On 07/02/2010 11:35 AM, Eugene Indenbom wrote:
The complete set of patches for LDAP connection framework is attached:
0001-GSSAPI-ticket-expiry-time-is-returned-from-ldap_chil.patch
0002-Added-an-interface-to-query-number-of-configured-and.patch
0003-LDAP-connection-usage-tracking-sharing-and-failover-.patch
0004-Add-an-interface-to-try-next-fail-over-server-after-.patch
0005-Use-new-LDAP-connection-framework-to-get-user-accoun.patch
0006-Use-new-LDAP-connection-framework-to-get-group-accou.patch
0007-Use-new-LDAP-connection-framework-to-get-user-accoun.patch
0008-Use-new-LDAP-connection-framework-for-LDAP-user-and-.patch
0009-Use-new-LDAP-connection-framework-in-LDAP-access-bac.patch
0010-Use-new-LDAP-connection-framework-in-IPA-access-back.patch
0011-Use-new-LDAP-connection-framework-in-IPA-dynamic-DNS.patch
0012-Remove-remainder-of-now-unused-global-LDAP-connectio.patch
All patches except for patch #11 (dynamic DNS updates) were tested as follows:
- The test target was an RPM build with all 12 patches applied
- All modified LDAP queries:
  - user account info retrieval (ldap_id.c)
  - group info retrieval (ldap_id.c)
  - user groups info retrieval (ldap_id.c)
  - users and groups enumerations (ldap_id_enum.c)
  - LDAP access handler (sdap_access.c)
  - IPA access handler (ipa_access.c)
  were tested for:
  - Normal operation
  - Fail-over retry after communication failure (during LDAP request execution)
  - Proper error reporting after fail-over retry limit is exceeded
  - Switching to offline operation when OFFLINE state is detected during LDAP request execution
I do not have an environment to test Dynamic DNS updates. It would be great if somebody could test them.
I'll get started testing these today. I may not get through them all until sometime next week, though. (Monday is a holiday in the USA as well)
Thanks very much!
I am sorry that the complete set of patches is so huge. I have done everything I could to make each patch as small and simple as possible. I would be glad to integrate any suggestions that could simplify or improve the result.
Eugene Indenbom
PS I have found a discrepancy in ONLINE and OFFLINE IPA access handling: when no IPA HBAC rules are defined, it is considered OK during ONLINE operation (PAM_PERM_DENIED is returned) but handled as PAM_SYSTEM_ERR during OFFLINE. Should I create a ticket for that?
Yes, please do. That's definitely wrong.
--
Stephen Gallagher
RHCE 804006346421761