[Freeipa-devel] [PATCH 0325] Add Domain Level feature
Ludwig Krispenz
lkrispen at redhat.com
Fri May 15 08:17:30 UTC 2015
On 05/15/2015 09:22 AM, Ludwig Krispenz wrote:
>
> On 05/14/2015 11:48 AM, Jan Cholasta wrote:
>> Hi,
>>
>> On 14.5.2015 at 11:00, Tomas Babej wrote:
>>> Hi,
>>>
>>> this patch implements the domain level feature.
>>>
>>> https://fedorahosted.org/freeipa/ticket/5018
>>>
>>> Tomas
>>
>> 1)
>>
>> +# Create entry proclaiming Domain Level support of this master
>> +# This will update the supported Domain Levels during upgrade
>> +dn: cn=Domain Level support,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
>> +default: objectClass: top
>> +default: objectClass: nsContainer
>> +default: objectClass: ipaConfigObject
>> +default: objectClass: ipaSupportedDomainLevelConfig
>> +only: ipaMinDomainLevel: $MIN_DOMAIN_LEVEL
>> +only: ipaMaxDomainLevel: $MAX_DOMAIN_LEVEL
>>
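Review bot: The RDN on the dn: line, cn=Domain Level support, contains spaces, and the two comment lines above it do not say how consumers are expected to locate the entry, so anything that looks it up by name must match that string exactly. Either use a name without spaces or state in the comment that the entry is found by objectClass=ipaSupportedDomainLevelConfig. The comment should also say where $MIN_DOMAIN_LEVEL and $MAX_DOMAIN_LEVEL are substituted from, since the two only: lines replace whatever value is already stored each time the update runs.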
>> The design states that supported domain levels should be stored
>> directly in cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX and I agree
>> with that - there is no reason to have this information in a separate
>> entry.
> yes, the design states that the domainlevel supported by a server
> should be stored in the cn=fqdn entry,
>
> but this is only informational, saying what level a server could
> handle and the selected level used has to be set and stored and the
> design doc says this has to be in:
>
> "Selected Domain level shall be stored in cn=DomainLevel,cn=etc,SUFFIX"
>
> Tomas,
> I don't see the handling of the global domain level entry
ok, it is there, you called it "cn= Domain Level" (with space), I used
"cn=DomainLevel" - so wouldn't find it, we need to agree on a naming or
a way to detect the entry
I will probably change to search for "objectclass=ipaDomainLevelConfig"
>
> Ludwig
>>
>>
>> 2) I thought we agreed to call the command domainlevel-set instead of
>> domainlevel-raise:
>> <https://www.redhat.com/archives/freeipa-devel/2015-May/msg00101.html>.
>>
>>
>> 3) Domain level is just a single integer and it should be treated as
>> such, there's no need for an LDAPObject plugin and other unnecessary
>> complexities. The implementation could be as simple as (from top of my
>> head, untested):
>>
>> from ipalib import Command, Int, output
>> from ipalib.plugable import Registry
>>
>> register = Registry()
>>
>> # Both commands return the domain level as a single integer.
>> domainlevel_output = (
>>     output.Output('result', int),
>> )
>>
>> # Class names use '_' (a '-' is not valid in a Python identifier);
>> # the CLI exposes them as domainlevel-get and domainlevel-set.
>> @register()
>> class domainlevel_get(Command):
>>     has_output = domainlevel_output
>>
>>     def execute(self, *args, **options):
>>         ldap = self.api.Backend.ldap2
>>
>>         dn = ...
>>         entry = ldap.get_entry(dn, ['ipaDomainLevel'])
>>
>>         return {'result': entry.single_value['ipaDomainLevel']}
>>
>> @register()
>> class domainlevel_set(Command):
>>     has_output = domainlevel_output
>>
>>     takes_args = (
>>         Int('value'),
>>     )
>>
>>     def execute(self, *args, **options):
>>         ldap = self.api.Backend.ldap2
>>
>>         value = args[0]
>>         # ... validate value ...
>>
>>         dn = ...
>>         entry = ldap.get_entry(dn, ['ipaDomainLevel'])
>>         entry.single_value['ipaDomainLevel'] = value
>>         ldap.update_entry(entry)
>>
>>         return {'result': value}
>>
>>
>> Honza
>>
>
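
The objectClass-based lookup Ludwig settles on above, combined with the "validate value" step left open in the sketch, as an added example that is not code from this thread or from FreeIPA. It assumes a level is acceptable only when it lies inside every master's ipaMinDomainLevel..ipaMaxDomainLevel range; the entries, DNs and function names are constructed for illustration.

```python
# Added example: in-memory stand-ins for LDAP entries (all DNs and values constructed).
SUFFIX = "dc=example,dc=test"

def entry(dn, classes, **attrs):
    return {"dn": dn, "objectClass": classes, **attrs}

ENTRIES = [
    entry(f"cn=Domain Level,cn=etc,{SUFFIX}",
          ["top", "nsContainer", "ipaDomainLevelConfig"], ipaDomainLevel=["0"]),
    entry(f"cn=Domain Level support,cn=m1.example.test,cn=masters,cn=ipa,cn=etc,{SUFFIX}",
          ["top", "ipaSupportedDomainLevelConfig"],
          ipaMinDomainLevel=["0"], ipaMaxDomainLevel=["1"]),
    entry(f"cn=Domain Level support,cn=m2.example.test,cn=masters,cn=ipa,cn=etc,{SUFFIX}",
          ["top", "ipasupporteddomainlevelconfig"],  # objectClass values are case-insensitive
          ipaMinDomainLevel=["0"], ipaMaxDomainLevel=["2"]),
]

def find_by_objectclass(entries, name):
    """Select entries by objectClass, independent of how their RDN is spelled."""
    wanted = name.lower()
    return [e for e in entries if wanted in (c.lower() for c in e["objectClass"])]

def common_range(entries):
    """Intersect the [min, max] ranges advertised by every master (assumed rule)."""
    masters = find_by_objectclass(entries, "ipaSupportedDomainLevelConfig")
    if not masters:
        raise LookupError("no master advertises a supported domain level")
    low = max(int(m["ipaMinDomainLevel"][0]) for m in masters)
    high = min(int(m["ipaMaxDomainLevel"][0]) for m in masters)
    if low > high:
        raise ValueError(f"masters share no domain level (min {low} > max {high})")
    return low, high

def set_domain_level(entries, value):
    """Validate value, then update the single global entry; returns its DN."""
    found = find_by_objectclass(entries, "ipaDomainLevelConfig")
    if len(found) != 1:
        raise LookupError(f"expected one ipaDomainLevelConfig entry, found {len(found)}")
    low, high = common_range(entries)
    if not low <= value <= high:
        raise ValueError(f"domain level {value} outside supported range {low}-{high}")
    found[0]["ipaDomainLevel"] = [str(value)]
    return found[0]["dn"]
```
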