[Freeipa-devel] [PATCH] 767-770 webui: hide applied to hosts tab for Default Trust View

Alexander Bokovoy abokovoy at redhat.com
Mon Oct 20 10:51:49 UTC 2014


On Mon, 20 Oct 2014, Tomas Babej wrote:
>> What about filtering out 'Default Trust View' if no trusts are in place?
>> This would be a bit problematic for the case when you had trusts and
>> deleted them and currently have none of them but overrides are in place,
>> but at least it would be consistent -- you don't see default view and
>> you are not able to add there anything.
>>
>> However, it raises another question: if no trusts exist right now but
>> there are some AD user overrides in any view, how would we display them?
>> We cannot resolve SIDs to names at this point so overrides will look
>> ugly anyway. We can use ipaOriginalUid for users but we don't have
>> anything like that for groups.
>
>I think we should fail in the trust-del if there are any overrides tied
>to this particular trust, unless --forced (which should be used only for
>recreation of the trust).
I'd love to see a mass-removal tool per trusted domain then. Also,
removing trust does not mean overrides become invalid, only that they
become not editable or visible. They will not be enforced because trust
is not in place anyway.


>Currently, we rely on resolving the user/group name to do any operation
>on the ID override, so having the trust removed, you'd have to use LDAP
>directly to remove the entries.
It should be fine to remove the trust, just that our code should be able
to deal with domain SIDs for mass removal of ID overrides.


-- 
/ Alexander Bokovoy
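
The closing point of the message above, selecting ID overrides by trusted-domain SID without resolving names, shown as an added example; this is not FreeIPA code and not part of the original message. It assumes AD-backed override anchors have the form `:SID:<object SID>`; the function names, DNs and SIDs are constructed for illustration.

```python
# Added example: choose ID overrides for mass removal by domain SID alone,
# so it still works after the trust (and name resolution) is gone.
# Assumption: AD-backed overrides carry an anchor ":SID:<object SID>".

SID_PREFIX = ":SID:"


def domain_sid_of(sid):
    """Return the domain part of an object SID S-1-5-21-a-b-c-RID, else None."""
    parts = sid.upper().split("-")
    # "S", revision 1, authority 5, 21, three sub-authorities, RID = 8 parts
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        return None
    if not all(p.isdigit() for p in parts[4:]):
        return None
    return "-".join(parts[:7])


def overrides_for_domain(entries, domain_sid):
    """Return DNs of overrides whose anchor SID belongs to domain_sid.

    entries: iterable of (dn, anchor) pairs the caller read from LDAP.
    Comparison is on whole SID components; a plain string prefix test
    would also match a different domain such as ...-33330.
    """
    wanted = domain_sid.upper()
    selected = []
    for dn, anchor in entries:
        if not anchor.startswith(SID_PREFIX):
            continue  # not an AD object, leave it alone
        if domain_sid_of(anchor[len(SID_PREFIX):]) == wanted:
            selected.append(dn)
    return selected


# Constructed sample data (hypothetical DNs and SIDs).
SAMPLE_ENTRIES = [
    ("override-user-1", ":SID:S-1-5-21-1111-2222-3333-1105"),
    ("override-group-1", ":SID:S-1-5-21-1111-2222-3333-513"),
    ("override-other-domain", ":SID:S-1-5-21-1111-2222-33330-500"),
    ("override-ipa-user", ":IPA:example.test:constructed-uuid"),
    ("override-builtin", ":SID:S-1-5-32-544"),
]

if __name__ == "__main__":
    for dn in overrides_for_domain(SAMPLE_ENTRIES, "S-1-5-21-1111-2222-3333"):
        print("would remove:", dn)
```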



