[Freeipa-devel] [PATCH 0030] Require rid-base and secondary-rid-base options in idrange-add when trust exists

Martin Kosek mkosek at redhat.com
Tue Jun 11 16:03:38 UTC 2013


On 06/11/2013 04:09 PM, Ana Krivokapic wrote:
> On 06/06/2013 04:04 PM, Tomas Babej wrote:
>> On 05/31/2013 07:35 PM, Ana Krivokapic wrote:
>>> On 05/28/2013 04:49 PM, Ana Krivokapic wrote:
>>>> Hello,
>>>>
>>>> This patch addresses https://fedorahosted.org/freeipa/ticket/3634
>>>>
>>>> _______________________________________________
>>>> Freeipa-devel mailing list
>>>> Freeipa-devel at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>
>>> This updated patch applies on top of tbabej's patches 0053-0055.
>>>
>>> As suggested by Tomáš
>>> (https://www.redhat.com/archives/freeipa-devel/2013-May/msg00352.html), I
>>> refactored support of "mock" LDAP objects to tests/util, and modified
>>> test_range_plugin and test_cli to use it.
>>> -- 
>>> Regards,
>>>
>>> Ana Krivokapic
>>> Associate Software Engineer
>>> FreeIPA team
>>> Red Hat Inc.
>>>
>>>
>> I looked thoroughly at the issue here.
>>
>> The ticket is a little bit confusing about that, but you need to require
>> primary/secondary rid base for the range after ipa-adtrust-install has been run.
>>
>> Currently, the way your patch works, the bases are required only if at least
>> one trust exists.
>>
>> [root at vm-002 labtool]# ipa-adtrust-install
>>
>> The log file for this installation can be found in /var/log/ipaserver-install.log
>> [snip]
>> Setup complete
>> [snip]
>>
>> [root at vm-002 labtool]# ipa idrange-add local
>> First Posix ID of the range: 10
>> Number of IDs in the range: 20
>> ----------------------
>> Added ID range "local"
>> ----------------------
>>   Range name: local
>>   First Posix ID of the range: 10
>>   Number of IDs in the range: 20
>>   Range type: local domain range
>>
>> After adding the trust, everything works ok:
>>
>> [root at vm-002 labtool]# ipa trust-find
>> ---------------
>> 1 trust matched
>> ---------------
>>   Realm name: test
>>   Domain NetBIOS name: TEST
>>   Domain Security Identifier: S-1-5-21-259319770-2312917334-591429603
>>   Trust type: Active Directory domain
>>
>> [root at vm-002 labtool]# ipa idrange-add local
>> First Posix ID of the range: 10
>> Number of IDs in the range: 10
>> First RID of the corresponding RID range: 10
>> First RID of the secondary RID range: 20
>> ----------------------
>> Added ID range "local"
>> ----------------------
>>   Range name: local
>>   First Posix ID of the range: 10
>>   Number of IDs in the range: 10
>>   First RID of the corresponding RID range: 10
>>   First RID of the secondary RID range: 20
>>   Range type: local domain range
>>
>> We should require the primary/secondary rid base after ipa-adtrust-install
>> has been run even if no trust is established.
>>
>> Tomas
> 
> This patch introduces a new command which can be used to determine if
> ipa-adtrust-install has been run on the system.
> 
> Tests have been amended accordingly.
> 
> This patch applies on top of tbabej's patches 70 & 71.

Just 2 quick notes:

1) I would like the commands to be consistent with other similar commands like
"dns_is_enabled". This would lead to "adtrust_is_enabled".

2) Is the ldapsearch used really the best way to find out if Trust is
configured on a given master? Isn't a search in cn=masters,cn=ipa,... better?
Alexander?

Martin
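The rule the thread converges on (RID bases required as soon as ipa-adtrust-install has run, not only once a trust exists, with the check done against the service entry under cn=masters rather than an ad-hoc ldapsearch) as an added, self-contained example. This is not FreeIPA's code or the patch under review: the mock directory, the ADTRUST service DN, the trust container DN, the objectclass names and the stored attribute names are assumptions made for the example, and the constructed entries stand in for a real server.

```python
from typing import Dict, List, Optional

# Constructed values for the example: base suffix, master hostname, and the
# DN layout assumed for the ADTRUST service entry and the trust container.
SUFFIX = "dc=example,dc=test"
MASTER = "ipa.example.test"
ADTRUST_SERVICE_DN = f"cn=ADTRUST,cn={MASTER},cn=masters,cn=ipa,cn=etc,{SUFFIX}"
TRUST_CONTAINER_DN = f"cn=ad,cn=trusts,{SUFFIX}"


class ValidationError(ValueError):
    """Raised when idrange-add options are inconsistent (hypothetical error type)."""


class MockLDAP:
    """Toy directory modelled on the thread's "mock" LDAP objects: a dict of
    DN -> attributes, so the checks run without a server."""

    def __init__(self, entries: Dict[str, Dict[str, List[str]]]):
        self.entries = {dn.lower(): attrs for dn, attrs in entries.items()}

    def entry_exists(self, dn: str) -> bool:
        return dn.lower() in self.entries

    def find_entries(self, base_dn: str, objectclass: str) -> List[str]:
        """DNs strictly below base_dn carrying objectclass (case-insensitive)."""
        suffix = "," + base_dn.lower()
        return [dn for dn, attrs in self.entries.items()
                if dn.endswith(suffix)
                and objectclass.lower() in (oc.lower() for oc in attrs.get("objectclass", []))]


def adtrust_is_enabled(ldap: MockLDAP) -> bool:
    """Martin's suggested approach: look for the ADTRUST service entry under
    cn=masters instead of running an ad-hoc ldapsearch (DN is an assumption)."""
    return ldap.entry_exists(ADTRUST_SERVICE_DN)


def trust_count(ldap: MockLDAP) -> int:
    """Number of established trusts (container DN and objectclass assumed)."""
    return len(ldap.find_entries(TRUST_CONTAINER_DN, "ipaNTTrustedDomain"))


def rid_bases_required_trust_only(ldap: MockLDAP) -> bool:
    """Behaviour Tomas objected to: bases required only once a trust exists."""
    return trust_count(ldap) > 0


def rid_bases_required(ldap: MockLDAP) -> bool:
    """Corrected rule: bases required as soon as ipa-adtrust-install has run."""
    return adtrust_is_enabled(ldap)


def validate_idrange_add(ldap: MockLDAP, base_id: int, range_size: int,
                         rid_base: Optional[int] = None,
                         secondary_rid_base: Optional[int] = None) -> Dict[str, int]:
    """Validate a local ID range and return the attributes that would be stored
    (attribute names are assumed, not taken from the thread)."""
    if range_size <= 0:
        raise ValidationError("range size must be positive")
    if rid_bases_required(ldap) and (rid_base is None or secondary_rid_base is None):
        raise ValidationError(
            "rid-base and secondary-rid-base are required: AD trust support is configured")
    if (rid_base is None) != (secondary_rid_base is None):
        raise ValidationError("rid-base and secondary-rid-base must be given together")
    attrs = {"ipabaseid": base_id, "ipaidrangesize": range_size}
    if rid_base is not None:
        # Primary and secondary RID ranges are each range_size wide; they must
        # not overlap, otherwise two POSIX IDs could map to the same SID.
        primary = range(rid_base, rid_base + range_size)
        secondary = range(secondary_rid_base, secondary_rid_base + range_size)
        if primary.start < secondary.stop and secondary.start < primary.stop:
            raise ValidationError("primary and secondary RID ranges overlap")
        attrs["ipabaserid"] = rid_base
        attrs["ipasecondarybaserid"] = secondary_rid_base
    return attrs


if __name__ == "__main__":
    # Directory state right after ipa-adtrust-install, before any trust-add.
    after_install = MockLDAP({ADTRUST_SERVICE_DN: {"objectclass": ["ipaConfigObject"]}})
    print("trust-only rule requires bases:", rid_bases_required_trust_only(after_install))
    print("corrected rule requires bases:", rid_bases_required(after_install))
    print(validate_idrange_add(after_install, 10, 10, rid_base=10, secondary_rid_base=20))
```

With the constructed "after install, no trust" directory, the trust-only rule lets `idrange-add local` through without RID bases (the first transcript in the thread), while the corrected rule rejects it; the second transcript's values (base 10, size 10, RID bases 10 and 20) pass because the two RID ranges 10..19 and 20..29 do not overlap.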