[Freeipa-devel] [PATCH] 530 trust plugin: Fix typo in attribute name

Martin Kosek mkosek at redhat.com
Fri Apr 18 13:40:59 UTC 2014


On 04/18/2014 01:55 PM, Petr Viktorin wrote:
> On 04/17/2014 10:12 PM, Alexander Bokovoy wrote:
>> On Thu, 17 Apr 2014, Simo Sorce wrote:
>>> On Thu, 2014-04-17 at 20:30 +0200, Martin Kosek wrote:
>>>> On 04/17/2014 07:11 PM, Petr Viktorin wrote:
>>>> > Hello,
>>>> > While working on the trust permissions I found a typo in the
>>>> > 'ipanttrustauthoutgoing' attribute in default_attributes. Here is a
>>>> > fix.
>>>> >
>>>>
>>>> I think the right question to ask - do we want to have
>>>> ipanttrustauth{incoming,outgoing} in default attributes?
>>>>
>>>> I do not think so. It is supposed to hold a secret for the trust, I
>>>> do not think you want it displayed on your terminal by default - even
>>>> if you have a right to display it.
>>>
>>> Yep, should not be returned by default to any command line utility.
>> Agreed. I wanted to remove it too the other day but forgot to file a
>> ticket.
>>
> 
> I see.
> Here is a patch to remove them.
> 

Why did you remove SID blacklists from search_display_attributes? Is this what
we want?

It changes trust-find behavior from:

# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: tbad.example.com
  Domain NetBIOS name: TBAD
  Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726
  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
S-1-5-6, S-1-5-5, S-1-5-4,
                          S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15,
S-1-5-14, S-1-5-13, S-1-5-12,
                          S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0,
S-1-5-19, S-1-5-18
  SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
S-1-5-6, S-1-5-5, S-1-5-4,
                          S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15,
S-1-5-14, S-1-5-13, S-1-5-12,
                          S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0,
S-1-5-19, S-1-5-18
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------

to

# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: tbad.example.com
  Domain NetBIOS name: TBAD
  Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------

I am not saying it is necessarily a bad thing to do. It IMO actually makes find
output consistent with trust-show and better to read.

I would personally remove search_display_attributes altogether since we are
poking in this part and let trust return default attributes in the trust-find
command.

Martin



