[Freeipa-devel] [PATCH] 18 Add external domain extop DS plugin

Dmitri Pal dpal at redhat.com
Fri Mar 23 16:08:22 UTC 2012


On 03/23/2012 11:57 AM, Sumit Bose wrote:
> On Fri, Mar 23, 2012 at 09:35:47AM -0400, Dmitri Pal wrote:
>> On 03/23/2012 08:52 AM, Sumit Bose wrote:
>>> Hi,
>>>
>>> these two patches introduce a new extended operation to the IPA server
>>> which can be used by clients in the IPA domain to obtain information
>>> about users and groups from trusted domains. Currently this exop is used
>>> by the sssd sub-domain patch to map user names from a trusted AD domain
>>> to a SID and back. There is also some code for other kinds of requests
>>> which might become useful in future, e.g. with a trusted IPA domain.
>> Are the mappings cached on the SSSD side?
> Yes in the sense that the whole user entry, which is the result of the
> mapping, is cached on the SSSD side.
>
And is it already done, or planned and tracked?


>>> I added some unit tests and added a check for the check unit test framework
>>> for C (http://check.sourceforge.net/), which is used by sssd as well. I
>>> modified the spec file so that the test is run during the build of the
>>> packages. I hope this is ok.
>>>
>>> The patches depend on the idmap library patch which was ACKed recently
>>> on sssd-devel and as mentioned before the sub-domain patches on
>>> sssd-devel can only be fully tested with an IPA server which has these
>>> patches applied.
>>>
>>> Since Alexander is currently rewriting parts of the ipa-adtrust-install
>>> utility I stand back from adding activation code for the exop to
>>> ipa-adtrust-install and will send a patch when Alexander's changes are
>>> available. So currently extdom-extop-conf.ldif has to be loaded manually
>>> after replacing $SUFFIX to activate the new exop.
> I forgot to mention that for the time being winbind has to be started on
> the IPA server as well. For stability reasons the exop does not try to
> connect to the remote servers itself, but uses a local winbind instance
> to get the data (one of the positive side effects is that the mapping is
> cached by winbind, so that it is available to all clients in the IPA
> domain, even if the connection to the remote server is down). The plan
> is to replace winbind with a daemon of our own, but since winbind does
> what we need without extra configuration this is very low priority.
>
> I will then add the automatic startup of winbind in the patch which
> activates the exop. For now it has to be started manually.
>
> bye,
> Sumit
>
>>> bye,
>>> Sumit
>>>
>>>
>>> _______________________________________________
>>> Freeipa-devel mailing list
>>> Freeipa-devel at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
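The manual activation step Sumit describes (replace $SUFFIX in extdom-extop-conf.ldif, load it, start winbind) as an added shell example; this is not code from the patch or the thread. It assumes the LDIF uses the literal token $SUFFIX, that ldapmodify can bind as cn=Directory Manager on the URL you pass, and that winbind is started through the service command; the sample entry it renders is a constructed stand-in, not the real content of extdom-extop-conf.ldif.

```shell
#!/bin/sh
# Added example (not part of the patch): render an LDIF that carries the
# placeholder $SUFFIX and load it into the IPA directory server.
set -eu

# Replace every literal "$SUFFIX" token read from stdin with the base DN in $1.
# The DN is escaped first so that '/', '&' and '\' in it cannot be
# interpreted by sed's replacement side.
render_ldif() {
    esc=$(printf '%s' "$1" | sed 's/[&/\]/\\&/g')
    sed "s/\\\$SUFFIX/$esc/g"
}

# Render $1 (LDIF file) with suffix $2 and load it over URL $3 as Directory
# Manager. Assumption: simple bind with a password prompt (-W) is acceptable.
load_extdom_conf() {
    render_ldif "$2" < "$1" | ldapmodify -x -H "$3" -D "cn=Directory Manager" -W
}

# winbind must be running on the IPA server for the exop to resolve anything;
# the init system and service name are assumed, adjust for the host.
start_winbind() {
    service winbind start
}

# Constructed stand-in for the shipped LDIF, used only for the dry run below.
sample_ldif() {
    cat <<'EOF'
dn: cn=example plugin,cn=plugins,cn=config
changetype: add
nsslapd-basedn: $SUFFIX
EOF
}

# Dry run: show the rendered entry without touching a server.
# Real use:  load_extdom_conf extdom-extop-conf.ldif 'dc=example,dc=com' ldap://ipa.example.com
sample_ldif | render_ldif 'dc=example,dc=com'
```

The escaping in render_ldif matters once a suffix contains characters sed treats specially; a plain `sed "s/\$SUFFIX/$2/g"` silently produces a wrong DN for an `o=a/b` style suffix.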