On 03/01/2017 03:42 PM, Simo Sorce wrote:
On Tue, 2017-02-28 at 13:29 +0100, Martin Babinsky wrote:
I have put together a draft of design page describing server-side
implementation of user short name -> fully-qualified name resolution.
In the end I have taken the liberty to change a few aspects of the
design we have agreed on before and I will be grad if we can discuss
Me and Honza have discussed the object that should hold the domain
resolution order and given the fact that IPA domain can also be a part
of this list, we have decided that this information is no longer bound
to trust configuration and should be a part of the global config instead.
Also we have purposefully cut down the API only to a raw manipulation of
the attribute using an option of `ipa config-mod`. The reasons for this
* the developer resources are quite scarce and it may be good to
follow YAGNI principle to implement the dumbest API now and not to
invest into more high-level interface unless there is a demand for it
* we can imagine that the manipulation of the domain resolution order
is a rare operation (ideally only once all trusts are established), so I
am not convinced that it is worth investing into designing higher-level API
I propose we first develop the "dumber" parts first to unblock the SSSD
part. If we have spare cycle afterwards then we can design and implement
more bells-and-whistles afterwards.
Thank you Martin,
this is a good initial proposal.
I have a few issues with this design:
- It conflates the idea of ordering with the idea of shortening user
I fail to see where the conflation takes place. The ordered list is
stored on the server. The client then uses it to expand short names. I
guess I am just missing something.
- It allows only for one setting for all the machines, no way to treat
different groups of machines differently
Yes it was discussed that the setting will be global. I would implement
local overrides only when there is a demand for the feature given
development time is short.
The first one is probably just a matter of using a more specific name
for the new attribute, or, perhaps not use a new attribute at all but
just use ipaConfigString with an agreed syntax like:
ipaConfigString: Domains Use Short Name List: aaa bbb ccc ddd
The side effect of using ipaConfigString is that we can set this on
older servers too, so people do not have to upgrade their servers to use
this. Old servers will not have any validation, but that is ok, sssd
must be prepared to receive a bad list and deal with it appropriately
No more 'ipaConfigString' attribute values, please. Me and everyone else
fixing e.g. replication issues can relate to the pain of doing CRUD
operations involving them.
If the admin wishes old servers to server new clients this information,
all he has to do is upgrade a single replica, set the attribute value
there and let replication take care of the rest. Yes, the management CLI
will not be available on the old masters but that is the case of new
The second one is something we *may* address later, and use the setting
in cn=ipaConfig as a default, but there are two reasons why I think a
setting applicable to just a host group makes sense:
- it allows to test the setting on a small set of machines to see if
everything works right, this is going to be especially important on
existing setups, where people do not want to risk all machines
misbehaving at once if something goes wrong.
- it allows to migrate machines slowly, in some cases people may need to
change local files/application settings on machines if the usernames
change, so they may need a controlled roll out before changing a setting
This may achieved by adding this setting to an ID View for example, then
only hosts in that IDView would get this. Or a new object could be
created that has members, the former has the advantage of being already
in place and SSSD already downloads that data, the latter allows to
target an even smaller set of hosts unrelated to previous ID views
That is an interesting proposal but I am afraid we may not get to
implement that during 4.5 development. I can certainly mention the
possibility in the design so that we can return to it when a need arises.
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code