Re: [Freeipa-devel] [PATCH] 404 ensure priority is unique
Pavel Zuna wrote:
> Rob Crittenden wrote:
> > Pavel Zůna wrote:
> > > Rob Crittenden wrote:
> > > > Pavel Zuna wrote:
> > > > > Jason Gerard DeRose wrote:
> > > > > > On Fri, 2010-03-12 at 18:01 -0500, Rob Crittenden wrote:
> > > > > > > Ensure that the group policy priority is unique.
> > > > > > >
> > > > > > > We use CoS to determine the order in which group policy is applied. The behavior in CoS is undefined for multiple entries with the same cospriority.
> > > > > > >
> > > > > > > This likely relies on some other outstanding pwpolicy patches.
> > > > > > >
> > > > > > > rob
> > > > > >
> > > > > > ack. pushed to master.
> > > > >
> > > > > The patch works, but I find the way it checks for priority uniqueness highly ineffective. It pulls out all policies and then retrieves their CoS entries one by one to do the checking. Instead it should just make a search for a CoS entry with the given priority.
> > > > >
> > > > > Pavel
> > > >
> > > > Well, we may need to store the group policy entries in a subtree then. All CoS policies are currently dumped into the same place making this impossible.
> > >
> > > Not necessarily. It's just a matter of tweaking the search filter. We can search only for CoS entries, that have the krbContainer object class and their krbPwdReference attribute contains a group DN.
> >
> > Oh right, duh. Yeah, it is even simpler than that as we don't need to look at group dns because only group policy is stored this way.
> >
> > New patch attached.
> >
> > rob
>
> The patch looks fine, but doesn't apply since the original patch was pushed.
>
> Pavel

Ok, I just pushed out the diff in unique_priority then.

rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 404 ensure priority is unique
Rob Crittenden wrote:
> Pavel Zůna wrote:
> > Rob Crittenden wrote:
> > > Pavel Zuna wrote:
> > > > Jason Gerard DeRose wrote:
> > > > > On Fri, 2010-03-12 at 18:01 -0500, Rob Crittenden wrote:
> > > > > > Ensure that the group policy priority is unique.
> > > > > >
> > > > > > We use CoS to determine the order in which group policy is applied. The behavior in CoS is undefined for multiple entries with the same cospriority.
> > > > > >
> > > > > > This likely relies on some other outstanding pwpolicy patches.
> > > > > >
> > > > > > rob
> > > > >
> > > > > ack. pushed to master.
> > > >
> > > > The patch works, but I find the way it checks for priority uniqueness highly ineffective. It pulls out all policies and then retrieves their CoS entries one by one to do the checking. Instead it should just make a search for a CoS entry with the given priority.
> > > >
> > > > Pavel
> > >
> > > Well, we may need to store the group policy entries in a subtree then. All CoS policies are currently dumped into the same place making this impossible.
> >
> > Not necessarily. It's just a matter of tweaking the search filter. We can search only for CoS entries, that have the krbContainer object class and their krbPwdReference attribute contains a group DN.
>
> Oh right, duh. Yeah, it is even simpler than that as we don't need to look at group dns because only group policy is stored this way.
>
> New patch attached.
>
> rob

The patch looks fine, but doesn't apply since the original patch was pushed.

Pavel
Re: [Freeipa-devel] [PATCH] 404 ensure priority is unique
Pavel Zůna wrote:
> Rob Crittenden wrote:
> > Pavel Zuna wrote:
> > > Jason Gerard DeRose wrote:
> > > > On Fri, 2010-03-12 at 18:01 -0500, Rob Crittenden wrote:
> > > > > Ensure that the group policy priority is unique.
> > > > >
> > > > > We use CoS to determine the order in which group policy is applied. The behavior in CoS is undefined for multiple entries with the same cospriority.
> > > > >
> > > > > This likely relies on some other outstanding pwpolicy patches.
> > > > >
> > > > > rob
> > > >
> > > > ack. pushed to master.
> > >
> > > The patch works, but I find the way it checks for priority uniqueness highly ineffective. It pulls out all policies and then retrieves their CoS entries one by one to do the checking. Instead it should just make a search for a CoS entry with the given priority.
> > >
> > > Pavel
> >
> > Well, we may need to store the group policy entries in a subtree then. All CoS policies are currently dumped into the same place making this impossible.
>
> Not necessarily. It's just a matter of tweaking the search filter. We can search only for CoS entries, that have the krbContainer object class and their krbPwdReference attribute contains a group DN.

Oh right, duh. Yeah, it is even simpler than that as we don't need to look at group dns because only group policy is stored this way.

New patch attached.

rob

freeipa-404-2-pwpolicy.patch
Description: application/mbox
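Added example, not part of the thread or of either FreeIPA patch: the two uniqueness checks discussed above, run against a constructed in-memory directory that counts round trips. `FakeDirectory`, the sample DNs and the function names are hypothetical; only the krbContainer object class and the cospriority attribute come from the thread.

```python
import re

def priority_filter(priority):
    """Single-search filter: CoS entries with krbContainer and this cospriority."""
    # int() rejects non-numeric input, so no filter metacharacters reach the string
    return "(&(objectClass=krbContainer)(cospriority=%d))" % int(priority)

class FakeDirectory:
    """Hypothetical stand-in for the LDAP server; counts round trips."""
    def __init__(self, entries):
        self.entries = entries            # dn -> {lowercase attr: [values]}
        self.round_trips = 0

    def read(self, dn):
        self.round_trips += 1
        return self.entries[dn]

    def search(self, filterstr):
        """Evaluate an AND of equality terms, the only filter shape used here."""
        self.round_trips += 1
        terms = re.findall(r"\(([A-Za-z]+)=([^()]*)\)", filterstr)
        return [dn for dn, attrs in self.entries.items()
                if all(v.lower() in (x.lower() for x in attrs.get(a.lower(), []))
                       for a, v in terms)]

def priority_taken_slow(directory, priority):
    """Approach criticised in the thread: list policies, read entries one by one."""
    wanted = str(int(priority))
    for dn in directory.search("(objectClass=krbContainer)"):
        if wanted in directory.read(dn).get("cospriority", []):
            return True
    return False

def priority_taken_fast(directory, priority):
    """Approach proposed in the thread: one search for the given priority."""
    return bool(directory.search(priority_filter(priority)))

# Constructed sample data (placeholder DNs under dc=example,dc=test)
SAMPLE = {
    "cn=editors,cn=cos,dc=example,dc=test":
        {"objectclass": ["cosTemplate", "krbContainer"], "cospriority": ["10"]},
    "cn=admins,cn=cos,dc=example,dc=test":
        {"objectclass": ["cosTemplate", "krbContainer"], "cospriority": ["20"]},
    # CoS entry that is not a group password policy; must not count as a clash
    "cn=other,cn=cos,dc=example,dc=test":
        {"objectclass": ["cosTemplate"], "cospriority": ["30"]},
}

if __name__ == "__main__":
    for check in (priority_taken_slow, priority_taken_fast):
        d = FakeDirectory(SAMPLE)
        print(check.__name__, check(d, 20), "round trips:", d.round_trips)
```

The slow check costs one round trip per policy on top of the initial listing, while the filtered search stays at one regardless of how many policies exist.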
Re: [Freeipa-devel] [PATCH] 404 ensure priority is unique
Rob Crittenden wrote:
> Pavel Zuna wrote:
> > Jason Gerard DeRose wrote:
> > > On Fri, 2010-03-12 at 18:01 -0500, Rob Crittenden wrote:
> > > > Ensure that the group policy priority is unique.
> > > >
> > > > We use CoS to determine the order in which group policy is applied. The behavior in CoS is undefined for multiple entries with the same cospriority.
> > > >
> > > > This likely relies on some other outstanding pwpolicy patches.
> > > >
> > > > rob
> > >
> > > ack. pushed to master.
> >
> > The patch works, but I find the way it checks for priority uniqueness highly ineffective. It pulls out all policies and then retrieves their CoS entries one by one to do the checking. Instead it should just make a search for a CoS entry with the given priority.
> >
> > Pavel
>
> Well, we may need to store the group policy entries in a subtree then. All CoS policies are currently dumped into the same place making this impossible.

Not necessarily. It's just a matter of tweaking the search filter. We can search only for CoS entries, that have the krbContainer object class and their krbPwdReference attribute contains a group DN.

> rob

Pavel
Re: [Freeipa-devel] [PATCH] 404 ensure priority is unique
Pavel Zuna wrote:
> Jason Gerard DeRose wrote:
> > On Fri, 2010-03-12 at 18:01 -0500, Rob Crittenden wrote:
> > > Ensure that the group policy priority is unique.
> > >
> > > We use CoS to determine the order in which group policy is applied. The behavior in CoS is undefined for multiple entries with the same cospriority.
> > >
> > > This likely relies on some other outstanding pwpolicy patches.
> > >
> > > rob
> >
> > ack. pushed to master.
>
> The patch works, but I find the way it checks for priority uniqueness highly ineffective. It pulls out all policies and then retrieves their CoS entries one by one to do the checking. Instead it should just make a search for a CoS entry with the given priority.
>
> Pavel

Well, we may need to store the group policy entries in a subtree then. All CoS policies are currently dumped into the same place making this impossible.

rob
Re: [Freeipa-devel] [PATCH] 404 ensure priority is unique
Jason Gerard DeRose wrote:
> On Fri, 2010-03-12 at 18:01 -0500, Rob Crittenden wrote:
> > Ensure that the group policy priority is unique.
> >
> > We use CoS to determine the order in which group policy is applied. The behavior in CoS is undefined for multiple entries with the same cospriority.
> >
> > This likely relies on some other outstanding pwpolicy patches.
> >
> > rob
>
> ack. pushed to master.

The patch works, but I find the way it checks for priority uniqueness highly ineffective. It pulls out all policies and then retrieves their CoS entries one by one to do the checking. Instead it should just make a search for a CoS entry with the given priority.

Pavel
Re: [Freeipa-devel] [PATCH] 404 ensure priority is unique
On Fri, 2010-03-12 at 18:01 -0500, Rob Crittenden wrote:
> Ensure that the group policy priority is unique.
>
> We use CoS to determine the order in which group policy is applied. The behavior in CoS is undefined for multiple entries with the same cospriority.
>
> This likely relies on some other outstanding pwpolicy patches.
>
> rob

ack. pushed to master.
[Freeipa-devel] [PATCH] 404 ensure priority is unique
Ensure that the group policy priority is unique.

We use CoS to determine the order in which group policy is applied. The behavior in CoS is undefined for multiple entries with the same cospriority.

This likely relies on some other outstanding pwpolicy patches.

rob

freeipa-404-pwpolicy.patch
Description: application/mbox