[Freeipa-devel] [Testplan] Support of UPN for trusted domains

Sumit Bose sbose at redhat.com
Mon Jul 11 07:56:29 UTC 2016 

On Mon, Jul 11, 2016 at 09:44:46AM +0200, Lenka Doudova wrote:
> 
> 
> On 07/07/2016 11:13 AM, Sumit Bose wrote:
> > On Fri, May 27, 2016 at 11:24:24AM +0300, Alexander Bokovoy wrote:
> > > On Fri, 27 May 2016, Sumit Bose wrote:
> > > > On Fri, May 27, 2016 at 09:57:37AM +0200, Lenka Doudova wrote:
> > > > > Hi all,
> > > > > 
> > > > > 
> > > > > here [1] is a draft of test plan for V4 RFE Support of UPN for trusted
> > > > > domains.
> > > > > 
> > > > > Please review this and let me know if there's something missing or wrong.
> > > > Hi Lenka,
> > > > 
> > > > thank you for the test plan.
> > > > 
> > > > About the TBD, Alexander and I agreed to store the alternative domain
> > > > suffixes read from AD in a new attribute in the LDAP object of the
> > > > forest root of the trusted domain.
> > > > 
> > > > About the kinit tests. Please note that it is expected that the -E
> > > > option of kinit must be used when alternative suffixes are used.
> > > > 
> > > > I'm not sure if SSSD tests are in the scope here as well. If they are I
> > > > would suggest to add authentication tests with SSSD where e.g. the name
> > > > with an alternative domain suffix is used as login name. This in general
> > > > already works with SSSD but is disabled by default for IPA because of
> > > > the missing server-side support so far. Since SSSD must be able to work
> > > > with old and new IPA server https://fedorahosted.org/sssd/ticket/3018
> > > > was created so that SSSD can detect at runtime if the server supports
> > > > this or not.
> > > Right, I think we should make sure SSSD is tested against IPA UPN
> > > support because otherwise we might get regressions.
> > Hi Lenka,
> > 
> > I would like to ask you to add test where 'kinit -E' is used with an IPA
> > user as well to avoid regression, because currently 'kinit -E
> > ipauser at IPA.DOMAIN' does not work.
> > 
> > Please note that the full principal must be used with kinit in this case
> > because when just using
> > 
> >      kinit -E ipauser
> > 
> > kinit is smart enough to see that it makes no sense to add the
> > default_realm twice and internally just does 'kinit ipauser at IPA.DOMAIN'.
> > 
> > If you think this test is better suited in a different test plan please
> > let me know, then I'll ask there.
> > 
> > bye,
> > Sumit
> Hi Sumit,
> 
> this test should be covered in basic trust test suite, but I think it's not
> in the code of the test (I was busy with providing coverage for new features
> and didn't manage to go through old coverage). I'll check this and update
> ASAP.
> 
> Thanks for catching it!

Thank you for taking care of it.

bye,
Sumit

> Lenka
> 
> > > 
> > > -- 
> > > / Alexander Bokovoy
>

More information about the Freeipa-devel mailing list