[Freeipa-devel] [Testplan] Support of UPN for trusted domains

Lenka Doudova ldoudova at redhat.com
Mon Jul 11 07:44:46 UTC 2016 


On 07/07/2016 11:13 AM, Sumit Bose wrote:
> On Fri, May 27, 2016 at 11:24:24AM +0300, Alexander Bokovoy wrote:
>> On Fri, 27 May 2016, Sumit Bose wrote:
>>> On Fri, May 27, 2016 at 09:57:37AM +0200, Lenka Doudova wrote:
>>>> Hi all,
>>>>
>>>>
>>>> here [1] is a draft of test plan for V4 RFE Support of UPN for trusted
>>>> domains.
>>>>
>>>> Please review this and let me know if there's something missing or wrong.
>>> Hi Lenka,
>>>
>>> thank you for the test plan.
>>>
>>> About the TBD, Alexander and I agreed to store the alternative domain
>>> suffixes read from AD in a new attribute in the LDAP object of the
>>> forest root of the trusted domain.
>>>
>>> About the kinit tests. Please note that it is expected that the -E
>>> option of kinit must be used when alternative suffixes are used.
>>>
>>> I'm not sure if SSSD tests are in the scope here as well. If they are I
>>> would suggest to add authentication tests with SSSD where e.g. the name
>>> with an alternative domain suffix is used as login name. This in general
>>> already works with SSSD but is disabled by default for IPA because of
>>> the missing server-side support so far. Since SSSD must be able to work
>>> with old and new IPA server https://fedorahosted.org/sssd/ticket/3018
>>> was created so that SSSD can detect at runtime if the server supports
>>> this or not.
>> Right, I think we should make sure SSSD is tested against IPA UPN
>> support because otherwise we might get regressions.
> Hi Lenka,
>
> I would like to ask you to add test where 'kinit -E' is used with an IPA
> user as well to avoid regression, because currently 'kinit -E
> ipauser at IPA.DOMAIN' does not work.
>
> Please note that the full principal must be used with kinit in this case
> because when just using
>
>      kinit -E ipauser
>
> kinit is smart enough to see that it makes no sense to add the
> default_realm twice and internally just does 'kinit ipauser at IPA.DOMAIN'.
>
> If you think this test is better suited in a different test plan please
> let me know, then I'll ask there.
>
> bye,
> Sumit
Hi Sumit,

this test should be covered in basic trust test suite, but I think it's 
not in the code of the test (I was busy with providing coverage for new 
features and didn't manage to go through old coverage). I'll check this 
and update ASAP.

Thanks for catching it!
Lenka

>>
>> -- 
>> / Alexander Bokovoy

More information about the Freeipa-devel mailing list