Replying to one part only:
On 10/21/2013 04:50 PM, Tomas Babej wrote:
On 10/16/2013 03:44 PM, Petr Viktorin wrote:
I still think it would be simpler if IPA and AD domains shared the
numbering namespace (users would need to define $AD_env2; if they had
$MASTER_env1 and $AD_env1 they would be in the same Domain).
But if we use _env1 for both the AD and the IPA domain, they need to
be separated in Domain.from_env. With patch 0101 both MASTER_env1 and
AD_env1 will be in both domains[0] and ad_domains[0].
I would rather not join IPA and AD domains as they cannot even be in the
same domain, as the service records would clash. So these will
always be separate / sub / super domain relationship.
You're right that they should never share the same domain. But you
should never say never, especially in testing -- what if we'll want to,
in the future, test that the records *do* clash, or that IPA refuses to
install in an AD domain?
Another problem is that they are now separate namespaces. In all code
that deals with domains you have to deal separately with the list of AD
domains and separately with IPA domains. This makes every piece of code
that doesn't care much about what type of domain it's dealing with
(configuration, listing, possible automation scripts for turning on the
VMs, etc.) more complicated.
Also, in this scheme, adding a new type of domain would be quite hard,
especially after more code is written with this split in mind.
Do keep the domain type, though. tl;dr I'd really prefer "domain 1
(IPA); domain 2 (AD)" rather than "IPA domain 1; AD domain 1".
If needed we can have a special check that would reject IPA masters in
AD domains and vice versa, if that really turns out to be necessary.
As we already pass ad_domain flag to Domain.from_env, I did incorporate
code that joins the machines to the domain depending on their role.
Is that a viable solution for you?
Sorry. I think this design is less sustainable than having a shared
namespace for the domains.
--
Petr³
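
The shared numbering scheme argued for above ("domain 1 (IPA); domain 2 (AD)"), together with the optional check that rejects IPA masters in AD domains, as an added example. It is not code from patch 0101 or from the FreeIPA test suite: the function names, the ROLE_TYPES mapping and the sample host names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Assumed mapping of role prefix to domain type; only the MASTER and AD
# prefixes appear in the thread.
ROLE_TYPES = {"MASTER": "IPA", "AD": "AD"}
VAR_RE = re.compile(r"^([A-Z]+)_env(\d+)$")


class Domain:
    """One numbered domain; the type is kept as an attribute, not a namespace."""
    def __init__(self, index, type_, hosts):
        self.index, self.type, self.hosts = index, type_, hosts


def domains_from_env(env):
    """Build a single list of typed domains from ROLE_envN variables."""
    by_index = defaultdict(list)
    for name, value in env.items():
        m = VAR_RE.match(name)
        if not m or m.group(1) not in ROLE_TYPES:
            continue  # unrelated environment variable
        role, index = m.group(1), int(m.group(2))
        by_index[index].extend((role, host) for host in value.split())
    domains = []
    for index in sorted(by_index):
        types = {ROLE_TYPES[role] for role, _ in by_index[index]}
        if len(types) > 1:
            # The "special check": IPA and AD roles under the same _envN.
            raise ValueError(f"domain {index} mixes types {sorted(types)}")
        domains.append(Domain(index, types.pop(), by_index[index]))
    return domains


def hosts_of_type(domains, type_):
    """Type-aware code filters the one list instead of using a second one."""
    return [host for d in domains if d.type == type_ for _, host in d.hosts]


# Constructed sample configuration (host names are made up).
SAMPLE_ENV = {
    "MASTER_env1": "master.ipa.test",
    "AD_env2": "dc1.ad.test dc2.ad.test",
    "PATH": "/usr/bin",
}

if __name__ == "__main__":
    for d in domains_from_env(SAMPLE_ENV):
        print(d.index, d.type, [host for _, host in d.hosts])
```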