Dne 19.5.2015 v 15:22 Tomas Babej napsal(a):



On 05/14/2015 11:48 AM, Jan Cholasta wrote:
Hi,

Dne 14.5.2015 v 11:00 Tomas Babej napsal(a):
Hi,

this patch implements the domain level feature.

https://fedorahosted.org/freeipa/ticket/5018

Tomas

1)

+# Create entry proclaiming Domain Level support of this master
+# This will update the supported Domain Levels during upgrade
+dn: cn=Domain Level support,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
+default: objectClass: top
+default: objectClass: nsContainer
+default: objectClass: ipaConfigObject
+default: objectClass: ipaSupportedDomainLevelConfig
+only: ipaMinDomainLevel: $MIN_DOMAIN_LEVEL
+only: ipaMaxDomainLevel: $MAX_DOMAIN_LEVEL

The design states that supported domain levels should be stored
directly in cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX and I agree with
that - there is no reason to have this information in a separate entry.

I agree, this is an error on my part - I read the design as stored in
entry under cn=$FQDN,cn=masters, not in the entry itself.

Maybe we can also rename ipaSupportedDomainLevelConfig to ipaMaster?




2) I though we agreed to call the command domainlevel-set instead of
domainlevel-raise:
<https://www.redhat.com/archives/freeipa-devel/2015-May/msg00101.html>.

Fixed.



3) Domain level is just a single integer and it should be treated as
such, there's no need for an LDAPObject plugin and other unnecessary
complexities. The implemetation could be as simple as (from top of my
head, untested):

That's right, I also considered this approach, but as far as I know you
do not get the permission handling for the global DomainLevel entry
otherwise.

The proper thing to do in such cases is to add the permissions to NONOBJECT_PERMISSIONS in ipaserver.install.plugins.update_managed_permissions.


Ludwig, I changed the path for the global entry to cn=DomainLevel.

Updated patch attached.

Tomas


--
Jan Cholasta

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to