[Freeipa-devel] WIP: ipa trust command
Alexander Bokovoy
abokovoy at redhat.com
Mon Dec 12 20:27:48 UTC 2011
On Mon, 12 Dec 2011, Sumit Bose wrote:
> > --password <Value> [type-specific parameters]
> >
> > Creates a trust between FreeIPA realm and another realm of selected
> > type. Only 'ads' type is currently supported.
> >
> > For 'ads' type running `ipa trust-add' would be equivalent to
> > the following sequence:
> > * ipa-adtrust-install
> > * net rpc trust create
>
> As Simo already mentioned these should be two separate steps and `ipa
> trust-add' should just check if the needed components to create AD
> trusts are already installed on the IPA server.
See my answer to Simo, I think we can substantially improve this
situation.
> Additionally I think we need some commands to define a UID range for the
> trusted domains, especially for AD trusts. For the domain given with the
> `ipa trust-add' command we could just use another command line option.
> But if this domain already has trusts to other domains it will become
> difficult to handle this with options to `ipa trust-add'. So I would
> suggest to add a new command to the `ipa trust' family which can set UID
> ranges for domains before the trust is created. If the trust is already
> created we may still allow changing the range but with a strong warning
> that existing UIDs and GIDs will change.
Ok, this would qualify for ipa trust-add options for UID/GID ranges
and would also warrant addition of ipa trust-mod that Rob has proposed.
What else except UID/GID ranges could be modified?
--
/ Alexander Bokovoy