On Thu, 13 Mar 2014, Martin Kosek wrote:
> On 03/13/2014 01:01 PM, Alexander Bokovoy wrote:
>> On Thu, 13 Mar 2014, Martin Kosek wrote:
>>> On 03/13/2014 12:45 PM, Tomas Babej wrote:
>>>> Hi,
>>>>
>>>> Changes the code in the idrange_del method to not only check for
>>>> the root domains that match the SID in the IDRange, but for the
>>>> SIDs of subdomains of trusts as well.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/4247
>>>
>>> This is a very complicated validation procedure IMO. Lots of subcommands, lots of
>>> LDAP searches.
>>>
>>> Why can't we do just one LDAP search with
>>> - base api.env.container_trusts
>>> - scope SUB
>>> - filter (&(objectclass=ipaNTTrustedDomain)(ipanttrusteddomainsid=range_sid))
>>>
>>> When errors.NotFound is raised, we are OK. When it is not raised, we have a
>>> problem.
>>>
>>> Wouldn't it be simpler?
>>
>> No. Please do not do optimization here. It is code that is called very
>> rarely and expressiveness is more important here than optimizing access
>> to a couple of entries in LDAP.
>
> I am not optimizing - I am actually making the validation much simpler. What is
> more simple and straightforward?
>
> A) One ldap.find_entries call
> B) A loop, numerous subcommands and LDAP searches

So far I've been successful in keeping details on how trust objects are
represented in LDAP hidden from the rest of the framework code by
encapsulating it all in trust.py. The change you propose will
make it leak into idrange.py. If we start changing the structure (which
is maintained by the ipasam module, not the framework), we will have more
maintenance problems with the code spread out.
--
/ Alexander Bokovoy
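
The single-search check proposed in the quoted reply, as an added example that is not part of this thread or of FreeIPA's code: it builds the filter from the message with RFC 4515 escaping and uses an in-memory stand-in for the one SUB-scope search. The helper names, DNs, SIDs and the entry layout under the trusts container are constructed assumptions.

```python
import re

# Domain SID shape S-1-5-21-X-Y-Z; rejecting anything else keeps filter
# metacharacters out before escaping is even needed.
SID_RE = re.compile(r"S-1-5-21(-\d{1,10}){3}")

# Constructed sample entries (assumed layout): a trust root, one subdomain
# below it, and one entry outside the trusts container.
TRUSTS_BASE = "cn=trusts,dc=ipa,dc=example"
ENTRIES = [
    {"dn": "cn=ad.example,cn=ad," + TRUSTS_BASE,
     "objectclass": ["ipaNTTrustedDomain"],
     "ipanttrusteddomainsid": ["S-1-5-21-1111-2222-3333"]},
    {"dn": "cn=child.ad.example,cn=ad.example,cn=ad," + TRUSTS_BASE,
     "objectclass": ["ipaNTTrustedDomain"],
     "ipanttrusteddomainsid": ["S-1-5-21-4444-5555-6666"]},
    {"dn": "cn=other,cn=etc,dc=ipa,dc=example",
     "objectclass": ["ipaNTTrustedDomain"],
     "ipanttrusteddomainsid": ["S-1-5-21-4444-5555-6666"]},
]


def escape_filter_value(value):
    """Escape RFC 4515 special characters in an assertion value."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)


def trusted_domain_filter(range_sid):
    """Build the filter from the thread for one range SID."""
    if not SID_RE.fullmatch(range_sid):
        raise ValueError("not a domain SID: %r" % range_sid)
    return "(&(objectclass=ipaNTTrustedDomain)(ipanttrusteddomainsid=%s))" % (
        escape_filter_value(range_sid))


def trusted_domains_with_sid(range_sid, entries=ENTRIES, base=TRUSTS_BASE):
    """Stand-in for one SUB-scope search; an empty list plays errors.NotFound."""
    trusted_domain_filter(range_sid)  # same validation the real filter gets
    hits = []
    for entry in entries:
        dn = entry["dn"].lower()
        in_subtree = dn == base.lower() or dn.endswith("," + base.lower())
        classes = [oc.lower() for oc in entry["objectclass"]]
        if (in_subtree and "ipanttrusteddomain" in classes
                and range_sid in entry["ipanttrusteddomainsid"]):
            hits.append(entry["dn"])
    return hits
```

A non-empty result means the range SID still belongs to a trusted domain or one of its subdomains, which is the case where the range deletion has to be refused.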