On Wed, 17 Oct 2012, Martin Kosek wrote:
On 10/17/2012 12:52 PM, Sumit Bose wrote:
On Wed, Oct 10, 2012 at 06:05:02PM +0300, Alexander Bokovoy wrote:
Hi,

this patch originated from off-list discussion regarding multiple runs
of ipa trust-add against the same domain.

Since trust-add re-establishes the trust every time it is run and all
the other information fetched from the remote domain controller stays
the same, it can be run multiple times. The only change that would occur is
an update of the trust relationship credentials -- they are supposed to be
updated periodically by the underlying infrastructure anyway.

So the patch adds some clarity to the help and changes the summary message
when the trust was re-established instead of created.
--
/ Alexander Bokovoy

ACK

Btw, another useful feature of allowing trust-add to run multiple times
is to re-establish the trust if it was deleted only on one side, AD or
IPA. Having a separate command for this would make no sense because it
would basically be an alias to trust-add.

bye,
Sumit


I am still a bit worried about our consistency with IPA command help
indentation. You have it indented with trust-add command:

# ipa help trust-add
Purpose: Add new trust to use.

   This command establishes trust relationship to another domain
   which becomes 'trusted'. As result, users of the trusted domain
   may access resources of this domain.
...
A fix is attached.


--
/ Alexander Bokovoy
From 44550cf83aac289363e3ca2acc789bc81cef351d Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Wed, 10 Oct 2012 15:33:50 +0300
Subject: [PATCH 5/5] Clarify trust-add help regarding multiple runs against
 the same domain

Since trust-add re-establishes the trust every time it is run and all the other
information fetched from the remote domain controller stays the same, it
can be run multiple times. The only change that would occur is an update of
the trust relationship credentials -- they are supposed to be updated
periodically by the underlying infrastructure anyway.
---
 ipalib/plugins/trust.py | 28 +++++++++++++++++++++++++---
 1 file changed, 25 insertions(+), 3 deletions(-)

diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 845f96e1fdd09d1e85f6f900d3f1c241445b9c6b..8632d42df578d81b6fdbcd9e5be8979994699206 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -179,7 +179,19 @@ def make_trust_dn(env, trust_type, dn):
     return dn
 
 class trust_add(LDAPCreate):
-    __doc__ = _('Add new trust to use')
+    __doc__ = _('''
+Add new trust to use.
+
+This command establishes trust relationship to another domain
+which becomes 'trusted'. As result, users of the trusted domain
+may access resources of this domain.
+
+Only trusts to Active Directory domains are supported right now.
+
+The command can be safely run multiple times against the same domain,
+this will cause change to trust relationship credentials on both
+sides.
+    ''')
 
     takes_options = LDAPCreate.takes_options + (
         StrEnum('trust_type',
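
Review bot: The last paragraph of the new __doc__ says a repeated run changes the trust credentials "on both sides", but the comments for case 2 later in this patch (trust_secret) say the work is done on our side only and the user is told what to do on the remote side. The help should say that both sides are updated only when the remote domain's admin credentials are given, and that with a pre-shared trust secret the remote side is not touched by this command. Two smaller points in the same string: "As result" should read "As a result", and "multiple times against the same domain, this will cause" is a comma splice that reads better as two sentences. The closing "    ''')" also leaves a newline and four spaces at the end of the translatable message.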
@@ -309,6 +321,11 @@ class trust_add(LDAPCreate):
                   reason=_('''Cannot perform join operation without own domain 
configured.
                               Make sure you have run ipa-adtrust-install on 
the IPA server first'''))
 
+        try:
+            existing_trust = api.Command['trust_show'](keys[-1])
+            summary = _('Re-established trust to domain "%(value)s"')
+        except errors.NotFound:
+            summary = self.msg_summary
         # 1. Full access to the remote domain. Use admin credentials and
         # generate random trustdom password to do work on both sides
         if 'realm_admin' in options:
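
Review bot: existing_trust in the added try block is assigned but never read in the lines shown, so the name only obscures that the call is an existence probe. Either call api.Command['trust_show'](keys[-1]) without binding the result or use the returned entry. Only errors.NotFound is handled, so any other error raised by the lookup stops trust-add before the join is attempted; if that is intended, a short comment saying so would help. A blank line between the except branch and the "# 1." comment would also keep the lookup apart from the case analysis that follows.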
@@ -360,14 +377,19 @@ class trust_add(LDAPCreate):
                 raise errors.ValidationError(name=_('AD Trust setup'),
                                              error=_('Unable to verify write 
permissions to the AD'))
 
-            return dict(value=trustinstance.remote_domain.info['dns_domain'], 
verified=result['verified'])
+            ret = dict(value=trustinstance.remote_domain.info['dns_domain'], 
verified=result['verified'])
+            ret['summary'] = summary % ret
+            return ret
+
 
         # 2. We don't have access to the remote domain and trustdom password
         # is provided. Do the work on our side and inform what to do on remote
         # side.
         if 'trust_secret' in options:
             result = trustinstance.join_ad_ipa_half(keys[-1], realm_server, 
options['trust_secret'])
-            return dict(value=trustinstance.remote_domain.info['dns_domain'], 
verified=result['verified'])
+            ret = dict(value=trustinstance.remote_domain.info['dns_domain'], 
verified=result['verified'])
+            ret['summary'] = summary % ret
+            return ret
         raise errors.ValidationError(name=_('AD Trust setup'),
                                      error=_('Not enough arguments specified 
to perform trust setup'))
 
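
Review bot: The three added lines that build ret, set ret['summary'] = summary % ret and return it are repeated verbatim in the realm_admin branch and the trust_secret branch. Building the dict in one small local helper would keep the two success paths from drifting apart. In the NotFound case summary is self.msg_summary, so "summary % ret" only works if that message references nothing beyond the 'value' and 'verified' keys present in ret; worth confirming against the class definition. The first branch also adds a second blank line after "return ret", which looks unintended.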
-- 
1.7.12
