Project

General

Profile

Actions

User story #2213

closed

PT distributePolicy: LDAP password synchronization

Added by Matthieu CERDA almost 13 years ago. Updated almost 10 years ago.

Status:
Released
Priority:
2
Assignee:
Matthieu CERDA
Category:
Techniques
Target version:
UX impact:
Suggestion strength:
User visibility:
Effort required:
Name check:
Fix check:
Regression:

Description

PT distributePolicy: LDAP password synchronization


Related issues 1 (0 open1 closed)

Blocked by Rudder - User story #856: Make promises in order to assure that Rudder services are still runningReleasedMatthieu CERDA2011-02-16Actions
Actions #1

Updated by Matthieu CERDA almost 13 years ago

  • Status changed from In progress to Pending technical review
  • % Done changed from 0 to 100

Applied in changeset commit:dfbc43eb61e2af8cb9a1d7d99e9119a7510436cc.

Actions #2

Updated by Jonathan CLARKE almost 13 years ago

  • Status changed from Pending technical review to 2
  • % Done changed from 100 to 90
This it's looking good. Just two comments that need addressing:
  • Your use of result classes (from classes if_else and kept_if_else) is dangerous. Classes defined this way are global, but your bundle is re used, so several executions will cause interference! You should parameter the class names with something like canonify process name.
  • 644 id not a secure permission for files containing passwords. Please use 600 or 640 instead.
Actions #3

Updated by Matthieu CERDA almost 13 years ago

  • Status changed from 2 to Discussion

Well, I do not see where an interference might be possible, I am only injecting the same variables the restart bundle uses with another parameter forcing the restart, could you please describe a complete use case ?

About the permissions, I totally agree but I copied the permissions that are already in place afterthe installation. I am afraid to break Rudder with access denied/permissions errors with Apache, slapd ...

Actions #4

Updated by Jonathan CLARKE almost 13 years ago

Matthieu CERDA wrote:

Well, I do not see where an interference might be possible, I am only injecting the same variables the restart bundle uses with another parameter forcing the restart, could you please describe a complete use case ?

Sure. This is not related to variables, but to classes. In each CFEngine run, you call the generic_process_check_process bundle 4 times (once for slapd, once for jetty, etc). Each time, the bundle checks a process, and may try and restart it. It then sets one of the classes process_restart_ok or process_restart_error, which is then used for reporting in that same bundle. Classes defined as the result of a promise, like these ones (from a classes body), are global.

This means that the first time you call the bundle, for slapd, if there is an error restarting the process, the class "process_restart_error" will be defined, and reporting will say "result_error...etc...The slapd process couldn't be restarted". However, when the bundle is next called, for jetty, this class will still be defined, causing the reporting to say "result_error...etc...The jetty process couldn't be restarted", even if the jetty process is fine and other reports for it are printed. And so on...

About the permissions, I totally agree but I copied the permissions that are already in place afterthe installation. I am afraid to break Rudder with access denied/permissions errors with Apache, slapd ...

I understand. But if this is the case, it should be considered a bug! Now is the time to find out, while 2.4 is still in alpha stage. Please test with 600.

Actions #5

Updated by Matthieu CERDA almost 13 years ago

  • Estimated time set to 0.75 h
Actions #6

Updated by Matthieu CERDA almost 13 years ago

About the permissions, please see #2211, I proposed a solution.

About the restart classes, I'm OK with that. I will address this as soon as a compromise is found about file permissions.

Actions #7

Updated by Matthieu CERDA almost 13 years ago

  • Status changed from Discussion to Pending technical review
  • % Done changed from 90 to 100

Applied in changeset commit:a9715466d26a03faadd9f93eebbe214d6b2286a8.

Actions #8

Updated by Jonathan CLARKE almost 13 years ago

  • Status changed from Pending technical review to 10

This looks great.

Actions #9

Updated by Jonathan CLARKE almost 13 years ago

  • Status changed from 10 to Released
Actions #10

Updated by Benoît PECCATTE almost 10 years ago

  • Project changed from 24 to Rudder
  • Category changed from Policy Templates to Techniques
Actions

Also available in: Atom PDF