[Freeipa-devel] [PATCH 0030] Add option to specify SID using domain name to idrange-add/mod
Petr Vobornik
pvoborni at redhat.com
Tue Feb 12 17:58:49 UTC 2013
On 02/04/2013 05:23 PM, Tomas Babej wrote:
> Hi,
>
> When adding/modifying an ID range for a trusted domain, the newly
> added option --dom-name can be used. This looks up the SID of the
> trusted domain in LDAP and therefore the user is not required
> to write it down in CLI. If the lookup fails, an error message
> asking the user to specify the SID manually is shown.
>
> https://fedorahosted.org/freeipa/ticket/3133
>
> Tomas
>
>
Just wondering: How bad would it be to not introduce a new virtual
attribute and just use the ipanttrusteddomainsid? On add and mod (when
ipanttrusteddomainsid is set) we would check if ipanttrusteddomainsid is
a SID. If not, it would be treated as a domain name and the
get_trusted_domain_sid_from_name method will be used to get the SID.

I'm asking because I don't really like virtual and standard attributes
for the same LDAP attribute in a mod command. In the Web UI details page we
have to display only one field - ipanttrusteddomainsid.

So we are left with options:
1) do not use this feature for mod operations in Web UI
2) enter domain name in ipanttrusteddomainsid field, implement the
aforementioned check in Web UI and fill the correct option in RPC request
3) add a special action into the action list which will open a new dialog,
user will enter domain name, mod command with ipanttrusteddomainname set
will be executed on confirmation
4) some other method

I don't really like any of the options. If a SID check is an easy
operation, we can go with #2, but I would still rather see this logic in
the server plugin.
--
Petr Vobornik
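
The "is it a SID, otherwise treat it as a domain name" check discussed in this message, as an added example that is not part of the patch or of FreeIPA's code. `lookup_sid_by_name` is a hypothetical stand-in for the get_trusted_domain_sid_from_name method named above, and the trust data is constructed.

```python
import re

# Textual SID: S-<revision>-<identifier authority>[-<sub-authority>...]
_SID_RE = re.compile(
    r"S-(\d{1,3})-(0x[0-9A-Fa-f]{1,12}|\d{1,15})((?:-\d{1,10})*)")

class RangeInputError(ValueError):
    """Input is neither a usable domain SID nor a resolvable domain name."""

def parse_sid(value):
    """Return (authority, sub_authorities) for a well-formed SID, else None."""
    m = _SID_RE.fullmatch(value)
    if m is None:
        return None
    auth_text = m.group(2)
    authority = int(auth_text, 16 if auth_text.startswith("0x") else 10)
    subs = [int(s) for s in m.group(3).split("-")[1:]]
    if int(m.group(1)) != 1 or authority >= 2 ** 48:
        return None
    if len(subs) > 15 or any(s > 0xFFFFFFFF for s in subs):
        return None
    return authority, subs

def is_domain_sid(value):
    """True for an AD domain SID: S-1-5-21 plus three sub-authorities."""
    parsed = parse_sid(value)
    return (parsed is not None and parsed[0] == 5
            and len(parsed[1]) == 4 and parsed[1][0] == 21)

def resolve_range_sid(value, lookup_sid_by_name):
    """Accept a SID or a trusted domain name in one field; return the SID."""
    value = value.strip()
    if is_domain_sid(value):
        return value
    if re.match(r"S-\d", value):
        # Looks like a SID but is malformed or not a domain SID:
        # reject it instead of falling back to a name lookup.
        raise RangeInputError("not a valid domain SID: %r" % value)
    sid = lookup_sid_by_name(value)
    if sid is None or not is_domain_sid(sid):
        raise RangeInputError(
            "no SID found for domain %r; specify the SID manually" % value)
    return sid

# Constructed sample data standing in for trusted domain entries in LDAP.
SAMPLE_TRUSTS = {"ad.example.test": "S-1-5-21-1111111111-2222222222-3333333333"}

def sample_lookup(name):
    return SAMPLE_TRUSTS.get(name.lower())
```

Running the check on the server side keeps the CLI and the Web UI from each carrying their own copy of the SID syntax rules.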