[Freeipa-devel] [PATCH] 18 Add external domain extop DS plugin

Sumit Bose sbose at redhat.com
Fri Mar 23 16:29:57 UTC 2012


On Fri, Mar 23, 2012 at 12:08:22PM -0400, Dmitri Pal wrote:
> On 03/23/2012 11:57 AM, Sumit Bose wrote:
> > On Fri, Mar 23, 2012 at 09:35:47AM -0400, Dmitri Pal wrote:
> >> On 03/23/2012 08:52 AM, Sumit Bose wrote:
> >>> Hi,
> >>>
> >>> these two patches introduce a new extended operation to the IPA server
> >>> which can be used by clients in the IPA domain to obtain information
> >>> about users and groups from trusted domains. Currently this exop is used
> >>> by the sssd sub-domain patch to map user names from a trusted AD domain
> >>> to a SID and back. There is also some code for other kinds of requests
> >>> which might become useful in the future, e.g. with a trusted IPA domain.
> >> Are the mappings cached on the SSSD side?
> > Yes in the sense that the whole user entry, which is the result of the
> > mapping, is cached on the SSSD side.
> >
> And it is already done or planned, tracked?

It is in the sub-domain patches Jan sent recently to sssd-devel.

bye,
Sumit

> 
> 
> >>> I added some unit tests and added a check for the check unit test framework
> >>> for C (http://check.sourceforge.net/), which is used by sssd as well. I
> >>> modified the spec file so that the test is run during the build of the
> >>> packages. I hope this is ok.
> >>>
> >>> The patches depend on the idmap library patch which was ACKed recently
> >>> on sssd-devel and as mentioned before the sub-domain patches on
> >>> sssd-devel can only be fully tested with an IPA server which has these
> >>> patches applied.
> >>>
> >>> Since Alexander is currently rewriting parts of the ipa-adtrust-install
> >>> utility I stand back from adding activation code for the exop to
> >>> ipa-adtrust-install and will send a patch when Alexander's changes are
> >>> available. So currently extdom-extop-conf.ldif has to be loaded manually
> >>> after replacing $SUFFIX to activate the new exop.
> > I forgot to mention that for the time being winbind has to be started on
> > the IPA server as well. For stability reasons the exop does not try to
> > connect to the remote servers itself, but uses a local winbind instance
> > to get to the data (one of the positive side effects is that the mapping is
> > cached by winbind, so that it is available to all clients in the IPA
> > domain, even if the connection to the remote server is down). The plan
> > is to replace winbind with a daemon of our own, but since winbind does
> > what we need without extra configuration this is very low priority.
> >
> > I will then add the automatic startup of winbind in the patch which
> > activates the exop. For now it has to be started manually.
> >
> > bye,
> > Sumit
> >
> >>> bye,
> >>> Sumit
> >>>
> >>>
> >>> _______________________________________________
> >>> Freeipa-devel mailing list
> >>> Freeipa-devel at redhat.com
> >>> https://www.redhat.com/mailman/listinfo/freeipa-devel
> >>
> >> -- 
> >> Thank you,
> >> Dmitri Pal
> >>
> >> Sr. Engineering Manager IPA project,
> >> Red Hat Inc.
> >>
> >>
> >> -------------------------------
> >> Looking to carve out IT costs?
> >> www.redhat.com/carveoutcosts/
> >>
> >>
> >>