Issue #3007: ipa winsync should work with the new 389 posix-winsync plugin - freeipa

freeipa

#3007 ipa winsync should work with the new 389 posix-winsync plugin

Closed: Fixed None Opened 11 years ago by rmeggins.

389 1.2.11.11 adds support for syncing posix attributes in a new posix winsync plugin. In order for this plugin to work in conjunction with the ipa winsync plugin, the ipa winsync plugin will have to first check to see if the incoming user entry already has the posix attributes, and not add them if so. The 389 winsync v3 api adds a precedence callback - this works exactly the same way as the regular slapi plugin precedence (i.e. a lower precedence means it is called earlier). The ipa winsync plugin should use this callback to guarantee a higher precedence than the 389 posix winsync plugin precedence.

rcritten commented 11 years ago

I'm not 100% sure I understand what I need to do here.

I need to configure the ipa_syncsync plugin with a higher precedence. Is that done with nsslapd-pluginPrecedence in cn=config or somewhere else?

If I the DS winsync plugin runs first and I find that the posix attributes aren't set, do I need to do anything? I would assume that if the DS winsync plugin failed to add posix, what chance do I have?

dpal commented 11 years ago

AFAIU the ipa plugin is run after the DS plugin so IPA plugin should just accept the values that are passed from the DS to it instead of generating new ones. Something like this. Please check with Rich.

rmeggins commented 11 years ago

Replying to [comment:2 rcritten]:

I'm not 100% sure I understand what I need to do here.

I need to configure the ipa_syncsync plugin with a higher precedence. Is that done with nsslapd-pluginPrecedence in cn=config or somewhere else?

Yes, but unfortunately it's not that simple, because winsync plugins can't directly use the regular slapi plugin precedence mechanism.

make sure the ipa winsync plugin config LDIF has nsslapd-pluginPrecedence set to greater than 50
in your plugin init function, grab the nsslapd-pluginPrecedence value from the config entry and set it in some static variable somewhere
use the new winsync api v3 callback WINSYNC_PLUGIN_PRECEDENCE_CB to return this saved precedence value

If I the DS winsync plugin runs first and I find that the posix attributes aren't set, do I need to do anything? I would assume that if the DS winsync plugin failed to add posix, what chance do I have?

The ipa winsync plugin should not have to change very much. It just needs to add any missing posix attributes. So probably the only change will be to check to see if the posix attributes are already present in the entry and skip them if so.

rcritten commented 11 years ago

I just wonder what cases would the winsync plugin not add posix attributes that the IPA plugin would need to. Is it safe to assume that I just need to make sure we're called last?

I guess how hard to we want to support POSIX attrs from Windows in IPA? We have a ticket for that, #2133, deferred.

rmeggins commented 11 years ago

Replying to [comment:6 rcritten]:

I just wonder what cases would the winsync plugin not add posix attributes that the IPA plugin would need to.

For example, if there are no POSIX attributes in Windows, then IPA would need to add them just as it does now. The POSIX schema support in AD is optional and some sites may not use it at all.