On Tue, 11 Jun 2013, Martin Kosek wrote:
2) Is the used ldapsearch really the best way to find out if Trust is
configured on a given master? Isn't a search in cn=masters,cn=ipa,... better?
What would the search in cn=masters,cn=ipa,.. give?
We can have multiple CIFS services per realm. However, only those in
'adtrust agents' group are the ones which are real DCs. And since
membership in the group is not handled via framework or UI, it is a clear
indication that ipa-adtrust-install was run.
It would say if there is an appropriate service configured by
ipa-adtrust-install. In this case,
"cn=ADTRUST,cn=FQDN,cn=masters,cn=ipa,cn=etc,SUFFIX". I am asking because this
is a standard way in FreeIPA to ask for configured services.
If that does not work for Trust, then your alternative way should be OK too.
This would work for making sure that ipa-adtrust-install was run on a
specific server. It will not work for making sure trusts are enabled
but in this case we only need to know that we have configured the host
to be a DC so your approach is fine.
I'm fine to use this approach; somehow it slipped out of my view when we
discussed it with Ana.
/ Alexander Bokovoy
Freeipa-devel mailing list