On Mon, 20 Oct 2014, Tomas Babej wrote:
What about filtering out 'Default Trust View' if no trusts are in place?
This would be a bit problematic for the case when you had trusts and
deleted them and currently have none of them but overrides are in place,
but at least it would be consistent -- you don't see default view and
you are not able to add there anything.

However, it raises another question: if no trusts exist right now but
there are some AD user overrides in any view, how would we display them?
We cannot resolve SIDs to names at this point so overrides will look
ugly anyway. We can use ipaOriginalUid for users but we don't have
anything like that for groups.

I think we should fail in the trust-del if there are any overrides tied
to this particular trust, unless --forced (which should be used only for
recreation of the trust).
I'd love to see a mass-removal tool per trusted domain then. Also,
removing trust does not mean overrides become invalid, only that they
become not editable or visible. They will not be enforced because trust
is not in place anyway.

Currently, we rely on resolving the user/group name to do any operation
on the ID override, so having the trust removed, you'd have to use LDAP
directly to remove the entries.
It should be fine to remove the trust, just that our code should be able
to deal with domain SIDs for mass removal of ID overrides.

/ Alexander Bokovoy

Freeipa-devel mailing list

Reply via email to