[Freeipa-devel] [PATCH] 773-777 ranges: prohibit setting --rid-base with ipa-trust-ad-posix type

Tomas Babej tbabej at redhat.com
Wed Oct 22 17:39:44 UTC 2014


Hi,

thank you for the patches, comments inline.


On 10/15/2014 02:20 PM, Petr Vobornik wrote:
> ticket: https://fedorahosted.org/freeipa/ticket/4221
>
> == [PATCH] 773 ranges: prohibit setting --rid-base with
> ipa-trust-ad-posix type ==
>
> We should not allow setting --rid-base for ranges of
> ipa-trust-ad-posix since we do not perform any RID -> UID/GID mappings
> for these ranges (objects have UID/GID set in AD). Thus, setting RID
> base makes no sense.
>
> Since ipaBaseRID is a MUST in ipaTrustedADDomainRange object class,
> value '0' is allowed and used internally for 'ipa-trust-ad-posix'
> range type.

We probably don't want to display the first RID if it is 0 and the type
is ad-posix. This occurs in idrange-find:

[tbabej at vm-043 labtool]$ ipa idrange-find

----------------
2 ranges matched
----------------
  Range name: DOM043.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range
  First Posix ID of the range: 514800000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range

  Range name: TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range
  First Posix ID of the range: 10000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-2997650941-1802118864-3094776726
  Range type: Active Directory trust range with POSIX attributes

----------------------------
Number of entries returned 2
----------------------------

And also idrange-show:

[tbabej at vm-043 labtool]$ ipa idrange-show TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range
  Range name: TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range
  First Posix ID of the range: 10000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-2997650941-1802118864-3094776726
  Range type: Active Directory trust range with POSIX attributes


>
> No schema change is done.
>
> == [PATCH] 774 unittests: baserid for ipa-ad-trust-posix idranges ==

Looks good.

>
> == [PATCH] 775 ldapupdater: set baserid to 0 for ipa-ad-trust-posix
> ranges ==

Can you use the paged_search=True in find_entries instead of having an
infinite loop? It would make this code much cleaner.


>
> New updater plugin which sets baserid to 0 for ranges with type
> ipa-ad-trust-posix
>
> https://fedorahosted.org/freeipa/ticket/4221
>
> == [PATCH] 776 idrange: include raw range type in output ==
>
> iparangetype output is a localized human-readable value which is not
> suitable for machine-based API consumers
>
> Solved by new iparangetyperaw output attribute which contains
> iparangetype's raw value
>
> Note: I don't like this approach. It would be better to return just
> the raw value and do the transformation in clients. But we do have a
> precedent:
> http://www.redhat.com/archives/freeipa-devel/2012-January/msg00190.html

I am not happy about it either. I guess we could create a capability
for this, but it would probably be overkill.



>
> == [PATCH] 777 webui: prohibit setting rid base with
> ipa-trust-ad-posix type ==
>
> Base RID is no longer editable for ipa-trust-ad-posix range type
>
> Adder dialog:
> - Range type selector was moved up because it affects a field above it
>
> Details page:
> - Only fields relevant to range's type are visible
>
>
Looks fine.

On a related note, I added a new ticket
https://fedorahosted.org/freeipa/ticket/4661


-- 
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org 
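
The rules discussed in this thread, written out as an added Python example (not FreeIPA's own code): the --rid-base check for ipa-ad-trust-posix ranges, the 0 stored in ipaBaseRID, hiding that 0 in idrange output, and returning the raw range type next to the localized label. Attribute keys other than ipaBaseRID/ipaRangeType and the sample entry are assumed or constructed here.

```python
# Added example, not FreeIPA's own code.  It models the rules discussed in
# this thread: --rid-base is rejected for ipa-ad-trust-posix ranges, 0 is
# stored in ipaBaseRID to satisfy the object class MUST, that 0 is hidden in
# idrange-find/idrange-show output, and the raw range type is returned next
# to the localized label.  Attribute keys beyond ipabaserid/iparangetype are
# an assumption; the label table covers only the labels shown in the thread.

AD_POSIX = "ipa-ad-trust-posix"
LOCAL = "ipa-local"

# Localized labels as printed by idrange-find; unknown types fall back to raw.
RANGE_TYPE_LABELS = {
    LOCAL: "local domain range",
    AD_POSIX: "Active Directory trust range with POSIX attributes",
}

def validate_base_rid(range_type, base_rid):
    """Return the ipaBaseRID value to store for a new or modified range.

    No RID -> UID/GID mapping is done for ipa-ad-trust-posix ranges (UIDs and
    GIDs come from AD), so a user-supplied --rid-base is an error there and 0
    is stored instead.  Other range types keep whatever the caller passed.
    """
    if range_type == AD_POSIX:
        if base_rid not in (None, 0):
            raise ValueError("--rid-base cannot be set for %s ranges" % AD_POSIX)
        return 0
    return base_rid

def format_range_entry(entry):
    """Shape one range entry for display: add the raw type next to the
    localized one and drop a zero base RID of an ipa-ad-trust-posix range."""
    shown = dict(entry)
    raw_type = entry["iparangetype"]
    shown["iparangetyperaw"] = raw_type
    shown["iparangetype"] = RANGE_TYPE_LABELS.get(raw_type, raw_type)
    if raw_type == AD_POSIX and str(entry.get("ipabaserid", "0")) == "0":
        shown.pop("ipabaserid", None)
    return shown

# Constructed sample mirroring the second entry of the idrange-find output.
SAMPLE_POSIX_RANGE = {
    "cn": "TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range",
    "ipabaseid": 10000,
    "ipaidrangesize": 200000,
    "ipabaserid": 0,
    "ipanttrusteddomainsid": "S-1-5-21-2997650941-1802118864-3094776726",
    "iparangetype": AD_POSIX,
}
```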
