[Freeipa-devel] [PATCH] 530 trust plugin: Fix typo in attribute name
Martin Kosek
mkosek at redhat.com
Fri Apr 18 13:40:59 UTC 2014
On 04/18/2014 01:55 PM, Petr Viktorin wrote:
> On 04/17/2014 10:12 PM, Alexander Bokovoy wrote:
>> On Thu, 17 Apr 2014, Simo Sorce wrote:
>>> On Thu, 2014-04-17 at 20:30 +0200, Martin Kosek wrote:
>>>> On 04/17/2014 07:11 PM, Petr Viktorin wrote:
>>>> > Hello,
>>>> > While working on the trust permissions I found a typo in the
>>>> > 'ipanttrustauthoutgoing' attribute in default_attributes. Here is a
>>>> > fix.
>>>> >
>>>>
>>>> I think the right question to ask - do we want to have
>>>> ipanttrustauth{incoming,outgoing} in default attributes?
>>>>
>>>> I do not think so. It is supposed to hold a secret for the trust, I do not
>>>> think you want it displayed on your terminal by default - even if you have a
>>>> right to display it.
>>>
>>> Yep, should not be returned by default to any command line utility.
>> Agreed. I wanted to remove it too the other day but forgot to file a
>> ticket.
>>
>
> I see.
> Here is a patch to remove them.
>
Why did you remove SID blacklists from search_display_attributes? Is this what
we want?
It changes trust-find behavior from:
# ipa trust-find
---------------
1 trust matched
---------------
Realm name: tbad.example.com
Domain NetBIOS name: TBAD
Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726
SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
S-1-5-6, S-1-5-5, S-1-5-4,
S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15,
S-1-5-14, S-1-5-13, S-1-5-12,
S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0,
S-1-5-19, S-1-5-18
SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
S-1-5-6, S-1-5-5, S-1-5-4,
S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15,
S-1-5-14, S-1-5-13, S-1-5-12,
S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0,
S-1-5-19, S-1-5-18
Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------
to
# ipa trust-find
---------------
1 trust matched
---------------
Realm name: tbad.example.com
Domain NetBIOS name: TBAD
Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726
Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------
I am not saying it is necessarily a bad thing to do. It IMO actually makes find
output consistent with trust-show and better to read.
I would personally remove search_display_attributes altogether since we are
poking in this part and let trust return default attributes in the trust-find
command.
Martin