On Tue, 2017-02-28 at 13:29 +0100, Martin Babinsky wrote:
> Hello list,
> I have put together a draft of design page describing server-side 
> implementation of user short name -> fully-qualified name resolution.[1]
> In the end I have taken the liberty to change a few aspects of the 
> design we have agreed on before and I will be grad if we can discuss 
> them further.
> Me and Honza have discussed the object that should hold the domain 
> resolution order and given the fact that IPA domain can also be a part 
> of this list, we have decided that this information is no longer bound 
> to trust configuration and should be a part of the global config instead.
> Also we have purposefully cut down the API only to a raw manipulation of 
> the attribute using an option of `ipa config-mod`. The reasons for this 
> are twofold:
>    * the developer resources are quite scarce and it may be good to 
> follow YAGNI[2] principle to implement the dumbest API now and not to 
> invest into more high-level interface unless there is a demand for it
>    * we can imagine that the manipulation of the domain resolution order 
> is a rare operation (ideally only once all trusts are established), so I 
> am not convinced that it is worth investing into designing higher-level API
> I propose we first develop the "dumber" parts first to unblock the SSSD 
> part. If we have spare cycle afterwards then we can design and implement 
> more bells-and-whistles afterwards.
> [1] https://www.freeipa.org/page/V4/AD_User_Short_Names
> [2] https://en.wikipedia.org/wiki/You_aren%27t_gonna_need_it

Thank you Martin,
this is a good initial proposal.

I have a few issues with this design:
- It conflates the idea of ordering with the idea of shortening user
- It allows only for one setting for all the machines, no way to treat
different groups of machines differently

The first one is probably just a matter of using a more specific name
for the new attribute, or, perhaps not use a new attribute at all but
just use ipaConfigString with an agreed syntax like:
ipaConfigString: Domains Use Short Name List: aaa bbb ccc ddd

The side effect of using ipaConfigString is that we can set this on
older servers too, so people do not have to upgrade their servers to use
this. Old servers will not have any validation, but that is ok, sssd
must be prepared to receive a bad list and deal with it appropriately

The second one is something we *may* address later, and use the setting
in cn=ipaConfig as a default, but there are two reasons why I think a
setting applicable to just a host group makes sense:
- it allows to test the setting on a small set of machines to see if
everything works right, this is going to be especially important on
existing setups, where people do not want to risk all machines
misbehaving at once if something goes wrong.
- it allows to migrate machines slowly, in some cases people may need to
change local files/application settings on machines if the usernames
change, so they may need a controlled roll out before changing a setting

This may achieved by adding this setting to an ID View for example, then
only hosts in that IDView would get this. Or a new object could be
created that has members, the former has the advantage of being already
in place and SSSD already downloads that data, the latter allows to
target an even smaller set of hosts unrelated to previous ID views


Simo Sorce * Red Hat, Inc * New York

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to