[Freeipa-devel] [PATCH 0325] Add Domain Level feature

Ludwig Krispenz lkrispen at redhat.com
Fri May 15 08:17:30 UTC 2015


On 05/15/2015 09:22 AM, Ludwig Krispenz wrote:
>
> On 05/14/2015 11:48 AM, Jan Cholasta wrote:
>> Hi,
>>
>> On 14.5.2015 at 11:00 Tomas Babej wrote:
>>> Hi,
>>>
>>> this patch implements the domain level feature.
>>>
>>> https://fedorahosted.org/freeipa/ticket/5018
>>>
>>> Tomas
>>
>> 1)
>>
>> +# Create entry proclaiming Domain Level support of this master
>> +# This will update the supported Domain Levels during upgrade
>> +dn: cn=Domain Level support,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
>> +default: objectClass: top
>> +default: objectClass: nsContainer
>> +default: objectClass: ipaConfigObject
>> +default: objectClass: ipaSupportedDomainLevelConfig
>> +only: ipaMinDomainLevel: $MIN_DOMAIN_LEVEL
>> +only: ipaMaxDomainLevel: $MAX_DOMAIN_LEVEL
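Review bot: The dn line uses an RDN with embedded spaces ("cn=Domain Level support"), so anything that builds this DN by hand has to reproduce the spacing exactly; consider a space-free RDN, or state in the comment that readers should locate the entry by objectClass ipaSupportedDomainLevelConfig instead. The two "only:" lines also write $MIN_DOMAIN_LEVEL and $MAX_DOMAIN_LEVEL as given, and nothing in this hunk shows that min <= max is checked before the values are overwritten on upgrade.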
>>
>> The design states that supported domain levels should be stored 
>> directly in cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX and I agree 
>> with that - there is no reason to have this information in a separate 
>> entry.
> yes, the design states that the domainlevel supported by a server 
> should be stored in the cn=fqdn entry,
>
> but this is only informational, saying what level a server could 
> handle and the selected level used has to be set and stored and the 
> design doc says this has to be in:
>
> "Selected Domain level shall be stored in cn=DomainLevel,cn=etc,SUFFIX"
>
> Tomas,
> I don't see the handling of the global domain level entry
ok, it is there, you called it "cn= Domain Level" (with space), I used 
"cn=DomainLevel" - so wouldn't find it, we need to agree on a naming or 
a way to detect the entry
I will probably change to search for "objectclass=ipaDomainLevelConfig"
>
> Ludwig
>>
>>
>> 2) I thought we agreed to call the command domainlevel-set instead of 
>> domainlevel-raise: 
>> <https://www.redhat.com/archives/freeipa-devel/2015-May/msg00101.html>.
>>
>>
>> 3) Domain level is just a single integer and it should be treated as 
>> such, there's no need for an LDAPObject plugin and other unnecessary 
>> complexities. The implementation could be as simple as (from top of my 
>> head, untested):
>>
>>     from ipalib import Command, Int, output
>>     from ipalib.plugable import Registry
>>
>>     register = Registry()
>>
>>     # Trailing comma: has_output is a tuple of Output objects
>>     domainlevel_output = (
>>         output.Output('result', int),
>>     )
>>
>>     @register()
>>     class domainlevel_get(Command):  # exposed on the CLI as domainlevel-get
>>         has_output = domainlevel_output
>>
>>         def execute(self, *args, **options):
>>             ldap = self.api.Backend.ldap2
>>
>>             dn = ...
>>             entry = ldap.get_entry(dn, ['ipaDomainLevel'])
>>
>>             return {'result': entry.single_value['ipaDomainLevel']}
>>
>>     @register()
>>     class domainlevel_set(Command):  # exposed on the CLI as domainlevel-set
>>         has_output = domainlevel_output
>>
>>         takes_args = (
>>             Int('value'),
>>         )
>>
>>         def execute(self, *args, **options):
>>             ldap = self.api.Backend.ldap2
>>
>>             value = args[0]
>>             # ... validate value ...
>>
>>             dn = ...
>>             entry = ldap.get_entry(dn, ['ipaDomainLevel'])
>>             entry.single_value['ipaDomainLevel'] = value
>>             ldap.update_entry(entry)
>>
>>             return {'result': value}
>>
>>
>> Honza
>>
>
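An added example, not part of the original thread and not FreeIPA code: it locates the domain level entries by objectClass rather than by RDN, as proposed in the message above, and sketches one possible "validate value" step. The entries and DNs are constructed, the helper names are hypothetical, and the rule that a level must fall inside every master's min/max range is an assumption.

```python
# Constructed sample entries (DN -> attributes); not from a real directory.
SUFFIX = "dc=example,dc=test"
ENTRIES = {
    f"cn=Domain Level,cn=etc,{SUFFIX}": {
        "objectClass": ["top", "nsContainer", "ipaDomainLevelConfig"],
        "ipaDomainLevel": ["0"],
    },
    f"cn=Domain Level support,cn=m1.example.test,cn=masters,cn=ipa,cn=etc,{SUFFIX}": {
        "objectClass": ["top", "ipaSupportedDomainLevelConfig"],
        "ipaMinDomainLevel": ["0"], "ipaMaxDomainLevel": ["1"],
    },
    # Same data under a differently spelled RDN and objectClass case.
    f"cn=DomainLevelSupport,cn=m2.example.test,cn=masters,cn=ipa,cn=etc,{SUFFIX}": {
        "objectClass": ["top", "IPASupportedDomainLevelConfig"],
        "ipaMinDomainLevel": ["0"], "ipaMaxDomainLevel": ["2"],
    },
}

def find_by_objectclass(entries, objectclass):
    """Exact, case-insensitive objectClass match; the RDN is never inspected."""
    wanted = objectclass.lower()
    return [(dn, attrs) for dn, attrs in entries.items()
            if wanted in {oc.lower() for oc in attrs.get("objectClass", [])}]

def selected_level_entry(entries):
    """Return the single entry holding the selected level, or fail loudly."""
    matches = find_by_objectclass(entries, "ipaDomainLevelConfig")
    if len(matches) != 1:
        raise LookupError(f"expected one domain level entry, found {len(matches)}")
    return matches[0]

def supported_range(entries):
    """Intersect the [min, max] ranges advertised by all masters (assumed rule)."""
    masters = find_by_objectclass(entries, "ipaSupportedDomainLevelConfig")
    if not masters:
        raise LookupError("no master advertises supported domain levels")
    low = max(int(a["ipaMinDomainLevel"][0]) for _, a in masters)
    high = min(int(a["ipaMaxDomainLevel"][0]) for _, a in masters)
    return low, high

def validate_level(entries, value):
    """Reject non-integers and levels outside the common supported range."""
    if isinstance(value, bool) or not isinstance(value, int):
        raise TypeError("domain level must be an integer")
    low, high = supported_range(entries)
    if not low <= value <= high:
        raise ValueError(f"level {value} outside supported range {low}..{high}")
    return value
```

The match is on the whole objectClass value, so a search for ipaDomainLevelConfig does not pick up ipaSupportedDomainLevelConfig entries.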



