On 03/23/2012 11:57 AM, Sumit Bose wrote:
> On Fri, Mar 23, 2012 at 09:35:47AM -0400, Dmitri Pal wrote:
>> On 03/23/2012 08:52 AM, Sumit Bose wrote:
>>> Hi,
>>>
>>> these two patches introduce a new extended operation to the IPA server
>>> which can be used by clients in the IPA domain to obtain information
>>> about users and groups from trusted domains. Currently this exop is used
>>> by the sssd sub-domain patch to map user names from a trusted AD domain
>>> to a SID and back. There is also some code for other kinds of requests
>>> which might become useful in future, e.g. with a trusted IPA domain.
>> Are the mappings cached on the SSSD side?
> Yes in the sense that the whole user entry, which is the result of the
> mapping, is cached on the SSSD side.

And it is already done or planned, tracked?

>>> I added some unit tests and added a check for the check unit test framework
>>> for C (http://check.sourceforge.net/) which is used by sssd as well. I
>>> modified the spec file so that the test is run during the build of the
>>> packages. I hope this is ok.
>>>
>>> The patches depend on the idmap library patch which was ACKed recently
>>> on sssd-devel and as mentioned before the sub-domain patches on
>>> sssd-devel can only be fully tested with an IPA server which has these
>>> patches applied.
>>>
>>> Since Alexander is currently rewriting parts of the ipa-adtrust-install
>>> utility I stand back from adding activation code for the exop to
>>> ipa-adtrust-install and will send a patch when Alexander's changes are
>>> available. So currently extdom-extop-conf.ldif has to be loaded manually
>>> after replacing $SUFFIX to activate the new exop.
> I forgot to mention that for the time being winbind has to be started on
> the IPA server as well. For stability reasons the exop does not try to
> connect to the remote servers itself, but uses a local winbind instance
> to get to the data (one of the positive side effects is that the mapping is
> cached by winbind, so that it is available to all clients in the IPA
> domain, even if the connection to the remote server is down). The plan
> is to replace winbind with a daemon of our own, but since winbind does
> what we need without extra configuration this is very low priority.
>
> I will add the automatic startup of winbind in the patch which
> activates the exop. For now it has to be started manually.
>
> bye,
> Sumit
>
>>> bye,
>>> Sumit

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel