[Freeipa-devel] [PATCH 0157] Prohibit deletion of active subdomain range

Martin Kosek mkosek at redhat.com
Thu Mar 13 12:06:12 UTC 2014


On 03/13/2014 01:01 PM, Alexander Bokovoy wrote:
> On Thu, 13 Mar 2014, Martin Kosek wrote:
>> On 03/13/2014 12:45 PM, Tomas Babej wrote:
>>> Hi,
>>>
>>> Changes the code in the idrange_del method to not only check for
>>> the root domains that match the SID in the IDRange, but for the
>>> SIDs of subdomains of trusts as well.
>>>
>>> https://fedorahosted.org/freeipa/ticket/4247
>>
>> This is a very complicated validation procedure IMO. Lots of subcommands, lots of
>> LDAP searches.
>>
>> Why can't we do just one LDAP search with
>> - base api.env.container_trusts
>> - scope SUB
>> - filter (&(objectclass=ipaNTTrustedDomain)(ipanttrusteddomainsid=range_sid))
>>
>> When errors.NotFound is raised, we are OK. When it is not raised, we have a
>> problem.
>>
>> Wouldn't it be simpler?
> 
> No. Please do not do optimization here. It is code that is called very
> rarely and expressiveness is more important here than optimizing access
> to a couple of entries in LDAP.
> 

I am not optimizing - I am actually making the validation much simpler. What is
more simple and straightforward?

A) One ldap.find_entries call
B) A loop, numerous subcommands and LDAP searches

Martin
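
The single subtree search proposed in this message, as an added example that is not part of the original thread and not FreeIPA's own code. It assumes an in-memory stand-in for the directory; the DNs, SIDs, `RangeInUse` and the simplified `find_entries` helper are constructed for illustration.

```python
# Added example. ENTRIES is a constructed stand-in for the trusts subtree;
# DNs, SIDs and helper names are hypothetical, and no LDAP server is contacted.
class NotFound(Exception):
    """Stand-in for errors.NotFound."""

class RangeInUse(Exception):
    """Hypothetical error for a range whose SID still belongs to a trust."""

TRUSTS_BASE = "cn=ad,cn=trusts,dc=example,dc=test"  # assumed trust container DN
ROOT_SID = "S-1-5-21-1111-2222-3333"   # constructed: root trusted domain
CHILD_SID = "S-1-5-21-4444-5555-6666"  # constructed: subdomain of that trust
ENTRIES = {
    "cn=ad.test," + TRUSTS_BASE: {
        "objectclass": ["ipaNTTrustedDomain"],
        "ipanttrusteddomainsid": [ROOT_SID]},
    "cn=child.ad.test,cn=ad.test," + TRUSTS_BASE: {
        "objectclass": ["ipaNTTrustedDomain"],
        "ipanttrusteddomainsid": [CHILD_SID]},
}

def find_entries(base, scope, want):
    """AND of equality matches below base; scope is 'one' or 'sub'."""
    hits = []
    for dn, attrs in ENTRIES.items():
        if not dn.lower().endswith("," + base.lower()):
            continue
        depth = dn[:-len(base) - 1].count(",") + 1  # RDNs between entry and base
        if scope == "one" and depth != 1:
            continue
        if all(val.lower() in (v.lower() for v in attrs.get(attr, []))
               for attr, val in want.items()):
            hits.append(dn)
    if not hits:
        raise NotFound(base)
    return hits

def check_idrange_del(range_sid):
    """Return True when no trusted domain or subdomain carries range_sid."""
    try:
        hits = find_entries(TRUSTS_BASE, "sub", {
            "objectclass": "ipaNTTrustedDomain",
            "ipanttrusteddomainsid": range_sid})
    except NotFound:
        return True  # nothing references the SID, deletion may proceed
    raise RangeInUse("range SID still used by: " + ", ".join(hits))

if __name__ == "__main__":
    for sid in (ROOT_SID, CHILD_SID, "S-1-5-21-9-9-9"):
        try:
            print(sid, "deletable:", check_idrange_del(sid))
        except RangeInUse as err:
            print(sid, "refused:", err)
```

With scope `one` the subdomain entry is not reached, which is why the proposal specifies scope SUB.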



