On Wed, 2009-11-04 at 17:32 +0100, Sumit Bose wrote:
> On Mon, Nov 02, 2009 at 05:28:20PM +0100, Sumit Bose wrote:
> > Hi,
> >
> > this is the first part of the access target of the IPA provider. It is
> > not complete but I thought it might be easier to review if the next
> > features are coming in smaller patches. Currently the service and user
> > data of the HBAC rules are evaluated.
> >
> > If you want to test it you need a current IPA v2 server together with
> > some uncommitted patches, namely
> > - [PATCH] Make ldap2.convert_attr_synonyms more robust against schema
> > lookup fails.
> > - [Freeipa-devel] [PATCH] Handle ipaEnabledFlag as bool (TRUE/FALSE)
> > instead of string (enabled/disabled).
> >
> > and if you use 1.9.0
> > - [Freeipa-devel] [PATCH] 303 proper syntax for fqdn
> >
> > bye,
> > Sumit
>
> Hi,
>
> this is a new version which addresses a couple of issues which were
> discussed on IRC, namely
> - output variables after input variable in evaluate_ipa_hbac_rules()
> - use the same context as the id provider to save the second LDAP
> connection
> - store the original memberOf attributes as origMemberOf in sysdb

Looks good to me.

The only thing is that I have defined SYSDB_ORIG_MEMBEROF
"originalMemberOf" in my recent patches. I guess you should use that one
instead of IPA_HOST_ORIGMEMBEROF.

Simo.

--
Simo Sorce * Red Hat, Inc * New York