[Freeipa-devel] [PATCH] 18 Add external domain extop DS plugin

Alexander Bokovoy abokovoy at redhat.com
Mon Jun 11 14:46:17 UTC 2012


On Thu, 07 Jun 2012, Sumit Bose wrote:
>On Fri, Mar 23, 2012 at 01:52:34PM +0100, Sumit Bose wrote:
>> Hi,
>>
>> these two patches introduce a new extended operation to the IPA server
>> which can be used by clients in the IPA domain to obtain information
>> about users and groups from trusted domains. Currently this exop is used
>> by the sssd sub-domain patch to map user names from a trusted AD domain
>> to a SID and back. There is also some code for other kinds of requests
>> which might become useful in the future, e.g. with a trusted IPA domain.
>>
>> I added some unit tests and added a check for the check unit test framework
>> for C (http://check.sourceforge.net/) which is used by sssd as well. I
>> modified the spec file so that the test is run during the build of the
>> packages. I hope this is ok.
>>
>> The patches depend on the idmap library patch which was ACKed recently
>> on sssd-devel and as mentioned before the sub-domain patches on
>> sssd-devel can only be fully tested with an IPA server which has these
>> patches applied.
>>
>> Since Alexander is currently rewriting parts of the ipa-adtrust-install
>> utility I stand back from adding activation code for the exop to
>> ipa-adtrust-install and will send a patch when Alexander's changes are
>> available. So currently extdom-extop-conf.ldif has to be loaded manually
>> after replacing $SUFFIX to activate the new exop.
>>
>> bye,
>> Sumit
>
>Please find a rebased version of the patches which work on top of
>Alexander's latest series of patches. The patches now also contain the
>loading of extdom-extop-conf.ldif and the activation of winbind.
Thanks for the rebase.

A few comments.

1. The extdom plugin should support IDMAP_BOTH. We do provide user private
groups so in our case it should be viewed as the preferred output. Thus you
would need to add a new response type to cover this case.

2. I have tried to look at the plugin description from the point of view of
a system administrator and I failed to understand what it does:
>+#define IPA_EXTDOM_PLUGIN_NAME   "ipa-extdom-extop"
>+#define IPA_EXTDOM_FEATURE_DESC  "IPA EXTDOM ID mapper"
>+#define IPA_EXTDOM_PLUGIN_DESC   "IPA EXTDOM ID mapper Extended Operation plugin"

In the ipa-extdom-extop-conf.ldif you have the following description:
>+nsslapd-plugindescription: Support resolving IDs in trusted domains to names and back
Probably it is better to reuse the same description in IPA_EXTDOM_PLUGIN_DESC?

This is a minor point, but EXTDOM itself is vague. Maybe we should be more clear
and call it 'IPA trusted domain ID mapper', as it really limits itself to
only trusted domains? We don't dispatch the winbind request if the domain is
not found in our list of trusted domains.

3. Could you please define the OID in ipa_extdom.h so that it could be
useful for client code as well?
>+#define EXOP_EXTDOM_OID "2.16.840.1.113730.3.8.10.4"

4. Do we have the 'check' tool in RHEL6?
-- 
/ Alexander Bokovoy