[Freeipa-devel] [PATCH 0325] Add Domain Level feature

Jan Cholasta jcholast at redhat.com
Tue May 19 13:40:15 UTC 2015


On 19.5.2015 at 15:22, Tomas Babej wrote:
>
>
> On 05/14/2015 11:48 AM, Jan Cholasta wrote:
>> Hi,
>>
>> On 14.5.2015 at 11:00, Tomas Babej wrote:
>>> Hi,
>>>
>>> this patch implements the domain level feature.
>>>
>>> https://fedorahosted.org/freeipa/ticket/5018
>>>
>>> Tomas
>>
>> 1)
>>
>> +# Create entry proclaiming Domain Level support of this master
>> +# This will update the supported Domain Levels during upgrade
>> +dn: cn=Domain Level support,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
>> +default: objectClass: top
>> +default: objectClass: nsContainer
>> +default: objectClass: ipaConfigObject
>> +default: objectClass: ipaSupportedDomainLevelConfig
>> +only: ipaMinDomainLevel: $MIN_DOMAIN_LEVEL
>> +only: ipaMaxDomainLevel: $MAX_DOMAIN_LEVEL
>>
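Review bot: The four objectClass lines use `default:`, which the updater applies only when it creates the entry, while ipaMinDomainLevel and ipaMaxDomainLevel use `only:`, which rewrites the value on every run. That combination works for a brand-new child entry, but if these attributes move into the already existing cn=$FQDN,cn=masters entry as the design asks, the ipaSupportedDomainLevelConfig objectClass would need `add:` instead, otherwise upgraded masters may never get the class and the `only:` lines could be rejected by schema checking. The comment could also say where $MIN_DOMAIN_LEVEL and $MAX_DOMAIN_LEVEL are substituted from.
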
>> The design states that supported domain levels should be stored
>> directly in cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX and I agree with
>> that - there is no reason to have this information in a separate entry.
>
> I agree, this is an error on my part - I read the design as stored in
> entry under cn=$FQDN,cn=masters, not in the entry itself.

Maybe we can also rename ipaSupportedDomainLevelConfig to ipaMaster?

>
>>
>>
>> 2) I thought we agreed to call the command domainlevel-set instead of
>> domainlevel-raise:
>> <https://www.redhat.com/archives/freeipa-devel/2015-May/msg00101.html>.
>
> Fixed.
>
>>
>>
>> 3) Domain level is just a single integer and it should be treated as
>> such, there's no need for an LDAPObject plugin and other unnecessary
>> complexities. The implementation could be as simple as (from top of my
>> head, untested):
>
> That's right, I also considered this approach, but as far as I know you
> do not get the permission handling for the global DomainLevel entry
> otherwise.

The proper thing to do in such cases is to add the permissions to 
NONOBJECT_PERMISSIONS in 
ipaserver.install.plugins.update_managed_permissions.

>
> Ludwig, I changed the path for the global entry to cn=DomainLevel.
>
> Updated patch attached.
>
> Tomas


-- 
Jan Cholasta



