[PATCH] Make it possible to inherit ignore_group_members, ldap_purge_cache_timeout and ldap_use_tokengroups into subdomains
Hi,
the attached patches are a short-term fix until subdomains can be configured separately in the config file. They add a new option subdomain_inherit and make it possible to inherit three options we learned our users care about for subdomains - ignore_group_members, ldap_purge_cache_timeout and ldap_use_tokengroups.
On (11/05/15 10:47), Jakub Hrozek wrote:
Hi,
the attached patches are a short-term fix until subdomains can be configured separately in the config file. They add a new option subdomain_inherit and make it possible to inherit three options we learned our users care about for subdomains - ignore_group_members, ldap_purge_cache_timeout and ldap_use_tokengroups.
From 07e467c409d7b1b5386eb0221e1e873c2b71fcb1 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek jhrozek@redhat.com Date: Tue, 28 Apr 2015 13:48:42 +0200 Subject: [PATCH 4/4] subdomains: Inherit cleanup period and tokengroup settings from parent domain
Allows the administrator to extend the functionality of ldap_purge_cache_timeout and ldap_use_tokengroups to the subdomains.
This is a less intrusive way of achieving: https://fedorahosted.org/sssd/ticket/2627
src/man/sssd.conf.5.xml | 6 ++++++ src/providers/ad/ad_subdomains.c | 4 ++++ src/providers/ipa/ipa_subdomains.c | 4 ++++ src/providers/ldap/ldap_common.c | 19 +++++++++++++++++++ src/providers/ldap/ldap_common.h | 4 ++++ 5 files changed, 37 insertions(+)
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml index 98c8ea2ff1462139c398cf0be6273b985442b6b6..bc0bb94143e53ead34b43d5500b18e44f50d71ae 100644 --- a/src/man/sssd.conf.5.xml +++ b/src/man/sssd.conf.5.xml @@ -492,6 +492,12 @@ ignore_group_members </para> <para>
ldap_purge_cache_timeout</para><para>ldap_use_tokengroups</para><para> Example: <programlisting>
I have another candidate. Some users does not use UPN as we expected. We might add "ldap_user_principal" as well.
LS
On Fri, May 15, 2015 at 08:39:07AM +0200, Lukas Slebodnik wrote:
On (11/05/15 10:47), Jakub Hrozek wrote:
Hi,
the attached patches are a short-term fix until subdomains can be configured separately in the config file. They add a new option subdomain_inherit and make it possible to inherit three options we learned our users care about for subdomains - ignore_group_members, ldap_purge_cache_timeout and ldap_use_tokengroups.
From 07e467c409d7b1b5386eb0221e1e873c2b71fcb1 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek jhrozek@redhat.com Date: Tue, 28 Apr 2015 13:48:42 +0200 Subject: [PATCH 4/4] subdomains: Inherit cleanup period and tokengroup settings from parent domain
Allows the administrator to extend the functionality of ldap_purge_cache_timeout and ldap_use_tokengroups to the subdomains.
This is a less intrusive way of achieving: https://fedorahosted.org/sssd/ticket/2627
src/man/sssd.conf.5.xml | 6 ++++++ src/providers/ad/ad_subdomains.c | 4 ++++ src/providers/ipa/ipa_subdomains.c | 4 ++++ src/providers/ldap/ldap_common.c | 19 +++++++++++++++++++ src/providers/ldap/ldap_common.h | 4 ++++ 5 files changed, 37 insertions(+)
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml index 98c8ea2ff1462139c398cf0be6273b985442b6b6..bc0bb94143e53ead34b43d5500b18e44f50d71ae 100644 --- a/src/man/sssd.conf.5.xml +++ b/src/man/sssd.conf.5.xml @@ -492,6 +492,12 @@ ignore_group_members </para> <para>
ldap_purge_cache_timeout</para><para>ldap_use_tokengroups</para><para> Example: <programlisting>I have another candidate. Some users does not use UPN as we expected. We might add "ldap_user_principal" as well.
Yes :-) See the latest (private) comments in #1211631.
On Fri, May 15, 2015 at 08:39:07AM +0200, Lukas Slebodnik wrote:
On (11/05/15 10:47), Jakub Hrozek wrote:
Hi,
the attached patches are a short-term fix until subdomains can be configured separately in the config file. They add a new option subdomain_inherit and make it possible to inherit three options we learned our users care about for subdomains - ignore_group_members, ldap_purge_cache_timeout and ldap_use_tokengroups.
From 07e467c409d7b1b5386eb0221e1e873c2b71fcb1 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek jhrozek@redhat.com Date: Tue, 28 Apr 2015 13:48:42 +0200 Subject: [PATCH 4/4] subdomains: Inherit cleanup period and tokengroup settings from parent domain
Allows the administrator to extend the functionality of ldap_purge_cache_timeout and ldap_use_tokengroups to the subdomains.
This is a less intrusive way of achieving: https://fedorahosted.org/sssd/ticket/2627
src/man/sssd.conf.5.xml | 6 ++++++ src/providers/ad/ad_subdomains.c | 4 ++++ src/providers/ipa/ipa_subdomains.c | 4 ++++ src/providers/ldap/ldap_common.c | 19 +++++++++++++++++++ src/providers/ldap/ldap_common.h | 4 ++++ 5 files changed, 37 insertions(+)
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml index 98c8ea2ff1462139c398cf0be6273b985442b6b6..bc0bb94143e53ead34b43d5500b18e44f50d71ae 100644 --- a/src/man/sssd.conf.5.xml +++ b/src/man/sssd.conf.5.xml @@ -492,6 +492,12 @@ ignore_group_members </para> <para>
ldap_purge_cache_timeout</para><para>ldap_use_tokengroups</para><para> Example: <programlisting>I have another candidate. Some users does not use UPN as we expected. We might add "ldap_user_principal" as well.
Hi,
attached patches also make it possible to inherit ldap_user_principal.
On Fri, May 22, 2015 at 06:50:02PM +0200, Jakub Hrozek wrote:
On Fri, May 15, 2015 at 08:39:07AM +0200, Lukas Slebodnik wrote:
On (11/05/15 10:47), Jakub Hrozek wrote:
Hi,
the attached patches are a short-term fix until subdomains can be configured separately in the config file. They add a new option subdomain_inherit and make it possible to inherit three options we learned our users care about for subdomains - ignore_group_members, ldap_purge_cache_timeout and ldap_use_tokengroups.
From 07e467c409d7b1b5386eb0221e1e873c2b71fcb1 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek jhrozek@redhat.com Date: Tue, 28 Apr 2015 13:48:42 +0200 Subject: [PATCH 4/4] subdomains: Inherit cleanup period and tokengroup settings from parent domain
Allows the administrator to extend the functionality of ldap_purge_cache_timeout and ldap_use_tokengroups to the subdomains.
This is a less intrusive way of achieving: https://fedorahosted.org/sssd/ticket/2627
src/man/sssd.conf.5.xml | 6 ++++++ src/providers/ad/ad_subdomains.c | 4 ++++ src/providers/ipa/ipa_subdomains.c | 4 ++++ src/providers/ldap/ldap_common.c | 19 +++++++++++++++++++ src/providers/ldap/ldap_common.h | 4 ++++ 5 files changed, 37 insertions(+)
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml index 98c8ea2ff1462139c398cf0be6273b985442b6b6..bc0bb94143e53ead34b43d5500b18e44f50d71ae 100644 --- a/src/man/sssd.conf.5.xml +++ b/src/man/sssd.conf.5.xml @@ -492,6 +492,12 @@ ignore_group_members </para> <para>
ldap_purge_cache_timeout</para><para>ldap_use_tokengroups</para><para> Example: <programlisting>I have another candidate. Some users does not use UPN as we expected. We might add "ldap_user_principal" as well.
Hi,
attached patches also make it possible to inherit ldap_user_principal.
Bump..
Hello Jakub,
1st patch: I remember Lukas having problems with such patches - to quote him:
The most problematic part is that man page is updated before feature is implemented. Opposite order of patches could be acceptable but I prefer to have change in man page for small features in the same patch.
I'm CCing him if he wants to comment otherwise it's fine by me.
+++ b/src/man/sssd.conf.5.xml @@ -479,7 +479,25 @@ </para> </listitem> </varlistentry>
<varlistentry><term>subdomain_inherit (string)</term><listitem><para>Specifies a list of configurationparameters that
should be inherited by a subdomain.Please note
that only selected parametrs can beinherited.
typo: paramet*e*rs
</para><para>
2nd patch) Would you mind making parent_dom const?
+void dp_option_inherit(struct sss_domain_info *parent_dom,
int option,struct dp_option *parent_opts,struct dp_option *subdom_opts)
3rd patch)
+errno_t sdap_copy_map_entry(struct sdap_attr_map *src_map,
const?
struct sdap_attr_map *dst_map,int entry_index)+{
- if (src_map[entry_index].name != NULL) {
dst_map[entry_index].name = talloc_strdup(dst_map,- src_map[entry_index].name);
formatting issue
if (dst_map[entry_index].name == NULL) {return ENOMEM;}- } else {
src_map->name = NULL;
dst_map?
- }
- return EOK;
+}
I suppose that test_sdap_copy_map_entry_null_name needs dst_map not to be nulled to work properly.
5th patch)
+static void sdap_inherit_user_options(struct sss_domain_info *parent_dom,
struct sdap_attr_map*parent_user_map,
struct sdap_attr_map*child_user_map) +{
- int inherit_options[] = {
SDAP_AT_USER_PRINC,SDAP_OPTS_USER /* sentinel */- };
- int i;
- for (i = 0; inherit_options[i] != SDAP_OPTS_USER; i++) {
sdap_copy_map_entry(parent_user_map, child_user_map, i);
s/i/inherit_options[i] ?
- }
+}
I'm going to test the patches now.
Thanks!
On Wed, Jun 03, 2015 at 03:36:03PM +0200, Pavel Reichl wrote:
Hello Jakub,
1st patch: I remember Lukas having problems with such patches - to quote him:
The most problematic part is that man page is updated before feature is implemented. Opposite order of patches could be acceptable but I prefer to have change in man page for small features in the same patch.
I'm CCing him if he wants to comment otherwise it's fine by me.
+++ b/src/man/sssd.conf.5.xml @@ -479,7 +479,25 @@ </para> </listitem> </varlistentry>
<varlistentry><term>subdomain_inherit (string)</term><listitem><para>Specifies a list of configuration parametersthat
should be inherited by a subdomain. Pleasenote
that only selected parametrs can beinherited.
typo: paramet*e*rs
Fixed
</para><para>2nd patch) Would you mind making parent_dom const?
Done
+void dp_option_inherit(struct sss_domain_info *parent_dom,
int option,struct dp_option *parent_opts,struct dp_option *subdom_opts)3rd patch)
+errno_t sdap_copy_map_entry(struct sdap_attr_map *src_map,
const?
Done
struct sdap_attr_map *dst_map,int entry_index)+{
- if (src_map[entry_index].name != NULL) {
dst_map[entry_index].name = talloc_strdup(dst_map,- src_map[entry_index].name);
formatting issue
Fixed
if (dst_map[entry_index].name == NULL) {return ENOMEM;}- } else {
src_map->name = NULL;dst_map?
- }
- return EOK;
+}
I suppose that test_sdap_copy_map_entry_null_name needs dst_map not to be nulled to work properly.
Fixed
5th patch)
+static void sdap_inherit_user_options(struct sss_domain_info *parent_dom,
struct sdap_attr_map*parent_user_map,
struct sdap_attr_map*child_user_map) +{
- int inherit_options[] = {
SDAP_AT_USER_PRINC,SDAP_OPTS_USER /* sentinel */- };
- int i;
- for (i = 0; inherit_options[i] != SDAP_OPTS_USER; i++) {
sdap_copy_map_entry(parent_user_map, child_user_map, i);s/i/inherit_options[i] ?
No, the parameter is an integer.
- }
+}
I'm going to test the patches now.
Thanks!
Thank you, new patches are attached.
5th patch)
+static void sdap_inherit_user_options(struct sss_domain_info *parent_dom,
struct sdap_attr_map*parent_user_map,
struct sdap_attr_map*child_user_map) +{
- int inherit_options[] = {
SDAP_AT_USER_PRINC,SDAP_OPTS_USER /* sentinel */- };
- int i;
- for (i = 0; inherit_options[i] != SDAP_OPTS_USER; i++) {
sdap_copy_map_entry(parent_user_map, child_user_map, i);s/i/inherit_options[i] ?
No, the parameter is an integer.
Yes, it's integer - I'd expect that you want to call:
sdap_copy_map_entry(parent_user_map, child_user_map, SDAP_AT_USER_PRINC) rather then sdap_copy_map_entry(parent_user_map, child_user_map, 0)
I don't see what's the point of values of inherit_options at all if the code would be right...I'll have another look tomorrow with fresh eyes.
Jakub it must be a typo - I can't resolve user from subdomain with patches applied, but if I do the proposed change resolving of subdomain users starts to work.
sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
On Wed, Jun 03, 2015 at 06:04:36PM +0200, Pavel Reichl wrote:
5th patch)
+static void sdap_inherit_user_options(struct sss_domain_info *parent_dom,
struct sdap_attr_map*parent_user_map,
struct sdap_attr_map*child_user_map) +{
- int inherit_options[] = {
SDAP_AT_USER_PRINC,SDAP_OPTS_USER /* sentinel */- };
- int i;
- for (i = 0; inherit_options[i] != SDAP_OPTS_USER; i++) {
sdap_copy_map_entry(parent_user_map, child_user_map, i);s/i/inherit_options[i] ?
No, the parameter is an integer.
Yes, it's integer - I'd expect that you want to call:
sdap_copy_map_entry(parent_user_map, child_user_map, SDAP_AT_USER_PRINC) rather then sdap_copy_map_entry(parent_user_map, child_user_map, 0)
I don't see what's the point of values of inherit_options at all if the code would be right...I'll have another look tomorrow with fresh eyes.
Jakub it must be a typo - I can't resolve user from subdomain with patches applied, but if I do the proposed change resolving of subdomain users starts to work.
Of course you're right, sorry.
2nd patch)
+/* =Copy-Option-From-Subdomain-If-Allowed================================= */
Should be Copy-Option-From-Parent?
+void dp_option_inherit(const struct sss_domain_info *parent_dom,
Sorry for late notice, but would it be a good idea to pass parent_dom->sd_inherit instead of parent_dom? I mean it's better to pass only input data needed by function directly and I guess testing would be a little shorter, but since it's already done I really don't insist. I'm just proposing.
int option,struct dp_option *parent_opts,struct dp_option *subdom_opts)+{
5th patch)
+static void sdap_inherit_user_options(struct sss_domain_info *parent_dom,
struct sdap_attr_map*parent_user_map,
struct sdap_attr_map*child_user_map) +{
- int inherit_options[] = {
SDAP_AT_USER_PRINC,SDAP_OPTS_USER /* sentinel */- };
- int i;
- for (i = 0; inherit_options[i] != SDAP_OPTS_USER; i++) {
Shouldn't we check inherit_option here as well otherwise SDAP_AT_USER_PRINC gets inherited always.
- sdap_copy_map_entry(parent_user_map,
child_user_map,inherit_options[i]);- }
+}
On Thu, Jun 04, 2015 at 05:41:09PM +0200, Pavel Reichl wrote:
2nd patch)
+/* =Copy-Option-From-Subdomain-If-Allowed================================= */
Should be Copy-Option-From-Parent?
+void dp_option_inherit(const struct sss_domain_info *parent_dom,
Sorry for late notice, but would it be a good idea to pass parent_dom->sd_inherit instead of parent_dom? I mean it's better to pass only input data needed by function directly and I guess testing would be a little shorter, but since it's already done I really don't insist. I'm just proposing.
Done for both dp_option_inherit and sdap_inherit_user_options(). The only downside I see is that the string list is not const, becase string_in_list accepts non-const string.
We could add string_in_clist() I guess, or even keep the sdap_* and dp_* interface with const but discard const before calling string_in_list..
int option,struct dp_option *parent_opts,struct dp_option *subdom_opts)+{
5th patch)
+static void sdap_inherit_user_options(struct sss_domain_info *parent_dom,
struct sdap_attr_map*parent_user_map,
struct sdap_attr_map*child_user_map) +{
- int inherit_options[] = {
SDAP_AT_USER_PRINC,SDAP_OPTS_USER /* sentinel */- };
- int i;
- for (i = 0; inherit_options[i] != SDAP_OPTS_USER; i++) {
Shouldn't we check inherit_option here as well otherwise SDAP_AT_USER_PRINC gets inherited always.
You're right and that was a really sloppy patch.
New patchset is attached.
- sdap_copy_map_entry(parent_user_map,
child_user_map,inherit_options[i]);- }
+}
On 06/05/2015 12:36 PM, Jakub Hrozek wrote: [snip]
You're right and that was a really sloppy patch.
New patchset is attached.
Actually I'm happy to see that not just my patches need more passes to be acked :-).
5th patch)
+static void sdap_inherit_user_options(char **inherit_opt_list,
struct sdap_attr_map*parent_user_map,
struct sdap_attr_map*child_user_map) +{
- int inherit_options[] = {
SDAP_AT_USER_PRINC,SDAP_OPTS_USER /* sentinel */- };
- int i;
- int opt_index;
- bool inherit_option;
- for (i = 0; inherit_options[i] != SDAP_OPTS_USER; i++) {
opt_index = inherit_options[i];inherit_option =string_in_list(parent_user_map[opt_index].opt_name,
inherit_opt_list,false);if (inherit_option == false) {continue;}sdap_copy_map_entry(parent_user_map,child_user_map,inherit_options[i]);
Before pushing you might 's/inherit_options[i]/opt_index/' to reuse newly introduced variable but I don't really care.
- }
+}
CI passed: http://sssd-ci.duckdns.org/logs/job/16/81/summary.html
My testing passed. I found just one nitpick and I leave it to Jakub's discretion how to handle it.
ACK
On Fri, Jun 05, 2015 at 02:38:00PM +0200, Pavel Reichl wrote:
CI passed: http://sssd-ci.duckdns.org/logs/job/16/81/summary.html
My testing passed. I found just one nitpick and I leave it to Jakub's discretion how to handle it.
ACK
Thanks, good idea. Please see one more round of patches, only the sdap_copy_map_entry() call was changed.
On 06/05/2015 02:53 PM, Jakub Hrozek wrote:
On Fri, Jun 05, 2015 at 02:38:00PM +0200, Pavel Reichl wrote:
CI passed: http://sssd-ci.duckdns.org/logs/job/16/81/summary.html
My testing passed. I found just one nitpick and I leave it to Jakub's discretion how to handle it.
ACK
Thanks, good idea. Please see one more round of patches, only the sdap_copy_map_entry() call was changed.
sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
I quickly successfully retested the patch. CI still passes: http://sssd-ci.duckdns.org/logs/job/16/82/summary.html
ACK
On Fri, Jun 05, 2015 at 03:36:49PM +0200, Pavel Reichl wrote:
On 06/05/2015 02:53 PM, Jakub Hrozek wrote:
On Fri, Jun 05, 2015 at 02:38:00PM +0200, Pavel Reichl wrote:
CI passed: http://sssd-ci.duckdns.org/logs/job/16/81/summary.html
My testing passed. I found just one nitpick and I leave it to Jakub's discretion how to handle it.
ACK
Thanks, good idea. Please see one more round of patches, only the sdap_copy_map_entry() call was changed.
sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
I quickly successfully retested the patch. CI still passes: http://sssd-ci.duckdns.org/logs/job/16/82/summary.html
ACK
Thank you for the review, pushed upstream:
master: 9b162bf39ef75629f54ffa1d0bd5f9c13119b650 01c049ceef55c7bbfca1e47cecb2a0a2cf0a5d44 12089241f6a6eabf4f0c95669e5fc2bb3b503c06 b3d110fbc424a03674a6e50e489a7cbab9702f0b 1711cbfd2e36d44af1ae50e3a2beeec3a1f0b5e8 sssd-1-12: 602eb710c62c192060debad3062f13677ec3b105 27d8524cf635d61d93c71539709a30e1205dcaf1 155e6c7223b732bfcb2984aa79462f60c092bba8 37a84884634e6e969c3617dac7fa1e463f42177b da2d33f81746a9bf8abd97becaf17005e4f89d2c
sssd-devel@lists.fedorahosted.org
-
Jakub Hrozek -
Lukas Slebodnik -
Pavel Reichl