[Freeipa-devel] [PATCH] External group membership for trusted domains
Alexander Bokovoy
abokovoy at redhat.com
Mon Jun 25 12:11:18 UTC 2012
On Mon, 25 Jun 2012, Sumit Bose wrote:
>Hi Alexander,
>
>On Thu, Jun 21, 2012 at 06:26:02PM +0300, Alexander Bokovoy wrote:
>> Hi!
>>
>> Attached is the patch to support external group membership for trusted
>> domains. This is needed to get proper group membership with the work
>> Sumit and Jan are doing on both IPA and SSSD sides.
>>
>> We already have ipaExternalGroup class that includes ipaExternalMember
>> attribute (multivalued case-insensitive string). The group that has
>> ipaExternalGroup object class will have to be non-POSIX and
>> ipaExternalMember
>> attribute will contain security identifiers (SIDs) of members from
>> trusted domains.
>>
>> The patch takes care of three things:
>> 1. Extends 'ipa group-add' with --external option to add
>> ipaExternalGroup object class to a new group
>> 2. Modifies 'ipa group-add-member' to accept --external CSV argument
>> to specify SIDs
>> 3. Modifies 'ipa group-del-member' to allow removing external members.
>
>thank you for the patch, it works as expected, but I have a few
>comments:
>
>- there is a trailing whitespace at the end of the "This means we can't
> check the correctness of a trusted domain SIDs" line
Will fix.
>- when using ipa group-add-member with --external there are still prompts
> for [member user] and [member group], can those be suppressed?
No, because you can add all of them to the group at the same time. An
example in the ticket showed that it is a supported configuration.
>- with ipa group-mod --posix it is possible to add the posixGroup
> objectclass together with a GID to the external group object. This
> should result in an error and also the other way round, adding
> --external to POSIX groups.
Will add that, thanks.
--
/ Alexander Bokovoy