[Freeipa-devel] [PATCH 0157] Prohibit deletion of active subdomain range

Alexander Bokovoy abokovoy at redhat.com
Thu Mar 13 12:01:37 UTC 2014


On Thu, 13 Mar 2014, Martin Kosek wrote:
>On 03/13/2014 12:45 PM, Tomas Babej wrote:
>> Hi,
>>
>> Changes the code in the idrange_del method to not only check for
>> the root domains that match the SID in the IDRange, but for the
>> SIDs of subdomains of trusts as well.
>>
>> https://fedorahosted.org/freeipa/ticket/4247
>
>This is a very complicated validation procedure IMO. Lots of subcommands, lots of
>LDAP searches.
>
>Why can't we do just one LDAP search with
>- base api.env.container_trusts
>- scope SUB
>- filter (&(objectclass=ipaNTTrustedDomain)(ipanttrusteddomainsid=range_sid))
>
>When errors.NotFound is raised, we are OK. When it is not raised, we have a
>problem.
>
>Wouldn't it be simpler?

No. Please do not do optimization here. It is code that is called very
rarely, and expressiveness is more important here than optimizing access
to a couple of entries in LDAP.

-- 
/ Alexander Bokovoy
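
The single-search check proposed in the quoted message, sketched as an added example (not code from the patch or from FreeIPA) over an in-memory stand-in for the directory. The DNs, the SIDs, the nesting of the subdomain entry under its root domain, and the helper names are assumptions made for illustration; the one-level scope is included only to show what a root-only lookup would miss.

```python
# Added illustration; DNs and SIDs below are constructed sample data.
BASE = "cn=ad,cn=trusts,dc=example,dc=test"  # assumed stand-in for api.env.container_trusts
ROOT_DN = "cn=ad.test," + BASE
CHILD_DN = "cn=child.ad.test," + ROOT_DN
ENTRIES = {
    ROOT_DN: {"objectclass": ["ipaNTTrustedDomain"],
              "ipanttrusteddomainsid": ["S-1-5-21-1000-2000-3000"]},
    CHILD_DN: {"objectclass": ["ipaNTTrustedDomain"],
               "ipanttrusteddomainsid": ["S-1-5-21-4000-5000-6000"]},
}

def escape_filter_value(value):
    """Escape RFC 4515 special characters so a SID value cannot alter the filter."""
    out = []
    for ch in value:
        out.append("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch)
    return "".join(out)

def build_filter(range_sid):
    """The filter from the thread, as it would be sent to a real server."""
    return ("(&(objectclass=ipaNTTrustedDomain)(ipanttrusteddomainsid=%s))"
            % escape_filter_value(range_sid))

def in_scope(dn, base, scope):
    """Hypothetical helper: 'one' = direct children of base, 'sub' = whole subtree."""
    dn, base = dn.lower(), base.lower()
    if dn == base:
        return scope == "sub"
    if not dn.endswith("," + base):
        return False
    # Naive RDN count; good enough for the sample DNs, which contain no escaped commas.
    depth = dn[: -len(base) - 1].count(",")  # 0 for a direct child
    return scope == "sub" or depth == 0

def find_trusted_domains(entries, base, range_sid, scope="sub"):
    """Return DNs of ipaNTTrustedDomain entries in scope whose SID equals range_sid."""
    return [dn for dn, attrs in entries.items()
            if in_scope(dn, base, scope)
            and "ipanttrusteddomain" in [oc.lower() for oc in attrs["objectclass"]]
            and range_sid in attrs["ipanttrusteddomainsid"]]

def range_is_deletable(entries, base, range_sid, scope="sub"):
    """No matching entry (the NotFound case in the thread) means deletion is allowed."""
    return not find_trusted_domains(entries, base, range_sid, scope)
```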