[Freeipa-devel] [PATCH 0030] Require rid-base and secondary-rid-base options in idrange-add when trust exists

Martin Kosek mkosek at redhat.com
Tue Jun 11 16:34:40 UTC 2013


On 06/11/2013 06:24 PM, Alexander Bokovoy wrote:
> On Tue, 11 Jun 2013, Martin Kosek wrote:
>>> This patch introduces a new command which can be used to determine if
>>> ipa-adtrust-install has been run on the system.
>>>
>>> Tests have been amended accordingly.
>>>
>>> This patch applies on top of tbabej's patches 70 & 71.
>>
>> Just 2 quick notes:
>>
>> 1) I would like the commands to be consistent with other similar commands like
>> "dns_is_enabled". This would lead to "adtrust_is_enabled".
> I agree. Ideally we could have defined is-enabled command that would
> have accepted a name and then checked if conditions were met to 'enable'
> that one, but we already have dns_is_enabled.

Right.

> 
> 
>> 2) Is the used ldapsearch really the best way to find out if Trust is
>> configured on a given master? Isn't a search in cn=masters,cn=ipa,... better?
>> Alexander?
> What would the search in cn=masters,cn=ipa,.. give?
> 
> We can have multiple CIFS services per realm. However, only those in
> 'adtrust agents' group are the ones which are real DCs. And since
> membership in the group is not handled via framework or UI, it is clear
> indication that ipa-adtrust-install was run.

It would say if there is an appropriate service configured by
ipa-adtrust-install. In this case,
"cn=ADTRUST,cn=FQDN,cn=masters,cn=ipa,cn=etc,SUFFIX". I am asking because this
is a standard way in FreeIPA to ask for configured services.

If that does not work for Trust, then your alternative way should be OK too.

Martin
