[Freeipa-devel] [PATCH] 0154-0158 improve trust operations

Sumit Bose sbose at redhat.com
Fri Aug 29 09:56:13 UTC 2014


On Fri, Aug 29, 2014 at 12:35:05PM +0300, Alexander Bokovoy wrote:
> On Fri, 29 Aug 2014, Sumit Bose wrote:
> >On Thu, Aug 21, 2014 at 01:43:35PM +0300, Alexander Bokovoy wrote:
> >>Hi!
> >>
> >>Attached patchset improves trust operations:
> >>
> >>1. Ensures we only allow establishing trust to forest root domain
> >>2. Ensures that we select primary domain controllers
> >>3. Ensures we first create the trust and later set it to transitive state and
> >>  update forest topology
> >>4. Relaxes filtering of domains obtained from AD side to allow some of
> >>  the possible topology combinations which were not accounted for
> >>  previously
> >>5. Reverts to any PDC rather than the closest one if the closest one is not
> >>  available due to site mismanagement.
> >>
> >>Affected tickets:
> >> https://fedorahosted.org/freeipa/ticket/4463
> >> https://fedorahosted.org/freeipa/ticket/4479
> >> https://fedorahosted.org/freeipa/ticket/4458
> >>
> >>The patches should apply cleanly to master and ipa-3-3 (and 4-0/4-1
> >>branches).
> >>
> >>They were tested with Windows Server 2008R2 and Windows Server 2012
> >>environments.
> >
> >Patches are looking good and I didn't find any issue in my tests, ACK.
> >
> >I only have a question about 158. I wonder if the admin calling ipa
> >trust-add would be interested to see that setting the transitive
> >attribute failed? Currently it is buried in the logs so chances are that
> >nobody will recognise it.
> Unfortunately, we don't have means in the framework to return warnings
> nicely formatted and separated from the original output. Thus, I decided
> to leave it as it is, without additional Python exception raising
> because one can easily see the error message when enabling debug output,
> even without restarting Apache.

ok, I see.

bye,
Sumit
> -- 
> / Alexander Bokovoy



