Closed (fixed)
Project:
Lightweight Directory Access Protocol
Version:
7.x-1.x-dev
Component:
Code
Priority:
Normal
Category:
Feature request
Assigned:
Reporter:
Created:
1 Jul 2011 at 16:14 UTC
Updated:
28 Jul 2011 at 19:01 UTC
Jump to comment: Most recent file
Comments
Comment #1
johnbarclay commentedThe first 2 are fine with me. The 3rd seems like overkill. This is definately a must since exportables used for automated builds.
The problem with the second option is the encryption data is also in the exportable data so it gives a false sense of security. Option 1 with a good warning message would be better to me than option 2, but either is fine.
Comment #2
justintime commentedThe problem with the second option is the encryption data is also in the exportable data so it gives a false sense of security.
The key isn't exported with the server by default. The encryption key is stored in a strongarm variable, and that's not included by default when you export a LDAP server. In my case, the key is in a separate feature from the server itself.
In the case of option 1, where would you put the warning? Just in the documentation?
I'm attaching a patch that does #2, hooray for 1-line patches :) If you'd rather go the #1 route, let me know how you want to do it, and I'll whip that up.
Comment #3
johnbarclay commentedI applied this. Its in head. Thanks.
Comment #4
justintime commentedSo, it turns out that patch doesn't work well in most situations. Usually, someone using features doesn't actually have variables set in the DB, they're set with strongarm.
Well, in the case of hook_schema(), when variable_get() is called, strongarm hasn't loaded yet -- it loads via hook_init(). So, if you manually set the variable so it's present in the db, this patch works correctly. However, in most features-based deployements, this won't be the case.
I'm attaching a patch that just makes it exportable by default.
Comment #5
johnbarclay commentedI applied the patch and pushed out to head. thanks.
Another workable approach is to actually have 2 fields: bindpw and bindpw_ecrypted and only make the second exportable. Maybe in 7.x-2.x this could be the way to go. It would also simplify some code.
Comment #6
justintime commentedI agree on the 2 fields approach - it would make things much easier.