[Freeipa-devel] [PATCH] 0118 add support for subdomains

Jan Cholasta jcholast at redhat.com
Fri Sep 20 07:19:17 UTC 2013


On 19.9.2013 21:08, Alexander Bokovoy wrote:
> Hi!
>
> Attached patch adds IPA CLI to manage trust subdomains.
>
> ipa trust-domain-fetch <trust>        -- fetch list of subdomains from AD
>                                          side and add new ones to IPA
> ipa trust-domain-find <trust>         -- show all available subdomains
> ipa trust-domain-del <trust> <domain> -- remove subdomain from IPA view
>                                          about <trust>
> ipa trust-domain-mod <trust> <domain> -- modify subdomain parameters
>                                          (work in progress)
>
> IPA KDC needs also information for authentication paths to subdomains in
> case they are not hierarchical under AD forest trust root. This
> information is managed via capaths section in krb5.conf. SSSD should be
> able to generate it once ticket
> https://fedorahosted.org/sssd/ticket/2093 is resolved.
>
> part of https://fedorahosted.org/freeipa/ticket/3909
>
> The patch implements some dark magic to get around IPA framework
> limitations:
>
>   -- CLI commands belong to 'trust' family but operate on 'subdomain'
> object
>   -- 'subdomain' objects are stored under trust container, thus making
>      container_dn dependent on a particular trust:
>       cn=<subdomain>,cn=<trust>,cn=ad,cn=trusts,$SUFFIX
>
> The latter is a design decision since our KDC driver loads all objects
> with objectclass=ipaNTTrustedDomain from cn=ad,cn=trusts,$SUFFIX using
> subtree scope. With this design no changes were needed in ipa-kdb at all
> to support subdomains.
>

NACK, this patch breaks several conventions we use in the framework:

1) The object is named "subdomain", but the commands are named 
"trust_domain_*". Please use the object name as the base for command 
names. I would suggest renaming the object to "trustdomain", as the 
framework does not allow underscores in object names, and "subdomain" 
sounds a little bit too generic.

2) There is already support for objects inside objects in the framework, 
there's no need to reinvent this. See the parent_object attribute of 
LDAPObject and the dns plugin for practical example.

3) Create commands are usually named "*_add", not "*_create".

4) The "trust_domain_fetch" command gives the impression it operates on 
top of a trust domain, but it actually operates on top of a trust. I 
think it should be renamed to better reflect this.

Honza

-- 
Jan Cholasta
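The thread's two technical points, the cn=<subdomain>,cn=<trust>,cn=ad,cn=trusts,$SUFFIX layout and the framework's parent_object mechanism for nested objects, are illustrated by the following added example. It is not FreeIPA's code and does not use ipalib: NestedObject, get_dn, base_dn, in_subtree and SUFFIX are assumed names for a simplified model of how a nested object's DN is derived from its parent's DN, and it also shows why a subtree search under the trusts container returns the subdomain entries along with the trust entries, which is why no ipa-kdb change was needed.

```python
# Added example, not FreeIPA's code: a minimal model of how a framework
# object that names a parent_object derives its DN from the parent's DN,
# producing the cn=<subdomain>,cn=<trust>,cn=ad,cn=trusts,$SUFFIX layout.
# NestedObject, get_dn, base_dn, in_subtree and SUFFIX are assumed names
# for this model, not ipalib's API.

SUFFIX = "dc=example,dc=test"  # constructed sample base DN


def escape_rdn_value(value):
    """Escape characters that are special inside an RDN attribute value
    (RFC 4514), so a key such as 'a,b' cannot alter the DN's structure."""
    special = set('\\,+"<>;=')
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in special or (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


class NestedObject:
    """Simplified stand-in for an LDAPObject that may name a parent_object."""

    registry = {}

    def __init__(self, name, container_rdns, parent_object=None, rdn_attr="cn"):
        self.name = name
        # RDNs sitting between this object's entries and the parent entry/suffix
        self.container_rdns = list(container_rdns)
        self.parent_object = parent_object
        self.rdn_attr = rdn_attr
        NestedObject.registry[name] = self

    def base_dn(self, *parent_keys):
        """DN of the container this object's entries live in."""
        if self.parent_object is None:
            base = SUFFIX
        else:
            # The container depends on which parent entry we are nested under.
            base = NestedObject.registry[self.parent_object].get_dn(*parent_keys)
        return ",".join(self.container_rdns + [base])

    def get_dn(self, *keys):
        """Build the entry DN; keys run outermost parent first, own key last."""
        if not keys:
            raise ValueError("%s requires a primary key" % self.name)
        own_key, parent_keys = keys[-1], keys[:-1]
        rdn = "%s=%s" % (self.rdn_attr, escape_rdn_value(own_key))
        return ",".join([rdn, self.base_dn(*parent_keys)])


def in_subtree(dn, base):
    """True if dn equals base or lies anywhere below it (subtree scope)."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


# Top-level object: trusts are stored under cn=ad,cn=trusts,$SUFFIX.
trust = NestedObject("trust", ["cn=ad", "cn=trusts"])
# Nested object: a trust's domains live directly under the trust entry.
trustdomain = NestedObject("trustdomain", [], parent_object="trust")


def trusts_container_dn():
    """The base a KDC-style subtree search for trusted domains starts from."""
    return trust.base_dn()


if __name__ == "__main__":
    forest = "ad.example.test"       # constructed forest root name
    child = "child.ad.example.test"  # constructed subdomain name
    for dn in (trust.get_dn(forest), trustdomain.get_dn(forest, child)):
        print(dn, "-> under trusts container:", in_subtree(dn, trusts_container_dn()))
```

The point of the model is that once trustdomain declares trust as its parent, its container DN follows from the trust's primary key instead of being hard-coded per trust, and every subdomain entry still sits below cn=ad,cn=trusts,$SUFFIX, so a subtree-scoped search from that base picks up both kinds of entry.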
