[Freeipa-devel] [PATCH 0157] Prohibit deletion of active subdomain range

Alexander Bokovoy abokovoy at redhat.com
Thu Mar 13 12:10:57 UTC 2014


On Thu, 13 Mar 2014, Martin Kosek wrote:
>On 03/13/2014 01:01 PM, Alexander Bokovoy wrote:
>> On Thu, 13 Mar 2014, Martin Kosek wrote:
>>> On 03/13/2014 12:45 PM, Tomas Babej wrote:
>>>> Hi,
>>>>
>>>> Changes the code in the idrange_del method to not only check for
>>>> the root domains that match the SID in the IDRange, but for the
>>>> SIDs of subdomains of trusts as well.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/4247
>>>
>>> This is a very complicated validation procedure IMO. Lots of subcommands, lots of
>>> LDAP searches.
>>>
>>> Why can't we do just one LDAP search with
>>> - base api.env.container_trusts
>>> - scope SUB
>>> - filter (&(objectclass=ipaNTTrustedDomain)(ipanttrusteddomainsid=range_sid))
>>>
>>> When errors.NotFound is raised, we are OK. When it is not raised, we have a
>>> problem.
>>>
>>> Wouldn't it be simpler?
>>
>> No. Please do not do optimization here. It is code that is called very
>> rarely and expressiveness is more important here than optimizing access
>> to a couple of entries in LDAP.
>>
>
>I am not optimizing - I am actually making the validation much simpler. What is
>more simple and straightforward?
>
>A) One ldap.find_entries call
>B) A loop, numerous subcommands and LDAP searches

So far I've been successful in keeping details on how trust objects are
represented in LDAP hidden from the rest of the framework code by
encapsulating it all in trust.py. The change you propose will
make it leak into idrange.py. If we start changing the structure (which
is maintained by ipasam module, not the framework), we will have more
maintenance problems with the code spread out.

-- 
/ Alexander Bokovoy
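
The single subtree search discussed in the thread, kept behind one caller-facing function, as an added example that is not part of the thread or of FreeIPA's code. The DNs, SIDs, helper names and in-memory directory are constructed, and the subtree match only emulates an LDAP SUB-scope search.

```python
# Added example: names, DNs and SIDs below are constructed, not FreeIPA's own.
TRUSTS_BASE = "cn=trusts,dc=ipa,dc=example"  # stand-in for api.env.container_trusts

# Constructed directory content: one trusted root domain and one subdomain under it.
ENTRIES = {
    "cn=ad.example,cn=ad," + TRUSTS_BASE: {
        "objectclass": ["ipaNTTrustedDomain"],
        "ipanttrusteddomainsid": ["S-1-5-21-1111-2222-3333"],
    },
    "cn=child.ad.example,cn=ad.example,cn=ad," + TRUSTS_BASE: {
        "objectclass": ["ipaNTTrustedDomain"],
        "ipanttrusteddomainsid": ["S-1-5-21-4444-5555-6666"],
    },
}

def escape_filter_value(value):
    """Escape RFC 4515 special characters so a value cannot alter the filter."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def trusted_domain_filter(range_sid):
    """Build the filter quoted in the thread for a given range SID."""
    return ("(&(objectclass=ipaNTTrustedDomain)"
            "(ipanttrusteddomainsid=%s))" % escape_filter_value(range_sid))

def domains_using_sid(range_sid, entries=ENTRIES, base=TRUSTS_BASE):
    """Emulate a SUB-scope search: match entries at any depth under base."""
    hits = []
    for dn, attrs in entries.items():
        in_subtree = dn == base or dn.endswith("," + base)
        is_domain = "ipaNTTrustedDomain" in attrs.get("objectclass", [])
        if in_subtree and is_domain and range_sid in attrs.get("ipanttrusteddomainsid", []):
            hits.append(dn)
    return hits

def range_can_be_deleted(range_sid):
    """Only function a range-deletion caller needs; entry layout stays in here."""
    return not domains_using_sid(range_sid)
```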



