On 02/12/2013 06:58 PM, Petr Vobornik wrote:
On 02/04/2013 05:23 PM, Tomas Babej wrote:
Hi,

When adding/modifying an ID range for a trusted domain, the newly
added option --dom-name can be used. This looks up the SID of the
trusted domain in LDAP and therefore the user is not required
to write it down in the CLI. If the lookup fails, an error message
asking the user to specify the SID manually is shown.

https://fedorahosted.org/freeipa/ticket/3133

Tomas



Just wondering: How bad would it be to not introduce a new virtual attribute and just use ipanttrusteddomainsid? On add and mod (when ipanttrusteddomainsid is set) we would check if ipanttrusteddomainsid is a SID. If not, it would be treated as a domain name and the get_trusted_domain_sid_from_name method would be used to get the SID.

I'm asking because I don't really like virtual and standard attributes for the same LDAP attribute in a mod command. In the Web UI details page we have to display only one field - ipanttrusteddomainsid.

So we are left with options:
  1) do not use this feature for mod operations in Web UI
  2) enter domain name in ipanttrusteddomainsid field, implement the aforementioned check in Web UI and fill the correct option in RPC request
  3) add special action into action list which will open new dialog, user will enter domain name, mod command with ipanttrusteddomainname set will be executed on confirmation
  4) some other method

I don't really like any of the options. If a SID check is an easy operation, we can go with #2, but I would still rather see this logic in the server plugin.

Just for the record, after a short discussion with Petr we decided to keep the virtual attribute ipatrustedomainname as it is. The idea of having ipatrusteddomainsid do two different things seems rather confusing, and in the end would probably be less user-friendly. In the WebUI, the user should be able to enter the SID using either the domain name or the domain SID. The proposal is that the user would be able to either modify the domain SID or enter the domain name (and therefore modify the SID).

Tomas
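
The SID check and the two-option resolution discussed in this thread, as an added sketch that is not FreeIPA code or part of the original messages. The function names, the `lookup` callable standing in for the LDAP lookup, and the sample domain and SID are all assumptions made for illustration.

```python
import re

# Textual SID: S-1-<identifier authority>-<sub-authority>[-<sub-authority>...]
_SID_RE = re.compile(r"S-1-(0x[0-9A-Fa-f]{1,12}|\d{1,15})((?:-\d{1,10}){1,15})")


def is_sid(value):
    """Return True if value is a syntactically valid revision-1 SID string."""
    m = _SID_RE.fullmatch(value)  # fullmatch also rejects a trailing newline
    if m is None:
        return False
    auth = m.group(1)
    authority = int(auth, 16) if auth.startswith("0x") else int(auth, 10)
    subauths = [int(s) for s in m.group(2).split("-")[1:]]
    # Identifier authority is 48 bits wide, each sub-authority 32 bits.
    return authority < 2**48 and all(s < 2**32 for s in subauths)


def is_domain_sid(value):
    """Domain SIDs have the form S-1-5-21-X-Y-Z (no trailing RID)."""
    return (is_sid(value) and value.startswith("S-1-5-21-")
            and len(value.split("-")) == 7)


def resolve_range_sid(sid=None, dom_name=None, lookup=None):
    """Return the domain SID from exactly one of: a SID or a domain name.

    lookup is a hypothetical callable (name -> SID or None) standing in
    for the server-side LDAP lookup of the trusted domain.
    """
    if (sid is None) == (dom_name is None):
        raise ValueError("specify exactly one of domain SID or domain name")
    if sid is not None:
        if not is_domain_sid(sid):
            raise ValueError("not a valid domain SID: %r" % sid)
        return sid
    found = lookup(dom_name.lower()) if lookup else None
    # Validate the looked-up value too instead of trusting stored data.
    if found is None or not is_domain_sid(found):
        raise ValueError(
            "SID for domain %r not found, specify the SID manually" % dom_name)
    return found


# Constructed sample data, not taken from a real deployment.
TRUSTED = {"ad.example.test": "S-1-5-21-1111111111-2222222222-3333333333"}
```

Keeping the SID and the domain name as separate inputs means a malformed SID is rejected outright rather than silently reinterpreted as a domain name.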
