It is well known that with IPA we want to try to move people from the netgroups to host groups but many companies currently use netgroups as hostgroups. To simplify migration I suggest that we by default always create a managed "nisnetgroup" entry that would map 1-1 to the host group using managed entry plugin. The logic would work the following way:
In the UI/CLI we will filter out managed netgroups in all cases related to the identity part of the server (list of netgroups, user members of the netgroup, host members of the netgroup, etc.). The netgroups will be available only in special cases like the SUDO plugin.
The work will consist of:
1. Defining the managed entry plugin config for this case
2. Adding this configuration to the installation sequence
3. Updating netgroup searches to filter out managed entries
4. Allowing all netgroups in the SUDO plugin (I think this is already the case)
5. Adding a description of how to turn this feature off/on
Since managed entries do not currently allow a definition entry to be deleted, you cannot use that approach to disable the feature. You might be able to set the managed entry filter to something that will never be triggered, such as "(objectclass=DISABLED)", as a workaround.
Please try the proposed workaround. If it works then we will use it and defer fixing the DS part till later time.
I have what may be a working patch to allow for proper Managed Entry support when creating a hostgroup to spawn a netgroup. I am working on a stand-alone script similar to 'compat-enable' that would be run to disable/re-enable the plugin post install.
I have been working with nkinder and richm for several days now regarding a bug with the Managed Plugin code that seems to crash the ns-slapd daemon during hostgroup creation.
Patch sent for review freeipa-jraquino-0007-2-managed-entry-hostgroup-netgroup-support.patch
Nice. Can you update the task with these tests as well? I'd suggest trying a netgroup-del testing to confirm that the managed entry can't be deleted.
UPDATE <test confirmed>:
ipa netgroup-del testing
ipa: ERROR: Server is unwilling to perform: Deleting a managed entry is not allowed. It needs to be manually unlinked first.
Ok, I have adjusted the patch to correct for the errors (and the trailing whitespace).
Fixed the man page (will send a one-liner fix for ipa-compat-manage's man page).
It now installs host_nis_groups.ldif.
It now cleanly applies and builds, and functions against the master.
It references 389-ds-base 1.2.7.4.
To test (hopefully this is pretty obvious and straightforward):

(1)
<should return> Plugin Enabled

(2)
<should return> Disabling Plugin

(3)
<should return> Enabling Plugin

(4)
ipa hostgroup-add testing
ipa hostgroup-add-member --host=servername.com testing
ipa hostgroup-show testing
<should return ipa hostgroup>

(5)
ldapsearch -x -b 'cn=testing,cn=ng,cn=alt,$SUFFIX' -x -D 'cn=Directory Manager' -W
<should return>
dn: cn=testing,cn=ng,cn=alt,$SUFFIX
objectClass: ipanisnetgroup
objectClass: mepManagedEntry
objectClass: ipaAssociation
objectClass: top
cn: testing
memberHost: cn=testing,cn=hostgroups,cn=accounts,$SUFFIX
description: ipaNetgroup testing
mepManagedBy: cn=testing,cn=hostgroups,cn=accounts,$SUFFIX
ipaUniqueID: 9d0039ca-04b4-11e0-9494-8a3d259cb0b9

(6)
ipa hostgroup-del testing
<should return>

(7)
ldapsearch -x -b 'cn=testing,cn=ng,cn=alt,$SUFFIX' -x -D 'cn=Directory Manager' -W
<should return>
search: 2
result: 32 No such object
matchedDN: cn=ng,cn=alt,$SUFFIX
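The following is an added example, not code from this ticket or from FreeIPA. It shows, in one place, the two technical pieces discussed above: the 389-ds Managed Entries definition and template that make a hostgroup spawn a 1-1 netgroup (the design from the first comment, with the "(objectclass=DISABLED)" originFilter flip suggested as the on/off workaround), and the check a tester would run over the ldapsearch output from step (5) and step (7). The suffix, the template/definition DNs and the attribute choices in the template are assumptions; the real host_nis_groups.ldif shipped by the patch may use different names. The sample search outputs are constructed from the expected results listed in the test procedure.

```python
"""Added example (not the ticket's or FreeIPA's own code).

Builds the Managed Entries plugin config that maps a hostgroup 1-1 to a
netgroup, the originFilter flip used to disable/enable it, and a checker
for the ldapsearch output a tester sees after hostgroup-add / -del.
"""

SUFFIX = "dc=example,dc=com"  # constructed stand-in for $SUFFIX
HOSTGROUP_BASE = f"cn=hostgroups,cn=accounts,{SUFFIX}"
NETGROUP_BASE = f"cn=ng,cn=alt,{SUFFIX}"
# Assumed entry names; only the cn=Managed Entries,cn=etc layout is the plugin's convention.
TEMPLATE_DN = f"cn=NGP HGP Template,cn=Templates,cn=Managed Entries,cn=etc,{SUFFIX}"
DEFINITION_DN = f"cn=NGP Definition,cn=Definitions,cn=Managed Entries,cn=etc,{SUFFIX}"
ENABLED_FILTER = "(objectclass=ipahostgroup)"
DISABLED_FILTER = "(objectclass=DISABLED)"  # matches nothing, so nothing is spawned


def managed_entry_config_ldif() -> str:
    """Template + definition: each entry under originScope matching originFilter
    gets a managed entry under managedBase built from the template.
    (ipaUniqueID 'autogenerate' assumes IPA's uniqueid generation; an assumption.)"""
    return f"""dn: {TEMPLATE_DN}
objectclass: mepTemplateEntry
cn: NGP HGP Template
mepRDNAttr: cn
mepStaticAttr: ipaUniqueID: autogenerate
mepStaticAttr: objectclass: ipanisnetgroup
mepStaticAttr: objectclass: ipaAssociation
mepMappedAttr: cn: $cn
mepMappedAttr: memberHost: $dn
mepMappedAttr: description: ipaNetgroup $cn

dn: {DEFINITION_DN}
objectclass: extensibleObject
cn: NGP Definition
originScope: {HOSTGROUP_BASE}
originFilter: {ENABLED_FILTER}
managedBase: {NETGROUP_BASE}
managedTemplate: {TEMPLATE_DN}
"""


def toggle_ldif(enable: bool) -> str:
    """ldapmodify input for the workaround: the definition cannot be deleted,
    so its originFilter is replaced with one that can/cannot match."""
    new_filter = ENABLED_FILTER if enable else DISABLED_FILTER
    return (f"dn: {DEFINITION_DN}\nchangetype: modify\n"
            f"replace: originFilter\noriginFilter: {new_filter}\n")


def parse_ldif_entry(text: str) -> dict[str, list[str]]:
    """Minimal LDIF reader for one entry: folds ' '-continuation lines, skips
    comments, lower-cases attribute names. No base64 ('::') support."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry: dict[str, list[str]] = {}
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def check_managed_netgroup(ldif_text: str, hostgroup: str) -> list[str]:
    """Step (5): the spawned netgroup must live under cn=ng,cn=alt, carry
    mepManagedEntry, and point back at the hostgroup via mepManagedBy and
    memberHost. Returns a list of problems; empty means it is linked correctly."""
    entry = parse_ldif_entry(ldif_text)
    hg_dn = f"cn={hostgroup},{HOSTGROUP_BASE}"
    problems = []
    if entry.get("dn") != [f"cn={hostgroup},{NETGROUP_BASE}"]:
        problems.append(f"unexpected dn {entry.get('dn')}")
    if "mepmanagedentry" not in [v.lower() for v in entry.get("objectclass", [])]:
        problems.append("missing objectClass mepManagedEntry")
    if entry.get("mepmanagedby") != [hg_dn]:
        problems.append(f"mepManagedBy does not point at {hg_dn}")
    if hg_dn not in entry.get("memberhost", []):
        problems.append(f"memberHost does not include {hg_dn}")
    return problems


def is_no_such_object(search_output: str) -> bool:
    """Step (7): after hostgroup-del the managed netgroup must be gone (result 32)."""
    return parse_ldif_entry(search_output).get("result", [""])[0].startswith("32")


# Constructed samples mirroring the expected output of steps (5) and (7).
SAMPLE_NETGROUP_LDIF = f"""dn: cn=testing,cn=ng,cn=alt,{SUFFIX}
objectClass: ipanisnetgroup
objectClass: mepManagedEntry
objectClass: ipaAssociation
objectClass: top
cn: testing
memberHost: cn=testing,cn=hostgroups,cn=accounts,{SUFFIX}
description: ipaNetgroup testing
mepManagedBy: cn=testing,cn=hostgroups,cn=accounts,{SUFFIX}
ipaUniqueID: 9d0039ca-04b4-11e0-9494-8a3d259cb0b9
"""
SAMPLE_DELETED_SEARCH = f"""# extended LDIF
search: 2
result: 32 No such object
matchedDN: cn=ng,cn=alt,{SUFFIX}
"""

if __name__ == "__main__":
    print(managed_entry_config_ldif())
    print(toggle_ldif(enable=False))
    print("step 5 problems:", check_managed_netgroup(SAMPLE_NETGROUP_LDIF, "testing"))
    print("step 7 gone:", is_no_such_object(SAMPLE_DELETED_SEARCH))
```

The checker deliberately tests the link in both directions (memberHost on the netgroup and mepManagedBy back to the hostgroup), because a netgroup that merely exists under cn=ng,cn=alt but lacks mepManagedBy would not be protected by the "Deleting a managed entry is not allowed" refusal seen in the netgroup-del test above.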
commit 13139f2
Author: Jr Aquino jr.aquino@citrix.com
Date: Fri Dec 10 15:21:39 2010 -0800
managed entry hostgroup netgroup support https://fedorahosted.org/freeipa/ticket/543
Use "IPA" component instead of "Other".
Metadata Update from @dpal:
- Issue assigned to jraquino
- Issue set to the milestone: FreeIPA 2.0 - 2010/12 (FC)