I have looked at the testplan[1] and have the following comments:

In general LGTM, but I miss the following test scenarios:

1.) Test principal alias removal, more specifically test that the removal of the alias equivalent to the canonical name triggers an error.

2.) Test that you cannot create an enterprise principal alias whose suffix overlaps with trusted domains UPN[2]. You do not need trust for this, just a domain entry in LDAP, see `test_xmlrpc/test_range_plugin.py` and MockLDAP class for hints.

Basically you should get an error when adding principal alias such as 'user\@trusted.domain.upn@REALM' regardless of the case of 'trusted.domain.upn'.

3.) Test that when adding an alias to an entry lacking 'krbcanonicalname' (e.g. old entry from upgrade), the existing value of 'krbprincipalname' is copied to the attribute.

That is all I can currently think of off the top of my head.

[1] http://www.freeipa.org/page/V4/Kerberos_principal_aliases/Test_Plan
[2] http://www.freeipa.org/page/V4/Support_of_UPN_for_trusted_domains
Martin^3 Babinsky
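
The check that scenario 2 above asks the tests to exercise, sketched as an added example; it is not FreeIPA code and not part of the original message. The function names and the sample suffix list are hypothetical, and treating "overlap" as an exact case-insensitive match on the suffix is an assumption.

```python
import re


class AliasError(ValueError):
    """Raised when a principal alias must be rejected (hypothetical name)."""


# '@' not preceded by a backslash separates the name from the realm.
# Simplification: an escaped backslash before '@' is not handled.
_UNESCAPED_AT = re.compile(r'(?<!\\)@')


def enterprise_suffix(alias):
    """Return the UPN suffix of an enterprise-style alias, else None."""
    parts = _UNESCAPED_AT.split(alias)
    if len(parts) > 2 or not parts[0]:
        raise AliasError("malformed principal: %r" % alias)
    name = parts[0]
    if '\\@' not in name:
        return None  # ordinary principal such as user@REALM
    # The suffix is whatever follows the last escaped '@' in the name part.
    return name.rsplit('\\@', 1)[1]


def check_alias(alias, trusted_upn_suffixes):
    """Raise AliasError if the alias suffix matches a trusted domain's
    UPN suffix, regardless of case."""
    suffix = enterprise_suffix(alias)
    if suffix is None:
        return
    trusted = {s.casefold() for s in trusted_upn_suffixes}
    if suffix.casefold() in trusted:
        raise AliasError("alias suffix %r overlaps a trusted domain UPN suffix"
                         % suffix)


def is_rejected(alias, trusted_upn_suffixes):
    """Convenience wrapper for tests: True when the alias is refused."""
    try:
        check_alias(alias, trusted_upn_suffixes)
    except AliasError:
        return True
    return False


# Constructed sample data standing in for a trusted domain entry in LDAP.
SAMPLE_TRUSTED_SUFFIXES = ["trusted.domain.upn"]
```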
