On 9/25/2014 2:25 AM, Alexander Bokovoy wrote:
On Wed, 24 Sep 2014, Endi Sukma Dewata wrote:
4. If I understand correctly the description field for the User ID
Overrides and Group ID Overrides should be optional too because it's
also used to optionally override the description attribute of the
original entry.

No, this is the description of the override itself. We don't want to
override original description field, if any, we want to provide a way to
document why this override was done.

In that case the 'description' probably should have been a MUST.

objectClasses: (2.16.840.1.113730.3.8.12.30 NAME 'ipaOverrideAnchor' SUP top STRUCTURAL MUST ( ipaAnchorUUID ) MAY ( description ) X-ORIGIN 'IPA v4' )

BTW, the LDAP schema in the wiki page is outdated:
http://www.freeipa.org/page/V4/Migrating_existing_environments_to_Trust

6. Can multiple ID views be applied to the same host? Does the order
matter? If so, how would the UI manage the order?

No. Single ID view per host. The scheme is actually a bit more complex:
- IPA users: data from the main tree is overridden with data from a
   host-specific ID view
- AD users: data from AD is overridden by data from a default trust
   view, which is then overridden by data from a host-specific ID view

OK, right now if I apply an ID view to a host that already uses another ID view, the host will be removed silently from the other ID view. Should the operation fail/provide a warning if the host already uses another ID view?

7. Related to #6, there probably should be a tab in the Host details
page showing which ID views apply to it.

There is only a single view and yes, it would be good to add a property
there, linking it to the ID view tab, if possible.

I think that field should be editable as well so you can select the ID view from Host details page.

9. This probably requires server support. In the "Apply to hosts"
association dialog, if a host is already added it will still appear in
the dialog box. As a comparison, a User that has been added into a
User Group will not appear in the association dialog anymore.

Could be trivially filtered out on Web UI side.

It may not be possible if the list of hosts is paged. The UI will not get the full list of hosts, so it won't be able to filter out hosts that are already added but not currently displayed. I'm not sure how important this is, but we did this for some other pages.

Since #4 is not a UI issue, patch #754 is ACKed. Other issues can be addressed later.

--
Endi S. Dewata
