[Freeipa-devel] [PATCH] 530 trust plugin: Fix typo in attribute name

Petr Viktorin pviktori at redhat.com
Tue Apr 22 11:41:47 UTC 2014


On 04/18/2014 03:40 PM, Martin Kosek wrote:
> On 04/18/2014 01:55 PM, Petr Viktorin wrote:
>> On 04/17/2014 10:12 PM, Alexander Bokovoy wrote:
>>> On Thu, 17 Apr 2014, Simo Sorce wrote:
>>>> On Thu, 2014-04-17 at 20:30 +0200, Martin Kosek wrote:
>>>>> On 04/17/2014 07:11 PM, Petr Viktorin wrote:
>>>>>> Hello,
>>>>>> While working on the trust permissions I found a typo in the
>>>>>> 'ipanttrustauthoutgoing' attribute in default_attributes. Here is a fix.
>>>>>>
>>>>>
>>>>> I think the right question to ask - do we want to have
>>>>> ipanttrustauth{incoming,outgoing} in default attributes?
>>>>>
>>>>> I do not think so. It is supposed to hold a secret for the trust, I do not
>>>>> think you want it displayed on your terminal by default - even if you have a
>>>>> right to display it.
>>>>
>>>> Yep, should not be returned by default to any command line utility.
>>> Agreed. I wanted to remove it too the other day but forgot to file a
>>> ticket.
>>>
>>
>> I see.
>> Here is a patch to remove them.
>>
>
> Why did you remove SID blacklists from search_display_attributes? Is this what
> we want?

Oops, a mistake on my part.

> It changes trust-find behavior from:
>
> # ipa trust-find
> ---------------
> 1 trust matched
> ---------------
>    Realm name: tbad.example.com
>    Domain NetBIOS name: TBAD
>    Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726
>    SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4,
>                            S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12,
>                            S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
>    SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4,
>                            S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12,
>                            S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
>    Trust type: Active Directory domain
> ----------------------------
> Number of entries returned 1
> ----------------------------
>
> to
>
> # ipa trust-find
> ---------------
> 1 trust matched
> ---------------
>    Realm name: tbad.example.com
>    Domain NetBIOS name: TBAD
>    Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726
>    Trust type: Active Directory domain
> ----------------------------
> Number of entries returned 1
> ----------------------------
>
> I am not saying it is necessarily a bad thing to do. It IMO actually makes find
> output consistent with trust-show and better to read.
>
> I would personally remove search_display_attributes altogether since we are
> poking in this part and let trust return default attributes in the trust-find
> command.
>
> Martin

Alexander, would you be okay with that?


-- 
Petr³



