On 04/12/2013 12:20 PM, Ana Krivokapic wrote:
> On 04/11/2013 03:03 PM, Alexander Bokovoy wrote:
>> On Thu, 11 Apr 2013, Ana Krivokapic wrote:
>>> On 04/11/2013 01:43 PM, Alexander Bokovoy wrote:
>>>> On Thu, 11 Apr 2013, Petr Spacek wrote:
>>>>> On 11.4.2013 13:24, Alexander Bokovoy wrote:
>>>>>> On Thu, 11 Apr 2013, Petr Spacek wrote:
>>>>>>> On 11.4.2013 13:09, Ana Krivokapic wrote:
>>>>>>>> Integrate realmdomains with IPA DNS
>>>>>>>>
>>>>>>>> Add an entry to realmdomains when a DNS zone is added to IPA.
>>>>>>>> Delete the related entry from realmdomains when the DNS zone is
>>>>>>>> deleted from IPA.
>>>>>>>>
>>>>>>>> https://fedorahosted.org/freeipa/ticket/3544
>>>>>>>
>>>>>>> I would add a TXT record as I described in
>>>>>>> https://fedorahosted.org/freeipa/ticket/3544#comment:8
>>>>>>>
>>>>>>> This integration probably should go to both commands, realmdomains-*
>>>>>>> and dnszone-*.
>>>>>>>
>>>>>>> Any objections? AB?
>>>>>> Adding a TXT record is probably harmless.
>>>>>>
>>>>>> I would actually add the TXT record creation only to realmdomains-* and
>>>>>> trigger it only in case we manage our DNS and the DNS zone is there.
>>>>>> This way a hook from dnszone-add will trigger adding the TXT record back
>>>>>> (via a call to realmdomains-mod --add and then TXT record addition from
>>>>>> there). Also the fact that the admin manually added some domain to the
>>>>>> realmdomains mapping means that it is implied to be used in obtaining
>>>>>> TGTs, so a TXT record is helpful there as well.
>>>>>
>>>>> Okay, it makes sense. We will see how it will work in reality.
>>>>
>>>> One more thing to check is that we don't do this for our own domain.
>>>>
>>> Our own domain is already in realmdomains by default, and it cannot be
>>> removed from there. So I don't think any check related to our domain is
>>> necessary.
>> We shouldn't start creating TXT records for our own domain, that's what
>> I'm asking for here.
>>
>> Think about the server install stage -- we start creating our own domain and
>> the hook then causes a realmdomains entry to be created for the domain,
>> causing the realmdomains-mod code to raise ValidationError, which is not
>> handled in the dnszone-add code with this patch.
>>
>> Same for TXT record creation starting from the realmdomains-mod side -- it
>> simply should avoid calling dnsrecord-add for the case we know wouldn't
>> work.
>>
>
> I just realized that this ticket was not marked as an RFE although it
> obviously is one. I fixed the ticket summary and wrote the design page for
> this enhancement:
>
> http://www.freeipa.org/page/V3/DNS_realmdomains_integration
>

Right, that was a good thing to do. I just have a comment for the UPN enumeration image which you linked in the RFE - can you please process it, upload it to the wiki and include it in the overview? This will make the RFE page more appealing and it will also prevent us from having a broken link when Alexander removes the file from his temporary directory.

Thanks,
Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel