On Wed, Jun 27, 2012 at 12:56:56PM +0300, Alexander Bokovoy wrote:
> On Mon, 25 Jun 2012, Alexander Bokovoy wrote:
> >On Mon, 25 Jun 2012, Sumit Bose wrote:
> >>Hi Alexander,
> >>
> >>On Thu, Jun 21, 2012 at 06:26:02PM +0300, Alexander Bokovoy wrote:
> >>>Hi!
> >>>
> >>>Attached is the patch to support external group membership for trusted
> >>>domains. This is needed to get proper group membership with the work
> >>>Sumit and Jan are doing on both IPA and SSSD sides.
> >>>
> >>>We already have ipaExternalGroup class that includes ipaExternalMember
> >>>attribute (multivalued case-insensitive string). The group that has
> >>>ipaExternalGroup object class will have to be non-POSIX and
> >>>ipaExternalMember attribute will contain security identifiers (SIDs)
> >>>of members from trusted domains.
> >>>
> >>>The patch takes care of three things:
> >>>1. Extends 'ipa group-add' with --external option to add
> >>>   ipaExternalGroup object class to a new group
> >>>2. Modifies 'ipa group-add-member' to accept --external CSV argument
> >>>   to specify SIDs
> >>>3. Modifies 'ipa group-del-member' to allow removing external members.
> >>
> >>thank you for the patch, it works as expected, but I have a few
> >>comments:
> >>
> >>- there is a trailing whitespace at the end of the "This means we can't
> >> check the correctness of a trusted domain SIDs" line
> >>- when using ipa group-add-member with --external there are still prompts
> >> for [member user] and [member group], can those be suppressed?
> >>- with ipa group-mod --posix it is possible to add the posixGroup
> >> objectclass together with a GID to the extern group object. This
> >> should result in an error and also the other way round, adding
> >> --external to POSIX groups.
> >Updated patch is attached. It fixes whitespace and group-mod.
> New revision.

Thank you. This version works well in my tests, so ACK.

It would be nice if someone can have a short look at the changes to
baseldap.py to see if there are any unexpected side effects.

bye,
Sumit

> 
> 
> -- 
> / Alexander Bokovoy

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
