On 10/22/2013 02:15 PM, Tomas Babej wrote:
On 10/22/2013 12:27 PM, Tomas Babej wrote:
On 10/22/2013 10:37 AM, Petr Viktorin wrote:
Replying to one part only:
On 10/21/2013 04:50 PM, Tomas Babej wrote:
On 10/16/2013 03:44 PM, Petr Viktorin wrote:
I still think it would be simpler if IPA and AD domains shared the
numbering namespace (users would need to define $AD_env2; if they had
$MASTER_env1 and $AD_env1 they would be in the same Domain).
But if we use _env1 for both the AD and the IPA domain, they need to
be separated in Domain.from_env. With patch 0101 both MASTER_env1 and
AD_env1 will be in both domains[0] and ad_domains[0].
I would rather not join IPA and AD domains as they even cannot be
in the
same domain, as the service records would clash. So these will
always be separate / sub / super domain relationship.
You're right that they should never share the same domain. But you
should never say never, especially in testing -- what if we'll want
to, in the future, test that the records *do* clash, or that IPA
refuses to install in an AD domain?
You could still set AD_env1 and MASTER_env1 to have the same domain.
Another problem is that they are now separate namespaces. In all
code that deals with domains you have to deal separately with the
list of AD domains and separately with IPA domains. This makes every
piece of code that doesn't care much about what type of domain it's
dealing with (configuration, listing, possible automation scripts
for turning on the VMs, etc.) more complicated.
Also, in this scheme, adding a new type of domain would be quite
hard, especially after more code is written with this split in mind.
Do keep the domain type, though. tl;dr I'd really prefer "domain 1
(IPA); domain 2 (AD)" rather than "IPA domain 1; AD domain 1".
This will, however, require filtering the domains depending on the
fact whether they contain AD or not. If a testcase wants to access an
AD domain, it will still need to loop over the list of domains to see
which ones are of AD type.
Any code that does not care what domain type it's dealing with, can
easily access all the domains by chaining the respective iterables.
We could have a wrapper in the Config class for that, along the lines
of get_all_domains().
So what I see here is that we're trading one complexity over another.
I think we can agree on your approach since it hides the complexity
from the user, especially in the ipa-test-config, which I admit is
getting rather ugly, as we need to introduce new option there and
that causes splitting.
If needed we can have a special check that would reject IPA masters
in AD domains and vice versa, if that really turns out to be necessary.
With this check we should be fine.
As we already pass ad_domain flag to Domain.from_env, I did
incorporate
code that joins the machines to the domain depending on the their
role.
Is that a viable solution for you?
Sorry. I think this design is less sustainable than having a shared
namespace for the domains.
I'll send revised patchset soon.
Updated patchset attached.
_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
Attaching the patch 100 I missed.
--
Tomas Babej
Associate Software Engeneer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org
From 6f2dc306542540f0db1c27f4efc301574bfdcf60 Mon Sep 17 00:00:00 2001
From: Tomas Babej <[email protected]>
Date: Wed, 4 Sep 2013 14:12:28 +0200
Subject: [PATCH 100/107] ipatests: Add Active Directory support to
configuration
Part of: https://fedorahosted.org/freeipa/ticket/3834
---
ipatests/man/ipa-test-config.1 | 20 +++++++++++++++++++-
ipatests/test_integration/config.py | 30 ++++++++++++++++++++++++++++--
2 files changed, 47 insertions(+), 3 deletions(-)
diff --git a/ipatests/man/ipa-test-config.1 b/ipatests/man/ipa-test-config.1
index 4b998adb4f65265f4b0cfc49cac2979740562db5..a2fa96b57129b5adad3c15cfe7e97b8a6c9724d0 100644
--- a/ipatests/man/ipa-test-config.1
+++ b/ipatests/man/ipa-test-config.1
@@ -69,6 +69,11 @@ These are normally included for backwards compatibility.
.SH "ENVIRONMENT VARIABLES"
.TP
+Domain configuration:
+ Domain is implicitly defined by _envX suffix of the environment variables,
+ if either AD_envX or MASTER_envX is defined.
+
+.TP
Host configuration:
.TP
@@ -81,9 +86,14 @@ Host configuration:
\fB$CLIENT\fR
FQDNs of IPA clients (space-separated)
.TP
-\fB$MASTER_env2\fR, \fB$REPLICA_env2\fR, \fB$CLIENT_env2\fR, \fB$MASTER_env3\fR, ...
+\fB$MASTER_env2\fR, \fB$REPLICA_env2\fR, \fB$CLIENT_env2\fR, \fB$MASTER_env3\fR, \fB$AD_env4\fR,...
can be used for additional domains when needed
.TP
+\fB$AD_env1\fR, \fB$AD_env2\fR, \fB$AD_env3\fR, \fB$AD_env4\fR, ...
+ can be used to define Active Directory domains. Please note that these
+ domains are not separate from the IPA domains, so please use an unique
+ environment suffix for each of your Active Directory domains.
+.TP
\fB$BEAKER\fR<role><num>\fB_IP_env\fR<e>, e.g. \fB$BEAKERREPLICA1_IP_env1\fR
the IP address of the given host
Default: resolved via gethostbyname (or DNS if $IPv6SETUP is set)
@@ -139,6 +149,14 @@ Test customization:
Admin user password
Default: Secret123
.TP
+\fB$ADADMINID\fR
+ Active Directory Administrator username
+ Default: Administrator
+.TP
+\fB$ADADMINPW\fR
+ Active Directory Administrator password
+ Default: Secret123
+.TP
\fB$ROOTDN\fR
Directory manager DN
Default: cn=Directory Manager
diff --git a/ipatests/test_integration/config.py b/ipatests/test_integration/config.py
index d43812c514bf1c9d23740e6f75cc3574235e86d3..ae271e575ba1cb727b10cbb508a15b73a53e3a88 100644
--- a/ipatests/test_integration/config.py
+++ b/ipatests/test_integration/config.py
@@ -1,5 +1,6 @@
# Authors:
# Petr Viktorin <[email protected]>
+# Tomas Babej <[email protected]>
#
# Copyright (C) 2013 Red Hat
# see file 'COPYING' for use and warranty information
@@ -50,12 +51,18 @@ class Config(object):
self.nis_domain = kwargs.get('nis_domain') or 'ipatest'
self.ntp_server = kwargs.get('ntp_server') or (
'%s.pool.ntp.org' % random.randint(0, 3))
+ self.ad_admin_name = kwargs.get('ad_admin_name') or 'Administrator'
+ self.ad_admin_password = kwargs.get('ad_admin_password') or 'Secret123'
if not self.root_password and not self.root_ssh_key_filename:
self.root_ssh_key_filename = '~/.ssh/id_rsa'
self.domains = []
+ @property
+ def ad_domains(self):
+ return filter(lambda d: d.type == 'AD', self.domains)
+
@classmethod
def from_env(cls, env):
"""Create a test config from environment variables
@@ -76,6 +83,8 @@ class Config(object):
ADMINPW: Administrator password
ROOTDN: Directory Manager DN
ROOTDNPWD: Directory Manager password
+ ADADMINID: Active Directory Administrator username
+ ADADMINPW: Active Directory Administrator password
DNSFORWARD: DNS forwarder
NISDOMAIN
NTPSERVER
@@ -83,6 +92,7 @@ class Config(object):
MASTER_env1: FQDN of the master
REPLICA_env1: space-separated FQDNs of the replicas
CLIENT_env1: space-separated FQDNs of the clients
+ AD_env1: space-separated FQDNs of the Active Directories
OTHER_env1: space-separated FQDNs of other hosts
(same for _env2, _env3, etc)
BEAKERREPLICA1_IP_env1: IP address of replica 1 in env 1
@@ -104,11 +114,23 @@ class Config(object):
dns_forwarder=env.get('DNSFORWARD'),
nis_domain=env.get('NISDOMAIN'),
ntp_server=env.get('NTPSERVER'),
+ ad_admin_name=env.get('ADADMINID'),
+ ad_admin_password=env.get('ADADMINPW'),
)
+ # Either IPA master or AD can define a domain
+
domain_index = 1
- while env.get('MASTER_env%s' % domain_index):
- self.domains.append(Domain.from_env(env, self, domain_index))
+ while (env.get('MASTER_env%s' % domain_index) or
+ env.get('AD_env%s' % domain_index)):
+
+ if env.get('MASTER_env%s' % domain_index):
+ # IPA domain takes precedence to AD domain in case of conflict
+ self.domains.append(Domain.from_env(env, self, domain_index,
+ domain_type='IPA'))
+ else:
+ self.domains.append(Domain.from_env(env, self, domain_index,
+ domain_type='AD'))
domain_index += 1
return self
@@ -133,6 +155,9 @@ class Config(object):
env['ROOTDN'] = str(self.dirman_dn)
env['ROOTDNPWD'] = self.dirman_password
+ env['ADADMINID'] = self.ad_admin_name
+ env['ADADMINPW'] = self.ad_admin_password
+
env['DNSFORWARD'] = self.dns_forwarder
env['NISDOMAIN'] = self.nis_domain
env['NTPSERVER'] = self.ntp_server
@@ -145,6 +170,7 @@ class Config(object):
for role, hosts in [('MASTER', domain.masters),
('REPLICA', domain.replicas),
('CLIENT', domain.clients),
+ ('AD', domain.ads),
('OTHER', domain.other_hosts)]:
hostnames = ' '.join(h.hostname for h in hosts)
env['%s%s' % (role, domain._env)] = hostnames
--
1.8.3.1
_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
