[Freeipa-devel] [PATCH 0090] show optionally configured components in server-find/show command output
Martin Babinsky
mbabinsk at redhat.com
Fri Oct 23 07:33:46 UTC 2015
On 10/22/2015 04:35 PM, Petr Spacek wrote:
> On 22.10.2015 16:13, Martin Basti wrote:
>> On 22.10.2015 10:44, Martin Babinsky wrote:
>>> https://fedorahosted.org/freeipa/ticket/5181
>>>
>>>
>>>
>>
>> Thank you for the patch.
>>
>> 1)
>> +OPTIONAL_SERVICES = {
>> + 'DNS',
>> + 'CA',
>> + 'KRA',
>> + 'ADTRUST',
>> + 'EXTID',
>> + 'DNSKeyExporter',
>> + 'DNSSEC',
>> + 'DNSKeySync',
>> +}
>>
>> This did not scale well, maybe we should improve it to use some general
>> solution for whole IPA to distinct mandratory and optionl service, but I do
>> not know how (or if it is possible)
>
> Personally I would not create 'generic' solution until necessary. We have too
> much 'generic' code which was never tested outside the single use-case we
> have. Let's generalize it when needed.
>
>
>> 2)
>> + search_filter=('(&(objectclass=ipaConfigObject)'
>> + '(ipaConfigString=enabledService))')
>>
>> Common user cannot read ipaConfigString, so this will work only for admins, I
>> do not see any limitations of access in code for other users.
>
> I think that this is okay. The user will see exactly what LDAP ACI allows him
> to see, i.e. nothing. We do the same with DNS, for example.
>
>
> 4) Could you extend ipa server-find with an option to search for servers with
> a particular optional service? I think that it would be handy to do something like
> $ ipa server-find --service=CA
> to see list of CA servers.
>
That would actually by a very useful functionality. I tried to play
around with the idea but it seems it would require some serious
hacking/design changes that are beyond the scope of this ticket. Feel
free to open another RFE though :).
> Thank you!
>
--
Martin^3 Babinsky
More information about the Freeipa-devel
mailing list