On Thu, 2013-02-28 at 13:02 +0100, Martin Kosek wrote:
> On 02/28/2013 12:42 PM, Sumit Bose wrote:
> > On Thu, Feb 28, 2013 at 08:44:35AM +0100, Martin Kosek wrote:
> >> On 02/27/2013 06:48 PM, Sumit Bose wrote:

> >> Hi Sumit,
> >>
> >> This looks like a good idea and would prevent the magic default PAC type, yes.
> >> Though I would not add this service-specific setting to global IPA config object.
> >>
> >> I would rather like to see that in the service tree, for example as a
> >> configuration option of the service root which could be controlled with
> >> serviceconfig-* commands (we already have dnsconfig, trustconfig), e.g:
> >>
> >> # ipa serviceconfig-add-pacmap --service=nfs --pac-type=NONE
> >> # ipa serviceconfig-add-pacmap --service=cifs --pac-type=PAD
> >> # ipa serviceconfig-show
> >>   Default PAC Map: nfs:NONE, cifs:PAD
> > 
> > Are you thinking of having this in addition to the for-all-services
> > default values in cn=ipaConfig,cn=etc or shall those be dropped? I don't
> > like the first case because then three different objects need to be
> > consulted to find out which is the right type. This wouldn't be an issue
> > for the plugin, but I think it is hard for the user/admin to follow.
> 
> Hm, you are right.
> 
> > 
> > If the current defaults shall be dropped I think this is a major change
> > because it will require changes in the current CLI and WebUI which will
> > be visible to the users. I'm not against this change, I'm just wondering
> > if it is worth the effort for the next release?
> > 
> > Maybe an argument to keep this in global default is that the settings
> > are used for the host/*.* services as well which are in a different
> > sub-tree of the cn=accounts container. Additionally in future we might
> > want to apply those settings to the user TGTs as well?
> 
> Yeah, that was actually my point. That we are mixing service-specific PAC
> "rules" to the global setting. Which may be shared with host/*.* principals and
> user principals. These automatic PAC rules may require some designing so that it
> is generally usable.

I think putting everything in the general config is more understandable
and discoverable. These per-service defaults are basically exceptions to
the general rule so it makes sense to keep everything together.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
