----- Original Message -----
> From: "Alexander Bokovoy" <aboko...@redhat.com>
> To: "Sumit Bose" <sb...@redhat.com>
> Cc: freeipa-devel@redhat.com
> Sent: Wednesday, January 15, 2014 7:00:57 PM
> Subject: Re: [Freeipa-devel] [PATCH] 0133 Use standard_list_of_entries for 
> trust-resolve
> 
> On Wed, 15 Jan 2014, Sumit Bose wrote:
> >On Wed, Jan 15, 2014 at 07:24:00PM +0200, Alexander Bokovoy wrote:
> >> On Wed, 15 Jan 2014, Alexander Bokovoy wrote:
> >> >Hi!
> >> >
> >> >When looking into https://fedorahosted.org/freeipa/ticket/4113, I
> >> >decided to use output.standard_list_of_entries instead of a locally
> >> >defined list of entries. This solves the problem with wrong exit code in
> >> >CLI when non-resolvable SID is given, but only for a single SID. If
> >> >multiple SID specified and some of them were not resolved, the exit code
> >> >will still be 0 (success) but truncated flag will be set. This
> >> >corresponds to the framework behavior in other cases.
> >> Thanks to Sumit, here is updated patch because I forgot to run makeapi
> >> ;(
> >>
> >> :)
> >
> >Currently I see:
> >
> >[sbose@ipa18-devel freeipa]$ ipa trust-resolve --sids sdfasdf
> >-------------------------------
> >Resolved 0 security identifiers
> >-------------------------------
> >----------------------------
> >Number of entries returned 0
> >----------------------------
> >[sbose@ipa18-devel freeipa]$ echo $?
> >1
> >
> >Would it be possible to return only one of the summaries to the user?
> >Otherwise the patch works as expected and the output is better than the
> >empty one before.
> May be invert summary and tell how many security identifiers were not
> resolved?

I am personally not convinced this is the right way to fix #4113, for several 
reasons:

1) The output modification will most probably break FreeIPA 3.2.x or FreeIPA 
3.3.x clients who expect different output (the command was introduced in 
https://fedorahosted.org/freeipa/ticket/3302).

2) I do not think this output is really giving better experience for users. 
When I get 0 results, does it mean that SID is wrong? Or it is correct but not 
existent in AD? Or is it correct, existent in AD but SSSD is broken?

Instead of checking $?, I would rather expect appropriate errors to be returned 
- errors.NotFound, errors.ValidationError. Maybe we should return entries for 
all SIDs but instead of filling sid, name and type for each entry, we would 
fill "sid" and "error" with appropriate error. Would that help?

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to