[Freeipa-devel] [PATCH] 0109-0110 Support querying AD DC when establishing trust as HTTP/ipa.server principal

Simo Sorce simo at redhat.com
Tue Jul 23 14:31:58 UTC 2013


On Tue, 2013-07-23 at 16:11 +0300, Alexander Bokovoy wrote:
> On Tue, 23 Jul 2013, Simo Sorce wrote:
> >On Thu, 2013-07-18 at 18:37 +0300, Alexander Bokovoy wrote:
> >> Hi!
> >>
> >> Attached patches make it possible to use HTTP/ipa.server at REALM to query AD
> >> DC over LDAP immediately after trust is established. We need this to get
> >> range discovery working prior to creating a range for the trusted domain.
> >>
> >> The patch 0109 caches the KDC hostname on the ipadb context to avoid
> >> resolving our own hostname multiple times.
> >>
> >> The patch 0110 depends on ulc_casemap patches by Nathaniel and makes an
> >> exception for HTTP/ipa.server at REALM when a TGT is requested and an MS-PAC is
> >> asked for -- we force a refresh of the list of trusted domains here.
> >>
> >> More details are available in the commit logs.
> >
> >I do not think that changing reinit interval is the right thing to do.
> >
> >I would rather pass a boolean that tells reinit to check if we have any
> >trust info, and if not unconditionally try to reinit immediately.
> >
> >I see that you treat the interval sort of like a boolean but then you
> >just race hoping the previous reload w/o trust info happened more than 1
> >second earlier.
> >
> >I think an explicit "bool force_reload" flag would be much clearer.
> >
> >Otherwise ack.
> Attached is the modified patch that uses 'bool force_reinit' (as the function is
> called ipadb_reinit_mspac).
> 
> I tested it together with Tomas's updated patch 0076, which relies on these
> patches, so I'm going to commit the whole set together.

LGTM, please proceed.

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York
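The review point above is about two ways of triggering a reload of cached trusted-domain (MS-PAC) data: shrinking the periodic reinit interval to one second, which still skips the reload if the previous trust-less load happened within that same second, versus an explicit force flag that reloads unconditionally whenever no trust information is cached. The following is an added illustrative model of that difference, written for this page; it is not FreeIPA's ipadb code, and the struct, the `load_trusts` stand-in for the LDAP lookup, the 60-second `REINIT_INTERVAL` and the function names are assumptions chosen for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <time.h>

/* Assumed model of the cached trust state (not the real ipadb context). */
struct trust_cache {
    time_t last_reinit;   /* time of the last reload attempt */
    bool   has_trusts;    /* did the last reload find any trusted domains? */
    int    reload_count;  /* how many times the backend was actually queried */
};

#define REINIT_INTERVAL 60  /* seconds between periodic reloads (assumed value) */

/* Stand-in for the LDAP lookup of trusted domains. The number of trusts the
 * directory "currently holds" is passed in so the example runs offline. */
static void load_trusts(struct trust_cache *c, time_t now, int trusts_in_ldap)
{
    c->last_reinit = now;
    c->has_trusts = trusts_in_ldap > 0;
    c->reload_count++;
}

/* Variant A (the approach objected to): a caller wanting an immediate refresh
 * passes a 1-second interval. If the previous reload happened less than
 * `interval` seconds ago, the refresh is silently skipped and the caller keeps
 * working with stale, trust-less data. Returns true if a reload happened. */
bool reinit_by_interval(struct trust_cache *c, time_t now, time_t interval,
                        int trusts_in_ldap)
{
    if (now - c->last_reinit < interval)
        return false;
    load_trusts(c, now, trusts_in_ldap);
    return true;
}

/* Variant B (the explicit flag): a forced reinit reloads unconditionally when
 * the cache holds no trust information; once trusts are cached, the normal
 * interval applies again so forced callers cannot hammer the directory. */
bool reinit_mspac_forced(struct trust_cache *c, time_t now, bool force_reinit,
                         int trusts_in_ldap)
{
    if (force_reinit && !c->has_trusts) {
        load_trusts(c, now, trusts_in_ldap);
        return true;
    }
    if (now - c->last_reinit < REINIT_INTERVAL)
        return false;
    load_trusts(c, now, trusts_in_ldap);
    return true;
}

/* Constructed scenario: a periodic reload at t=1000 found no trusts, a trust
 * is then established, and the HTTP principal asks for a PAC in that same
 * second. With the interval trick the reload is skipped and the new trust is
 * invisible; returns true when that race is observed. */
bool scenario_interval_races(void)
{
    struct trust_cache c = {0};
    load_trusts(&c, 1000, 0);                      /* periodic reload, no trust yet */
    bool reloaded = reinit_by_interval(&c, 1000, 1, 1);
    return !reloaded && !c.has_trusts;
}

/* Same scenario with the force flag: the empty cache is refilled immediately. */
bool scenario_force_flag_works(void)
{
    struct trust_cache c = {0};
    load_trusts(&c, 1000, 0);
    bool reloaded = reinit_mspac_forced(&c, 1000, true, 1);
    return reloaded && c.has_trusts;
}

/* Once trust info is cached, force no longer bypasses the interval. */
bool scenario_force_respects_interval_once_populated(void)
{
    struct trust_cache c = {0};
    load_trusts(&c, 1000, 1);
    bool reloaded = reinit_mspac_forced(&c, 1010, true, 1);
    return !reloaded && c.reload_count == 1;
}
```

The point of the flag in this model is that the decision to bypass throttling is tied to observable state ("we have no trust info") rather than to wall-clock luck, while still keeping the periodic reload rate-limited for the common case where trusts are already known.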



