On 07/07/2016 11:13 AM, Sumit Bose wrote:
On Fri, May 27, 2016 at 11:24:24AM +0300, Alexander Bokovoy wrote:
On Fri, 27 May 2016, Sumit Bose wrote:
On Fri, May 27, 2016 at 09:57:37AM +0200, Lenka Doudova wrote:
Hi all,


here [1] is a draft of test plan for V4 RFE Support of UPN for trusted
domains.

Please review this and let me know if there's something missing or wrong.
Hi Lenka,

thank you for the test plan.

About the TBD, Alexander and I agreed to store the alternative domain
suffixes read from AD in a new attribute in the LDAP object of the
forest root of the trusted domain.

About the kinit tests. Please note that it is expected that the -E
option of kinit must be used when alternative suffixes are used.

I'm not sure if SSSD tests are in the scope here as well. If they are I
would suggest to add authentication tests with SSSD where e.g. the name
with an alternative domain suffix is used as login name. This in general
already works with SSSD but is disabled by default for IPA because of
the missing server-side support so far. Since SSSD must be able to work
with old and new IPA server https://fedorahosted.org/sssd/ticket/3018
was created so that SSSD can detect at runtime if the server supports
this or not.
Right, I think we should make sure SSSD is tested against IPA UPN
support because otherwise we might get regressions.
Hi Lenka,

I would like to ask you to add test where 'kinit -E' is used with an IPA
user as well to avoid regression, because currently 'kinit -E
ipauser@IPA.DOMAIN' does not work.

Please note that the full principal must be used with kinit in this case
because when just using

     kinit -E ipauser

kinit is smart enough to see that it makes no sense to add the
default_realm twice and internally just does 'kinit ipauser@IPA.DOMAIN'.

If you think this test is better suited in a different test plan please
let me know, then I'll ask there.

bye,
Sumit
Hi Sumit,

this test should be covered in basic trust test suite, but I think it's not in the code of the test (I was busy with providing coverage for new features and didn't manage to go through old coverage). I'll check this and update ASAP.

Thanks for catching it!
Lenka


--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to