[Freeipa-devel] [PATCH] 18 Add external domain extop DS plugin

Sumit Bose sbose at redhat.com
Fri Mar 23 15:57:46 UTC 2012


On Fri, Mar 23, 2012 at 09:35:47AM -0400, Dmitri Pal wrote:
> On 03/23/2012 08:52 AM, Sumit Bose wrote:
> > Hi,
> >
> > these two patches introduce a new extended operation to the IPA server
> > which can be used by clients in the IPA domain to obtain information
> > about users and groups from trusted domains. Currently this exop is used
> > by the sssd sub-domain patch to map user names from a trusted AD domain
> > to a SID and back. There is also some code for other kinds of requests
> > which might become useful in the future, e.g. with a trusted IPA domain.
> 
> Are the mappings cached on the SSSD side?

Yes in the sense that the whole user entry, which is the result of the
mapping, is cached on the SSSD side.

> 
> > I added some unit tests and added a check for the check unit test framework
> > for C (http://check.sourceforge.net/), which is used by sssd as well. I
> > modified the spec file so that the test is run during the build of the
> > packages. I hope this is ok.
> >
> > The patches depend on the idmap library patch which was ACKed recently
> > on sssd-devel and, as mentioned before, the sub-domain patches on
> > sssd-devel can only be fully tested with an IPA server which has these
> > patches applied.
> >
> > Since Alexander is currently rewriting parts of the ipa-adtrust-install
> > utility I am holding back from adding activation code for the exop to
> > ipa-adtrust-install and will send a patch when Alexander's changes are
> > available. So currently extdom-extop-conf.ldif has to be loaded manually
> > after replacing $SUFFIX to activate the new exop.

I forgot to mention that for the time being winbind has to be started on
the IPA server as well. For stability reasons the exop does not try to
connect to the remote servers itself, but uses a local winbind instance
to get the data (one of the positive side effects is that the mapping is
cached by winbind, so that it is available to all clients in the IPA
domain, even if the connection to the remote server is down). The plan
is to replace winbind with a daemon of our own, but since winbind does
what we need without extra configuration this is very low priority.

I will add the automatic startup of winbind in the patch which
activates the exop. For now it has to be started manually.

bye,
Sumit

> >
> > bye,
> > Sumit
> >
> >
> > _______________________________________________
> > Freeipa-devel mailing list
> > Freeipa-devel at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-devel
> 
> 
> -- 
> Thank you,
> Dmitri Pal
> 
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
> 

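The manual activation steps mentioned in the message (render the plugin LDIF by replacing $SUFFIX, load it into the directory server, then make sure winbind is up and can resolve names) as a small script. This is an added example, not code from the FreeIPA patch or the post. The LDIF written by write_sample_template is a constructed stand-in for extdom-extop-conf.ldif, since the real file's contents are not in the thread; the Directory Manager DN, the LDAP URI, the winbind service name and the 'DOMAIN\user' account are placeholders for a given deployment.

```shell
#!/bin/sh
# Added example (not from the FreeIPA patch or the mailing-list post).
# Renders a 389-ds plugin config template, checks that no "$SUFFIX"
# placeholder survives, and shows the load and winbind checks as
# separate functions that need a live server and are not run by default.

# Replace every literal "$SUFFIX" in a template with the base DN.
# '|' is the sed delimiter so a base DN containing '/' would not break the
# expression, and '\$' makes sed treat the dollar sign as a literal
# character rather than an end-of-line anchor.
render_ldif() {
    template="$1"
    suffix="$2"
    sed 's|\$SUFFIX|'"$suffix"'|g' "$template"
}

# Constructed template mimicking the shape of a 389-ds plugin entry.
# Attribute values are illustrative and NOT the real extdom plugin's.
write_sample_template() {
    cat > "$1" <<'EOF'
dn: cn=example extdom plugin,cn=plugins,cn=config
changetype: add
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: example extdom plugin
nsslapd-pluginEnabled: on
nsslapd-basedn: $SUFFIX
EOF
}

# Number of unrendered "$SUFFIX" placeholders left in a file (0 is good).
# grep -c exits non-zero when there are no matches, so fall back to 0.
count_unrendered() {
    n=$(grep -c '\$SUFFIX' "$1") || n=0
    echo "$n"
}

# Load the rendered LDIF. Placeholder URI and bind DN; prompts for the
# Directory Manager password. Needs a running server, so not called here.
activate_extop() {
    ldapmodify -x -H ldap://localhost -D 'cn=Directory Manager' -W -f "$1"
}

# The exop answers from the local winbind, so winbind must be running.
# wbinfo -n does a name-to-SID lookup, which is exactly the path the exop
# relies on; 'DOMAIN\user' is a placeholder for a real trusted account.
check_winbind() {
    service winbind start
    wbinfo -n 'DOMAIN\user'
}

# Offline demonstration: render the constructed template and verify it.
tmpl=$(mktemp)
out=$(mktemp)
write_sample_template "$tmpl"
render_ldif "$tmpl" 'dc=example,dc=com' > "$out"
echo "unrendered placeholders: $(count_unrendered "$out")"
cat "$out"
rm -f "$tmpl" "$out"
```

Once the rendered file looks right, activate_extop "$out" and check_winbind are the two steps that touch the live system; if wbinfo -n cannot resolve a trusted-domain name, the exop will not be able to either, regardless of the plugin configuration.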