On Tue, May 28, 2013 at 03:11:20PM -0400, Dmitri Pal wrote:
On 05/28/2013 07:20 AM, Sumit Bose wrote:
> Hi,
>
> I have created a design page for one of the next major features of SSSD
> at https://fedorahosted.org/sssd/wiki/DesignDocs/IPAServerMode . The
> basic idea is that if SSSD is running on a FreeIPA server it should help
> the FreeIPA server to look up users and groups from trusted domains.
>
> For your convenience the content can be found below as well.
>
> Comments and suggestions are welcome.
>
> bye,
> Sumit
>
...
The ipa_server_mode should be IMO a bit more sophisticated.
It should not do anything until it sees that IPA participates in any
trust relationship with AD. AFAIU there are ways on the SSSD side to
detect that there is a trust added on IPA side.
So the logic should be something like:

if ipa_server_mode = false then we are on a client, no change
else
    if we already detected that there is at least one trusted domain
        continue with the logic described above
    else
        when there is a request for the user check if any trusts are available
            if they are, set the flag that the trusts are detected and execute the logic
            else behave as if ipa_server_mode is false

This is basically already the case because the nss provider will only forward
requests for known trusted domains.
Nevertheless I think you raised a good point for the enumeration task. I
just thought that after startup it regularly looks if there are trusted
domains. But it would be better if it stops if it cannot find any and
will be restarted as soon as trusted domains are discovered.
bye,
Sumit
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
_______________________________________________
sssd-devel mailing list
sssd-devel(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel