user entries enforces uniqueness,
since MODRDN will fail if an entry with the same uid already exists.

However, it is not enough for ID views -- we should be able to allow
ID view overrides for the same uid across multiple views and we should
be able to protect uid uniqueness more generally too.

Implementation is done via an update plugin that checks for an existing uid
uniqueness plugin and, if it is missing, adds it. If the plugin already
exists, its configuration is updated.

I haven't added an update specific to git master, where the staging subtree
is added, but I'll do that after the FreeIPA 4.1 release, as in 4.1 we don't
yet have the staging subtree. Currently master has a broken setup for the uid
uniqueness plugin that doesn't actually work anyway, so it will be easier
to add the upgrade over a properly configured entry.

https://fedorahosted.org/freeipa/ticket/4636
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Hello Alexander,

  In case the DS instance already has an enabled uniqueness 'uid' plugin,
  I wonder if there is a risk if the configuration of the plugin
  contains former attributes like nsslapd-pluginarg0.
  My understanding is that ldap.update_entry will keep those former
  attributes and add new config attributes like
  uniqueness-across-all-subtrees.
  If this is the case, DS will incorrectly configure the plugin
  because it does not support a mixed configuration style.
  In that case it will consider only the former attributes.
Yes, this is why I'm saying the support for it will be added with a
patch to master. We don't have uid uniqueness enabled in anything prior to
FreeIPA 4.1, and the code in git master is the only place where a wrong
config could come from. I want to establish a clear base from which the
conversion will come.



--
/ Alexander Bokovoy
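An added illustration of the risk raised in this thread (example code, not FreeIPA's update plugin): a plugin entry that still carries legacy `nsslapd-pluginargN` attributes must have them dropped before new-style `uniqueness-*` attributes are set, otherwise DS sees a mixed configuration and honours only the legacy attributes. The entry contents and the subtree DN are constructed; the attribute names other than `uniqueness-across-all-subtrees` are the plugin's documented new-style keys, assumed here.

```python
"""Guard against mixed-style 389 DS attribute-uniqueness plugin config."""
import re

# Legacy positional configuration: nsslapd-pluginarg0, nsslapd-pluginarg1, ...
LEGACY_ARG = re.compile(r"^nsslapd-pluginarg\d+$", re.IGNORECASE)

# New-style configuration to apply (assumed keys; subtree DN is constructed).
NEW_STYLE = {
    "uniqueness-attribute-name": ["uid"],
    "uniqueness-subtrees": ["cn=accounts,dc=example,dc=com"],
    "uniqueness-across-all-subtrees": ["on"],
}

# Constructed sample of an already enabled 'uid uniqueness' plugin entry
# configured in the legacy style, as Thierry's scenario describes.
LEGACY_ENTRY = {
    "cn": ["uid uniqueness"],
    "nsslapd-pluginEnabled": ["on"],
    "nsslapd-pluginarg0": ["uid"],
    "nsslapd-pluginarg1": ["cn=accounts,dc=example,dc=com"],
}


def config_style(entry):
    """Classify a plugin entry as 'legacy', 'new', 'mixed' or 'none'.

    LDAP attribute names are case-insensitive, so compare case-folded.
    """
    has_legacy = any(LEGACY_ARG.match(attr) for attr in entry)
    has_new = any(attr.lower().startswith("uniqueness-") for attr in entry)
    if has_legacy and has_new:
        return "mixed"
    if has_legacy:
        return "legacy"
    return "new" if has_new else "none"


def naive_update(entry, new_style=NEW_STYLE):
    """Plain merge, as an update that only adds attributes would do."""
    merged = {attr: list(vals) for attr, vals in entry.items()}
    merged.update({attr: list(vals) for attr, vals in new_style.items()})
    return merged


def merge_uniqueness_config(entry, new_style=NEW_STYLE):
    """Drop legacy positional args, keep everything else, then set new keys."""
    merged = {attr: list(vals) for attr, vals in entry.items()
              if not LEGACY_ARG.match(attr)}
    merged.update({attr: list(vals) for attr, vals in new_style.items()})
    return merged
```

Running `config_style` on the naive result reports `mixed`, the state DS would resolve in favour of the legacy attributes; the cleaned merge reports `new`.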