[Freeipa-devel] [PATCH] 0206 adtrust optimize forest root LDAP filter

Martin Babinsky mbabinsk at redhat.com
Wed Jun 15 07:02:00 UTC 2016


On 06/14/2016 04:45 PM, Alexander Bokovoy wrote:
> On Tue, 07 Jun 2016, Alexander Bokovoy wrote:
>> Hi,
>>
>> `ipa trust-find' command should only show trusted forest root domains
>>
>> The child domains should be visible via
>>
>>   ipa trustdomain-find forest.root
>>
>> The difference between forest root (or external domain) and child
>> domains is that root domain gets ipaIDObject class to allow assigning a
>> POSIX ID to the object. This POSIX ID is used by Samba when an Active
>> Directory domain controller connects as forest trusted domain object.
>>
>> Child domains can only talk to IPA via forest root domain, thus they
>> don't need POSIX ID for their TDOs. This allows us a way to
>> differentiate objects for the purpose of 'trust-find' /
>> 'trustdomain-find' commands.
>>
>> Fixes https://fedorahosted.org/freeipa/ticket/5942
>>
> This patch needs review.
>

ACK.

-- 
Martin^3 Babinsky



