On ke, 01 maalis 2017, David Kupka wrote:
On Tue, Feb 28, 2017 at 02:48:02PM +0200, Alexander Bokovoy wrote:
On ti, 28 helmi 2017, Martin Babinsky wrote:
> Hello list,
> I have put together a draft of design page describing server-side
> implementation of user short name -> fully-qualified name resolution.
> In the end I have taken the liberty to change a few aspects of the
> design we have agreed on before and I will be grad if we can discuss
> them further.
> Me and Honza have discussed the object that should hold the domain
> resolution order and given the fact that IPA domain can also be a part
> of this list, we have decided that this information is no longer bound
> to trust configuration and should be a part of the global config
> Also we have purposefully cut down the API only to a raw manipulation of
> the attribute using an option of `ipa config-mod`. The reasons for this
> are twofold:
> * the developer resources are quite scarce and it may be good to follow
> YAGNI principle to implement the dumbest API now and not to invest
> into more high-level interface unless there is a demand for it
> * we can imagine that the manipulation of the domain resolution order
> is a rare operation (ideally only once all trusts are established), so I
> am not convinced that it is worth investing into designing higher-level
> I propose we first develop the "dumber" parts first to unblock the SSSD
> part. If we have spare cycle afterwards then we can design and implement
> more bells-and-whistles afterwards.
Looks mostly OK, but there are few comments I have:
- I do not see you mention how validation of the
ipaDomainResolutionOrder is done. This is important to avoid hard to
debug issues because SSSD will ignore domains it doesn't know about.
- Space separator initially caused me to look up DNS RFCs as strictly
speaking domain names can contain any 8-bit octet (while host names
should follow LDH rule). But then  does explicitly say space is not
allowed in AD domain names.
- "If ipaDomainResolutionOrder is empty then *all* users must use fully
qualified names." This is not correct with regards to the current
behavior. I think we should change this to "if
ipaDomainResolutionOrder is empty, then standard SSSD configuration
logic applies on each client." This would make current behavior
compatible with either empty or ipaDomainResolutionOrder value of
a single IPA domain name.
Would it make sense to add ipaDomainResolutionOrder attribute during upgrade
with the FreeIPA domain and have the behavior as proposed? That would ensure
that users will be resolved the same way as before unless someone changes the
I'm not sure it changes anything. Newer SSSD still needs to handle cases when
talking to servers which has no ipaDomainResolutionOrder attribute so
they would treat missing attribute the same way which means we don't
need to handle upgrade here.
/ Alexander Bokovoy
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code