[Freeipa-devel] DESIGN: Recover DNA Ranges

Sumit Bose sbose at redhat.com
Wed Feb 27 20:17:49 UTC 2013 

On Wed, Feb 27, 2013 at 03:00:10PM -0500, Rob Crittenden wrote:
> Sumit Bose wrote:
> >On Wed, Feb 27, 2013 at 02:03:24PM -0500, Rob Crittenden wrote:
> >>Sumit Bose wrote:
> >>>But it looks like dnarange-set and dnanextrange-set can also be used to
> >>>not only move existing DNA ranges but to create new DNA ranges which
> >>>will lead to ID which are not in the idrange of the IPA domain but might
> >>>be in an idrange which is used by a trusted domain. So I think a check
> >>>and a warning are desirable.
> >>
> >>That is an excellent point. I've updated the design.
> >
> >Thank you. I would like to suggest a slight edit. Instead of
> >
> >"That doesn't remove our responsibility to not test for overlaps in the
> >idranges though. We will need to verify that the manual configuration
> >changes do not overlap with all ranges in cn=ranges,cn=etc,$SUFFIX."
> >
> >I would say
> >
> >"That doesn't remove our responsibility to not test for overlaps in the
> >idranges though. We will need to verify that the manual configuration
> >changes do
> >* not overlap with ranges from trusted domains
> >   (objectclass=ipatrustedaddomainrange) in cn=ranges,cn=etc,$SUFFIX, or
> >   reject the change otherwise.
> >* overlap completely with ranges from the local IPA domain
> >   (objectclass=ipaDomainIDRange) in cn=ranges,cn=etc,$SUFFIX, or give a
> >   warning otherwise which asks the user to add a new suitable idrange."
> >
> >Codewise the logic could be:
> >- check if the new range is a subset of a local idrange, if yes, all is
> >   fine
> >- if not, check if it overlaps with an idrange of a trusted domain, if
> >   yes, reject
> >- if not, give a warning and ask to add a new idrange for the local
> >   domain
> 
> I took this almost verbatim but I'm more harsh. If the range is
> outside the local range and not overlapping anything I will still
> reject it. If we're going to go through the trouble of keeping them
> in sync we should be consistent.

even better, thank you.

bye,
Sumit

> 
> thanks
> 
> rob
>

More information about the Freeipa-devel mailing list