On 22.10.2015 16:13, Martin Basti wrote:
> On 22.10.2015 10:44, Martin Babinsky wrote:
>> https://fedorahosted.org/freeipa/ticket/5181
>>
>>
>>
> 
> Thank you for the patch.
> 
> 1)
> +OPTIONAL_SERVICES = {
> +    'DNS',
> +    'CA',
> +    'KRA',
> +    'ADTRUST',
> +    'EXTID',
> +    'DNSKeyExporter',
> +    'DNSSEC',
> +    'DNSKeySync',
> +}
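Review bot: The `OPTIONAL_SERVICES` set literal is mutable module-level state and has no comment saying where these service names come from or what has to be updated when a service is added. Consider making it a `frozenset` and adding a one-line comment naming the source of the names. Since the entries mix casing ('DNS' next to 'DNSKeyExporter'), also state whether they are matched case-sensitively.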
> 
> This did not scale well, maybe we should improve it to use some general
> solution for the whole IPA to distinguish mandatory and optional services, but I do
> not know how (or if it is possible)

Personally I would not create 'generic' solution until necessary. We have too
much 'generic' code which was never tested outside the single use-case we
have. Let's generalize it when needed.


> 2)
> +        search_filter=('(&(objectclass=ipaConfigObject)'
> +                       '(ipaConfigString=enabledService))')
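Review bot: The hard-coded filter passed as `search_filter=` depends on read access to `ipaConfigString`, which the comment below this hunk says ordinary users do not have, and the hunk does not document that. Add a comment or docstring stating that the result is limited to what the bind identity is allowed to read, so that an empty result is not taken to mean that no service is enabled.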
> 
> A common user cannot read ipaConfigString, so this will work only for admins, I
> do not see any limitations of access in code for other users.

I think that this is okay. The user will see exactly what LDAP ACI allows him
to see, i.e. nothing. We do the same with DNS, for example.


4) Could you extend ipa server-find with an option to search for servers with
a particular optional service? I think that it would be handy to do something 
like
$ ipa server-find --service=CA
to see a list of CA servers.

Thank you!

-- 
Petr^2 Spacek
