On Thu, 07 Jun 2012, Sumit Bose wrote:
On Fri, Mar 23, 2012 at 01:52:34PM +0100, Sumit Bose wrote:

these two patches introduce a new extended operation to the IPA server
which can be used by clients in the IPA domain to obtain information
about users and groups from trusted domains. Currently this exop is used
by the sssd sub-domain patch to map user names from a trusted AD domain
to a SID and back. There is also some code for other kinds of requests
which might become useful in the future, e.g. with a trusted IPA domain.

I added some unit tests and added a check for the check unit test framework
for C (http://check.sourceforge.net/), which is used by sssd as well. I
modified the spec file so that the test is run during the build of the
packages. I hope this is ok.

The patches depend on the idmap library patch which was ACKed recently
on sssd-devel and as mentioned before the sub-domain patches on
sssd-devel can only be fully tested with an IPA server which has these
patches applied.

Since Alexander is currently rewriting parts of the ipa-adtrust-install
utility I stand back from adding activation code for the exop to
ipa-adtrust-install and will send a patch when Alexander's changes are
available. So currently extdom-extop-conf.ldif has to be loaded manually
after replacing $SUFFIX to activate the new exop.


Please find a rebased version of the patches which work on top of
Alexander's latest series of patches. The patches now also contain the
loading of extdom-extop-conf.ldif and the activation of winbind.

Thanks for the rebase.

Few comments.

1. The extdom plugin should support IDMAP_BOTH. We do provide user private
groups, so in our case it should be viewed as the preferred output. Thus you
would need to add a new response type to cover this case.

2. I have tried to look at the plugin description from point of view of
a system administrator and I failed to understand what it does:
+#define IPA_EXTDOM_PLUGIN_NAME   "ipa-extdom-extop"
+#define IPA_EXTDOM_PLUGIN_DESC   "IPA EXTDOM ID mapper Extended Operation 

In the ipa-extdom-extop-conf.ldif you have the following description:
+nsslapd-plugindescription: Support resolving IDs in trusted domains to names 
and back
Probably it is better to reuse the same description in IPA_EXTDOM_PLUGIN_DESC?

This is a minor point but EXTDOM itself is vague. Maybe we should be more clear
and call it 'IPA trusted domain ID mapper' as it really limits itself to
only trusted domains? We don't dispatch winbind request if the domain is
not found in our list of trusted domains.

3. Could you please define the OID in ipa_extdom.h so that it could be
useful for client code as well?
+#define EXOP_EXTDOM_OID "2.16.840.1.113730."

4. Do we have 'check' tool in RHEL6?
/ Alexander Bokovoy

Freeipa-devel mailing list