[Freeipa-devel] [PATCH 0030] Require rid-base and secondary-rid-base options in idrange-add when trust exists

Petr Viktorin pviktori at redhat.com
Mon Jun 24 12:31:10 UTC 2013


On 06/21/2013 03:59 PM, Tomas Babej wrote:
> On 06/21/2013 03:38 PM, Ana Krivokapic wrote:
>> On 06/21/2013 02:39 PM, Tomas Babej wrote:
>>> On 06/12/2013 07:06 PM, Ana Krivokapic wrote:
>>>> On 06/11/2013 06:44 PM, Alexander Bokovoy wrote:
>>>>> On Tue, 11 Jun 2013, Martin Kosek wrote:
>>>>>>>> 2) Is the used ldapsearch really the best way to find out if
>>>>>>>> Trust is
>>>>>>>> configured on a given master? Isn't a search in
>>>>>>>> cn=masters,cn=ipa,...
>>>>>>>> better?
>>>>>>>> Alexander?
>>>>>>> What would the search in cn=masters,cn=ipa,.. give?
>>>>>>>
>>>>>>> We can have multiple CIFS services per realm. However, only those in
>>>>>>> 'adtrust agents' group are the ones which are real DCs. And since
>>>>>>> membership in the group is not handled via framework or UI, it is
>>>>>>> clear
>>>>>>> indication that ipa-adtrust-install was run.
>>>>>> It would say if there was an appropriate service configured by
>>>>>> ipa-adtrust-install. In this case,
>>>>>> "cn=ADTRUST,cn=FQDN,cn=masters,cn=ipa,cn=etc,SUFFIX". I am asking
>>>>>> because this
>>>>>> is a standard way in FreeIPA to ask for configured services.
>>>>>>
>>>>>> If that does not work for Trust, then your alternative way should
>>>>>> be OK too.
>>>>> This would work for making sure that ipa-adtrust-install was run on a
>>>>> specific server. It will not work for making sure trusts are enabled
>>>>> but in this case we only need to know that we have configured the host
>>>>> to be a DC so your approach is fine.
>>>>>
>>>>> I'm fine to use this approach, somehow it slipped out of my view
>>>>> when we
>>>>> discussed it with Ana..
>>>>>
>>>>>
>>>> I amended the name of the new command to 'adtrust_is_enabled'. I
>>>> also simplified
>>>> the LDAP search used in the command, as suggested by Martin and
>>>> Alexander.
>>>>
>>>> Updated patch is attached.
>>>>
>>> Can you please rebase the patch? I think tests -> ipatests change is the
>>> culprit here.
>>>
>>> Tomas
>> Sure, rebased patch is attached.
>>
> ACK
>
> Tomas

Pushed to master.


-- 
Petr³



