[Freeipa-devel] [PATCH 0030] Add option to specify SID using domain name to idrange-add/mod

Tomas Babej tbabej at redhat.com
Thu Feb 14 09:05:30 UTC 2013


On 02/12/2013 06:58 PM, Petr Vobornik wrote:
> On 02/04/2013 05:23 PM, Tomas Babej wrote:
>> Hi,
>>
>> When adding/modifying an ID range for a trusted domain, the newly
>> added option --dom-name can be used. This looks up SID of the
>> trusted domain in LDAP and therefore the user is not required
>> to write it down in CLI. If the lookup fails, error message
>> asking the user to specify the SID manually is shown.
>>
>> https://fedorahosted.org/freeipa/ticket/3133
>>
>> Tomas
>>
>>
>
> Just wondering: How bad would it be to not introduce new virtual 
> attribute and just use the ipanttrusteddomainsid. On add and mod (when 
> ipanttrusteddomainsid is set) we would check if ipanttrusteddomainsid 
> is SID. If not, it would be treated as domain name and 
> get_trusted_domain_sid_from_name method will be used to get the SID.
>
> I'm asking because I don't really like virtual and standard attributes 
> for the same ldap attribute in a mod command. In WEB UI details page 
> we have to display only one field - ipanttrusteddomainsid.
>
> So we are left with options:
>   1) do not use this feature for mod operations in Web UI
>   2) enter domain name in ipanttrusteddomainsid field, implement the 
> aforementioned check in Web UI and fill the correct option in RPC request
>   3) add special action into action list which will open new dialog, 
> user will enter domain name, mod command with ipanttrusteddomainname 
> set will be executed on confirmation
>   4) some other method
>
> I don't really like any of the options. If a SID check is an easy 
> operation, we can go with #2, but I would still rather see this logic 
> in server plugin.

Just for the record, after a short discussion with Petr we decided to 
keep the virtual attribute ipanttrusteddomainname as it is. The idea of 
having ipanttrusteddomainsid do two different things seems rather 
confusing, and in the end would probably be less user-friendly. In the 
WebUI, the user should be able to enter the SID using either the domain name or 
the domain SID. The proposal is that the user would be able to either modify the 
domain SID or enter the domain name (and thereby modify the SID).

Tomas
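The thread turns on two pieces of logic: deciding whether a value the user typed is syntactically a SID, and otherwise treating it as a trusted-domain name and looking the SID up (Petr's option #2, and the lookup behind --dom-name). The block below is an added illustration of that dispatch, not FreeIPA's own code: `is_sid`, `is_domain_sid`, `resolve_domain_sid` and the `TRUSTED_DOMAINS` table are hypothetical names, the domain entries are constructed, and the real plugin would read the SID from the trust entry in LDAP rather than from a dictionary.

```python
import re

# General SID string grammar: "S-1-<identifier authority>[-<sub-authority>]*".
# Windows allows up to 15 sub-authorities; the 48-bit authority and 32-bit
# sub-authority limits are enforced numerically below, not by the regex.
_SID_RE = re.compile(r'^S-1-(\d{1,15})(-\d{1,10}){0,15}$')


def is_sid(value):
    """Return True if value is syntactically a Windows SID string."""
    if not isinstance(value, str):
        return False
    m = _SID_RE.match(value)
    if not m:
        return False
    if int(m.group(1)) >= 2 ** 48:          # identifier authority is 48 bits
        return False
    sub_auths = value.split('-')[3:]
    return all(int(p) < 2 ** 32 for p in sub_auths)  # each sub-authority is 32 bits


def is_domain_sid(value):
    """True for the usual AD domain SID shape S-1-5-21-<x>-<y>-<z>.

    An ID range for a trust must be anchored on the domain SID itself, not on
    a user/group SID (which has one more RID component) or a well-known SID
    such as S-1-5-32-544.
    """
    if not is_sid(value):
        return False
    parts = value.split('-')
    return parts[2] == '5' and parts[3] == '21' and len(parts) == 7


# Constructed sample of trusted-domain entries (hypothetical, not real data);
# in FreeIPA the SID would come from the trust's ipanttrusteddomainsid value.
TRUSTED_DOMAINS = {
    'ad.example.test': 'S-1-5-21-1234567890-987654321-1122334455',
    'corp.example.test': 'S-1-5-21-555555555-666666666-777777777',
}


class DomainNotFound(ValueError):
    """Raised when no trusted domain matches; the caller should ask for the SID."""


def get_trusted_domain_sid_from_name(name, domains=TRUSTED_DOMAINS):
    """Look up the SID of a trusted domain by its (case-insensitive) name."""
    try:
        return domains[name.strip().lower()]
    except KeyError:
        raise DomainNotFound(
            "no trusted domain named %r found; specify the domain SID manually" % name)


def resolve_domain_sid(value, domains=TRUSTED_DOMAINS):
    """Option #2 from the thread: one field that accepts a SID or a domain name.

    A syntactically valid SID is returned unchanged (after checking it is a
    domain SID); anything else is treated as a domain name and looked up.
    """
    value = value.strip()
    if is_sid(value):
        if not is_domain_sid(value):
            raise ValueError("%r is a SID but not a domain SID" % value)
        return value
    return get_trusted_domain_sid_from_name(value, domains)


if __name__ == '__main__':
    for entered in ('S-1-5-21-1234567890-987654321-1122334455',
                    'AD.example.test', 'unknown.test'):
        try:
            print(entered, '->', resolve_domain_sid(entered))
        except (DomainNotFound, ValueError) as e:
            print(entered, '->', 'error:', e)
```

Because the SID check is purely syntactic, a mistyped domain name can never be mistaken for a SID, but a well-formed SID is accepted without consulting the trust at all; that is the behaviour Petr's proposal implies and the reason the server plugin, rather than the Web UI, is the right place for the check.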
