[Freeipa-devel] [PATCH 0325] Add Domain Level feature

Jan Cholasta jcholast at redhat.com
Fri May 22 05:08:55 UTC 2015


On 21.5.2015 at 18:18, Tomas Babej wrote:
>
>
> On 05/19/2015 04:07 PM, Tomas Babej wrote:
>>
>>
>> On 05/19/2015 03:59 PM, Martin Kosek wrote:
>>> On 05/19/2015 03:56 PM, Tomas Babej wrote:
>>>>
>>>> On 05/19/2015 03:51 PM, Martin Kosek wrote:
>>>>> On 05/19/2015 03:49 PM, Ludwig Krispenz wrote:
>>>>>> On 05/19/2015 03:36 PM, Martin Kosek wrote:
>>>>>>> On 05/19/2015 03:22 PM, Tomas Babej wrote:
>>>>>>> ...
>>>>>>>>> 3) Domain level is just a single integer and it should be
>>>>>>>>> treated as such,
>>>>>>>>> there's no need for an LDAPObject plugin and other unnecessary
>>>>>>>>> complexities.
>>>>>>>>> The implementation could be as simple as (from top of my head,
>>>>>>>>> untested):
>>>>>>>> That's right, I also considered this approach, but as far as I
>>>>>>>> know you do
>>>>>>>> not
>>>>>>>> get the permission handling for the global DomainLevel entry
>>>>>>>> otherwise.
>>>>>>>>
>>>>>>>> Ludwig, I changed the path for the global entry to cn=DomainLevel.
>>>>>>> I know this particular DN was added to the design by Simo, but
>>>>>>> why do we want
>>>>>>> to use CamelCase with LDAP object?
>>>>>>>
>>>>>>> Wouldn't "cn=Domain Level,cn=ipa,cn=etc,SUFFIX" be a better place
>>>>>>> for it? This
>>>>>>> is the last time we can change it, so I am asking now. Then, we
>>>>>>> will be stuck
>>>>>>> with this DN forever.
>>>>>> I don't mind using "cn=Domain Level",
>>>>>>
>>>>>> but where does the entry live, here you say
>>>>>>
>>>>>> cn=Domain Level,cn=ipa,cn=etc,SUFFIX"
>>>>>>
>>>>>> and in the design page it is:
>>>>>>
>>>>>> cn=DomainLevel,cn=etc,SUFFIX
>>>>>>
>>>>>> The current version of the topology plugin is looking for
>>>>>>
>>>>>> cn=DomainLevel,cn=ipa,cn=etc,SUFFIX"
>>>>>> but I want to change it to do a search on
>>>>>> objectclass=ipaDomainLevelConfig
>>>>> I see - we all need to unify the location apparently. I updated the
>>>>> design page
>>>>> to use "cn=Domain Level,cn=ipa,cn=etc,SUFFIX". Tomas, please send
>>>>> the updated
>>>>> patch set, it should be an extremely simple change :-)
>>>> I prefer the ipa parent and the space in the name, so I'm glad we
>>>> could agree
>>>> on this without much bikeshedding.
>>>>
>>>> Updated patch attached.
>>>>
>>>> Tomas
>>>>
>>>>
>>> I still see
>>>
>>> +# Create default Domain Level entry if it does not exist
>>> +dn: cn=DomainLevel,cn=ipa,cn=etc,$SUFFIX
>>> +default: objectClass: top
>>> +default: objectClass: nsContainer
>>> +default: objectClass: ipaDomainLevelConfig
>>> +default: ipaDomainLevel: 0
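Review bot: The dn: line of this hunk still spells the RDN as cn=DomainLevel, while the thread settled on "cn=Domain Level,cn=ipa,cn=etc,SUFFIX" and the design page was updated to that form. Change it to dn: cn=Domain Level,cn=ipa,cn=etc,$SUFFIX, and check the rest of the patch set for the old spelling, since the thread notes this DN cannot be changed later.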
>>>
>>> ...
>>
>> Right, the space eluded me there, thanks for the catch.
>>
>> Tomas
>
> A new iteration of the patch, including the server-side checks for the
> installers.
>
> Tomas

1) https://www.redhat.com/archives/freeipa-devel/2015-May/msg00228.html 
- I still don't agree that the plugin should be based on LDAPObject.

2) Use api domainlevel-show call to get the current domain level in 
ipa-replica-install instead of duplicating the code.

3) Set the domain level in DSInstance.create_instance instead of a 
separate call in ipa-server-install. It should be done about the same 
time as the master entry is added.

4) I think the option should be named --domain-level (with a dash), for 
consistency.

-- 
Jan Cholasta



