[Freeipa-devel] Unused trusted range cannot be deleted

Tomas Babej tbabej at redhat.com
Thu Jul 18 08:01:59 UTC 2013


Hi,

please have a look at the following ticket:

https://fedorahosted.org/freeipa/ticket/3787

Basically the problem here is that we do not allow the deletion of a range that belongs to an active trust. This functionality was added in scope of 3.3 AFAIK.
However, the admin is not allowed to delete the range even if it is empty (i.e. if he added a range of a wrong type by mistake, and wants to delete it).

So, the rational conclusion here is that we should check if there are any objects in the range. However, such a check can be expensive for deployments with a large number of users and groups.

From the discussion with Alexander:

(02:20:07 PM) ab: 1. search for existence of ID could be expensive for many users/groups
(02:20:43 PM) ab: 2. the fact that range is there and seemingly unused in LDAP does not mean there are no users of those IDs at file system
(02:20:51 PM) ab: and you cannot check (2) at all
(02:22:39 PM) ab: tbabej: if we are ever adding something like that, it needs to come with LARGE banner
(02:22:55 PM) ab: because it is a tool to break the system

Still, running the ipa idrange-del command should not happen often (unlike, say, user-add) so performance should not be such an issue.

To address (2), maybe we should add an --force (or some other appropriately named) option, that would allow deletion of a range of an active trust, if we find it to be empty (according to the LDAP).

As for the Web UI, this could be implemented via a checkbox option (we already have this functionality in some other dialogues).

Opinions?

Tomas
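The emptiness check and --force semantics proposed in the mail, modelled as an added example (not FreeIPA code): the LDAP filter shape, the entry layout and all sample values are assumptions, and the caveat from point (2) is kept visible in the result.

```python
# Added example, not FreeIPA code: a minimal model of the emptiness check the
# mail proposes. Filter shape, entry layout and sample values are assumptions.
from dataclasses import dataclass
@dataclass(frozen=True)
class IDRange:
    name: str
    base_id: int
    size: int
    @property
    def last_id(self) -> int:
        return self.base_id + self.size - 1

def range_search_filter(r: IDRange) -> str:
    """LDAP filter matching any POSIX user or group whose ID falls inside r."""
    lo, hi = r.base_id, r.last_id
    return ("(&(|(objectClass=posixAccount)(objectClass=posixGroup))"
            f"(|(&(uidNumber>={lo})(uidNumber<={hi}))"
            f"(&(gidNumber>={lo})(gidNumber<={hi}))))")

def ids_in_range(r: IDRange, entries) -> list:
    """Same predicate evaluated locally over constructed LDAP-like entries."""
    hits = []
    for e in entries:
        for attr in ("uidNumber", "gidNumber"):
            v = e.get(attr)
            if v is not None and r.base_id <= int(v) <= r.last_id:
                hits.append((e["dn"], attr, int(v)))
    return hits

def can_delete_range(r: IDRange, entries, active_trust: bool, force: bool = False):
    """Return (allowed, reason). A range of an active trust stays protected
    unless --force is given AND the LDAP search finds nothing in it. Caveat (2)
    from the mail: an empty LDAP result says nothing about IDs used on disk."""
    if not active_trust:
        return True, "range is not tied to an active trust"
    if not force:
        return False, "range belongs to an active trust; use --force"
    hits = ids_in_range(r, entries)
    if hits:
        return False, f"{len(hits)} object(s) in range, e.g. {hits[0][0]}"
    return True, "no LDAP objects in range (file system use is not checked)"

# Constructed sample data: one trust range that is empty, one holding a group.
SAMPLE_ENTRIES = [
    {"dn": "uid=alice,cn=users,cn=accounts,dc=example,dc=test",
     "uidNumber": "1200", "gidNumber": "1200"},
    {"dn": "cn=ops,cn=groups,cn=accounts,dc=example,dc=test", "gidNumber": "200500"},
]
EMPTY_RANGE = IDRange("AD.EXAMPLE_id_range", 100000, 50000)
USED_RANGE = IDRange("AD.EXAMPLE_id_range2", 200000, 50000)
```

The filter string is what a server-side check would send instead of walking entries locally; the local evaluation is only there so the logic can be run offline.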
