[Freeipa-devel] [PATCH 0090] show optionally configured components in server-find/show command output

Petr Spacek pspacek at redhat.com
Thu Oct 22 14:35:33 UTC 2015


On 22.10.2015 16:13, Martin Basti wrote:
> On 22.10.2015 10:44, Martin Babinsky wrote:
>> https://fedorahosted.org/freeipa/ticket/5181
>>
>>
>>
> 
> Thank you for the patch.
> 
> 1)
> +OPTIONAL_SERVICES = {
> +    'DNS',
> +    'CA',
> +    'KRA',
> +    'ADTRUST',
> +    'EXTID',
> +    'DNSKeyExporter',
> +    'DNSSEC',
> +    'DNSKeySync',
> +}
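Review bot: the entries in `OPTIONAL_SERVICES` mix upper-case names ('ADTRUST', 'EXTID') with camel-case ones ('DNSKeyExporter', 'DNSKeySync'), and the set carries no comment saying what these strings have to match. A membership test against a set is case-sensitive, so add a comment naming the source of these names, and either compare them exactly as stored or normalise case on both sides before the lookup.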
> 
> This did not scale well, maybe we should improve it to use some general
> solution for whole IPA to distinguish mandatory and optional services, but I do
> not know how (or if it is possible)

Personally I would not create 'generic' solution until necessary. We have too
much 'generic' code which was never tested outside the single use-case we
have. Let's generalize it when needed.


> 2)
> +        search_filter=('(&(objectclass=ipaConfigObject)'
> +                       '(ipaConfigString=enabledService))')
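Review bot: `search_filter` is a fixed literal here, which is fine, but the two string pieces give no hint that a match depends on the caller being able to read `ipaConfigString`. Add a short comment next to the filter saying that an empty result is expected when that attribute is not readable, and if a service name is ever appended to this filter, escape the value rather than concatenating it.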
> 
> Common user cannot read ipaConfigString, so this will work only for admins, I
> do not see any limitations of access in code for other users.

I think that this is okay. The user will see exactly what LDAP ACI allows him
to see, i.e. nothing. We do the same with DNS, for example.


4) Could you extend ipa server-find with an option to search for servers with
a particular optional service? I think that it would be handy to do something like
$ ipa server-find --service=CA
to see list of CA servers.

Thank you!

-- 
Petr^2 Spacek
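
Added example, not part of the original message and not FreeIPA code: a Python sketch of points 2 and 4 above, building the patch's filter with an optional service name and modelling why a caller without read access to ipaConfigString gets nothing back. The helper names, the cn term used to select a service, the sample entries and the simplified access model are assumptions made for illustration.

```python
# Added illustration, not FreeIPA code. Helper names, the cn term, the sample
# entries and the access model are assumptions made for this example.
OPTIONAL_SERVICES = {'DNS', 'CA', 'KRA', 'ADTRUST', 'EXTID',
                     'DNSKeyExporter', 'DNSSEC', 'DNSKeySync'}  # from the patch

def escape_filter_value(value):
    """Escape the characters RFC 4515 treats as special in a filter value."""
    special = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}
    return ''.join(special.get(ch, ch) for ch in value)

def enabled_service_terms(service=None):
    """Equality terms of the patch's AND filter, optionally narrowed by name."""
    terms = [('objectclass', 'ipaConfigObject'),
             ('ipaConfigString', 'enabledService')]
    if service is not None:
        if service not in OPTIONAL_SERVICES:  # allowlist before building
            raise ValueError('unknown optional service: %r' % (service,))
        terms.append(('cn', service))
    return terms

def build_filter(terms):
    """Render the terms as an LDAP filter string, escaping every value."""
    return '(&%s)' % ''.join(
        '(%s=%s)' % (attr, escape_filter_value(val)) for attr, val in terms)

def search(entries, terms, readable):
    """Simplified model: a term on an attribute the caller may not read
    never matches, so the caller gets no entries back."""
    hits = []
    for entry in entries:
        visible = {a.lower(): [v.lower() for v in vals]
                   for a, vals in entry.items() if a.lower() in readable}
        if all(val.lower() in visible.get(attr.lower(), [])
               for attr, val in terms):
            hits.append(entry['cn'][0])
    return hits

ENTRIES = [  # constructed sample data
    {'cn': ['CA'], 'objectclass': ['ipaConfigObject'], 'ipaConfigString': ['enabledService']},
    {'cn': ['DNS'], 'objectclass': ['ipaConfigObject'], 'ipaConfigString': ['enabledService']},
    {'cn': ['KRA'], 'objectclass': ['ipaConfigObject'], 'ipaConfigString': ['configuredService']},
]
ADMIN = {'cn', 'objectclass', 'ipaconfigstring'}
USER = {'cn', 'objectclass'}

if __name__ == '__main__':
    print(build_filter(enabled_service_terms('CA')))
    print(search(ENTRIES, enabled_service_terms(), ADMIN))
    print(search(ENTRIES, enabled_service_terms(), USER))
```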



