Discussion:
[Freeipa-devel] Please review: V4/AD user short names design draft
Martin Babinsky
2017-02-28 12:29:50 UTC
Permalink
Hello list,

I have put together a draft of design page describing server-side
implementation of user short name -> fully-qualified name resolution.[1]

In the end I have taken the liberty to change a few aspects of the
design we have agreed on before and I will be grad if we can discuss
them further.

Me and Honza have discussed the object that should hold the domain
resolution order and given the fact that IPA domain can also be a part
of this list, we have decided that this information is no longer bound
to trust configuration and should be a part of the global config instead.

Also we have purposefully cut down the API only to a raw manipulation of
the attribute using an option of `ipa config-mod`. The reasons for this
are twofold:

* the developer resources are quite scarce and it may be good to
follow YAGNI[2] principle to implement the dumbest API now and not to
invest into more high-level interface unless there is a demand for it

* we can imagine that the manipulation of the domain resolution order
is a rare operation (ideally only once all trusts are established), so I
am not convinced that it is worth investing into designing higher-level API

I propose we first develop the "dumber" parts first to unblock the SSSD
part. If we have spare cycle afterwards then we can design and implement
more bells-and-whistles afterwards.

[1] https://www.freeipa.org/page/V4/AD_User_Short_Names
[2] https://en.wikipedia.org/wiki/You_aren%27t_gonna_need_it
--
Martin^3 Babinsky
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Alexander Bokovoy
2017-02-28 12:48:02 UTC
Permalink
Post by Martin Babinsky
Hello list,
I have put together a draft of design page describing server-side
implementation of user short name -> fully-qualified name
resolution.[1]
In the end I have taken the liberty to change a few aspects of the
design we have agreed on before and I will be grad if we can discuss
them further.
Me and Honza have discussed the object that should hold the domain
resolution order and given the fact that IPA domain can also be a part
of this list, we have decided that this information is no longer bound
to trust configuration and should be a part of the global config instead.
Also we have purposefully cut down the API only to a raw manipulation
of the attribute using an option of `ipa config-mod`. The reasons for
* the developer resources are quite scarce and it may be good to
follow YAGNI[2] principle to implement the dumbest API now and not to
invest into more high-level interface unless there is a demand for it
* we can imagine that the manipulation of the domain resolution
order is a rare operation (ideally only once all trusts are
established), so I am not convinced that it is worth investing into
designing higher-level API
I propose we first develop the "dumber" parts first to unblock the
SSSD part. If we have spare cycle afterwards then we can design and
implement more bells-and-whistles afterwards.
Looks mostly OK, but there are few comments I have:

- I do not see you mention how validation of the
ipaDomainResolutionOrder is done. This is important to avoid hard to
debug issues because SSSD will ignore domains it doesn't know about.

- Space separator initially caused me to look up DNS RFCs as strictly
speaking domain names can contain any 8-bit octet (while host names
should follow LDH rule). But then [1] does explicitly say space is not
allowed in AD domain names.

- "If ipaDomainResolutionOrder is empty then *all* users must use fully
qualified names." This is not correct with regards to the current
behavior. I think we should change this to "if
ipaDomainResolutionOrder is empty, then standard SSSD configuration
logic applies on each client." This would make current behavior
compatible with either empty or ipaDomainResolutionOrder value of
a single IPA domain name.

- There are typos in the page.

[1] https://support.microsoft.com/en-us/help/909264/naming-conventions-in-active-directory-for-computers,-domains,-sites,-and-ous
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
David Kupka
2017-03-01 08:53:39 UTC
Permalink
Post by Alexander Bokovoy
Post by Martin Babinsky
Hello list,
I have put together a draft of design page describing server-side
implementation of user short name -> fully-qualified name resolution.[1]
In the end I have taken the liberty to change a few aspects of the
design we have agreed on before and I will be grad if we can discuss
them further.
Me and Honza have discussed the object that should hold the domain
resolution order and given the fact that IPA domain can also be a part
of this list, we have decided that this information is no longer bound
to trust configuration and should be a part of the global config instead.
Also we have purposefully cut down the API only to a raw manipulation of
the attribute using an option of `ipa config-mod`. The reasons for this
* the developer resources are quite scarce and it may be good to follow
YAGNI[2] principle to implement the dumbest API now and not to invest
into more high-level interface unless there is a demand for it
* we can imagine that the manipulation of the domain resolution order
is a rare operation (ideally only once all trusts are established), so I
am not convinced that it is worth investing into designing higher-level API
I propose we first develop the "dumber" parts first to unblock the SSSD
part. If we have spare cycle afterwards then we can design and implement
more bells-and-whistles afterwards.
- I do not see you mention how validation of the
ipaDomainResolutionOrder is done. This is important to avoid hard to
debug issues because SSSD will ignore domains it doesn't know about.
- Space separator initially caused me to look up DNS RFCs as strictly
speaking domain names can contain any 8-bit octet (while host names
should follow LDH rule). But then [1] does explicitly say space is not
allowed in AD domain names.
- "If ipaDomainResolutionOrder is empty then *all* users must use fully
qualified names." This is not correct with regards to the current
behavior. I think we should change this to "if
ipaDomainResolutionOrder is empty, then standard SSSD configuration
logic applies on each client." This would make current behavior
compatible with either empty or ipaDomainResolutionOrder value of
a single IPA domain name.
Would it make sense to add ipaDomainResolutionOrder attribute during upgrade
with the FreeIPA domain and have the behavior as proposed? That would ensure
that users will be resolved the same way as before unless someone changes the
attribute.
Post by Alexander Bokovoy
- There are typos in the page.
[1] https://support.microsoft.com/en-us/help/909264/naming-conventions-in-active-directory-for-computers,-domains,-sites,-and-ous
--
/ Alexander Bokovoy
--
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
--
David Kupka
Alexander Bokovoy
2017-03-01 08:57:18 UTC
Permalink
Post by David Kupka
Post by Alexander Bokovoy
Post by Martin Babinsky
Hello list,
I have put together a draft of design page describing server-side
implementation of user short name -> fully-qualified name resolution.[1]
In the end I have taken the liberty to change a few aspects of the
design we have agreed on before and I will be grad if we can discuss
them further.
Me and Honza have discussed the object that should hold the domain
resolution order and given the fact that IPA domain can also be a part
of this list, we have decided that this information is no longer bound
to trust configuration and should be a part of the global config instead.
Also we have purposefully cut down the API only to a raw manipulation of
the attribute using an option of `ipa config-mod`. The reasons for this
* the developer resources are quite scarce and it may be good to follow
YAGNI[2] principle to implement the dumbest API now and not to invest
into more high-level interface unless there is a demand for it
* we can imagine that the manipulation of the domain resolution order
is a rare operation (ideally only once all trusts are established), so I
am not convinced that it is worth investing into designing higher-level API
I propose we first develop the "dumber" parts first to unblock the SSSD
part. If we have spare cycle afterwards then we can design and implement
more bells-and-whistles afterwards.
- I do not see you mention how validation of the
ipaDomainResolutionOrder is done. This is important to avoid hard to
debug issues because SSSD will ignore domains it doesn't know about.
- Space separator initially caused me to look up DNS RFCs as strictly
speaking domain names can contain any 8-bit octet (while host names
should follow LDH rule). But then [1] does explicitly say space is not
allowed in AD domain names.
- "If ipaDomainResolutionOrder is empty then *all* users must use fully
qualified names." This is not correct with regards to the current
behavior. I think we should change this to "if
ipaDomainResolutionOrder is empty, then standard SSSD configuration
logic applies on each client." This would make current behavior
compatible with either empty or ipaDomainResolutionOrder value of
a single IPA domain name.
Would it make sense to add ipaDomainResolutionOrder attribute during upgrade
with the FreeIPA domain and have the behavior as proposed? That would ensure
that users will be resolved the same way as before unless someone changes the
attribute.
I'm not sure it changes anything. Newer SSSD still needs to handle cases when
talking to servers which has no ipaDomainResolutionOrder attribute so
they would treat missing attribute the same way which means we don't
need to handle upgrade here.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Martin Babinsky
2017-03-01 12:39:04 UTC
Permalink
Alexander,
Post by Alexander Bokovoy
Post by Martin Babinsky
Hello list,
I have put together a draft of design page describing server-side
implementation of user short name -> fully-qualified name resolution.[1]
In the end I have taken the liberty to change a few aspects of the
design we have agreed on before and I will be grad if we can discuss
them further.
Me and Honza have discussed the object that should hold the domain
resolution order and given the fact that IPA domain can also be a part
of this list, we have decided that this information is no longer bound
to trust configuration and should be a part of the global config instead.
Also we have purposefully cut down the API only to a raw manipulation
of the attribute using an option of `ipa config-mod`. The reasons for
* the developer resources are quite scarce and it may be good to
follow YAGNI[2] principle to implement the dumbest API now and not to
invest into more high-level interface unless there is a demand for it
* we can imagine that the manipulation of the domain resolution order
is a rare operation (ideally only once all trusts are established), so
I am not convinced that it is worth investing into designing
higher-level API
I propose we first develop the "dumber" parts first to unblock the
SSSD part. If we have spare cycle afterwards then we can design and
implement more bells-and-whistles afterwards.
- I do not see you mention how validation of the
ipaDomainResolutionOrder is done. This is important to avoid hard to
debug issues because SSSD will ignore domains it doesn't know about.
The validation is described in a Design section as follows:

"""
Finally, any modification of the domain resolution order must ensure
that each of the specified domain names corresponds either to that of
FreeIPA domain or to one of the trusted AD domains stored in LDAP
backend. In the case of trusted domains, the domain must not be marked
as disabled.
"""

Is this sufficient or is a more thorough validation required? Shall I
split the whole section into sub-sections for easier navigation?
Post by Alexander Bokovoy
- Space separator initially caused me to look up DNS RFCs as strictly
speaking domain names can contain any 8-bit octet (while host names
should follow LDH rule). But then [1] does explicitly say space is not
allowed in AD domain names.
I have discussed this with Jan and consulted the same document that you
cited, that's why I have arrived to the conclusion to use whitespace as
separator. Jakub/Fabiano, is this ok with the way SSSD decodes domain
names or should we consider other options to avoid breakage with more
exotic domain names?
Post by Alexander Bokovoy
- "If ipaDomainResolutionOrder is empty then *all* users must use fully
qualified names." This is not correct with regards to the current
behavior. I think we should change this to "if
ipaDomainResolutionOrder is empty, then standard SSSD configuration
logic applies on each client." This would make current behavior
compatible with either empty or ipaDomainResolutionOrder value of
a single IPA domain name.
I have considered a empty attribute value to be a distinct state from
the missing attribute and assigned a different semantic meaning to it.

The reasoning is as follows: if the attribute is not set, SSSD will not
retrieve it and this signals that it should continue operate in usual way.

If the attribute is present but is empty, the semantics change slightly
as now we consider *no* domains during short name resolution (extension
of the missing domain behavior to the case of all domains are missing
from list).

That is however open to discussion and I think we can even get away from
this by letting SSSD guys to decide how to handle this case.
Post by Alexander Bokovoy
- There are typos in the page.
I know there was not much proofreading involved in this iteration. I
have already tried to fix them.
Post by Alexander Bokovoy
[1]
https://support.microsoft.com/en-us/help/909264/naming-conventions-in-active-directory-for-computers,-domains,-sites,-and-ous
--
Martin^3 Babinsky
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Jan Cholasta
2017-03-01 13:04:26 UTC
Permalink
Post by Martin Babinsky
Alexander,
Post by Alexander Bokovoy
Post by Martin Babinsky
Hello list,
I have put together a draft of design page describing server-side
implementation of user short name -> fully-qualified name resolution.[1]
In the end I have taken the liberty to change a few aspects of the
design we have agreed on before and I will be grad if we can discuss
them further.
Me and Honza have discussed the object that should hold the domain
resolution order and given the fact that IPA domain can also be a part
of this list, we have decided that this information is no longer bound
to trust configuration and should be a part of the global config instead.
Also we have purposefully cut down the API only to a raw manipulation
of the attribute using an option of `ipa config-mod`. The reasons for
* the developer resources are quite scarce and it may be good to
follow YAGNI[2] principle to implement the dumbest API now and not to
invest into more high-level interface unless there is a demand for it
* we can imagine that the manipulation of the domain resolution order
is a rare operation (ideally only once all trusts are established), so
I am not convinced that it is worth investing into designing
higher-level API
I propose we first develop the "dumber" parts first to unblock the
SSSD part. If we have spare cycle afterwards then we can design and
implement more bells-and-whistles afterwards.
- I do not see you mention how validation of the
ipaDomainResolutionOrder is done. This is important to avoid hard to
debug issues because SSSD will ignore domains it doesn't know about.
"""
Finally, any modification of the domain resolution order must ensure
that each of the specified domain names corresponds either to that of
FreeIPA domain or to one of the trusted AD domains stored in LDAP
backend. In the case of trusted domains, the domain must not be marked
as disabled.
"""
Is this sufficient or is a more thorough validation required? Shall I
split the whole section into sub-sections for easier navigation?
Post by Alexander Bokovoy
- Space separator initially caused me to look up DNS RFCs as strictly
speaking domain names can contain any 8-bit octet (while host names
should follow LDH rule). But then [1] does explicitly say space is not
allowed in AD domain names.
I have discussed this with Jan and consulted the same document that you
cited, that's why I have arrived to the conclusion to use whitespace as
separator. Jakub/Fabiano, is this ok with the way SSSD decodes domain
names or should we consider other options to avoid breakage with more
exotic domain names?
Actually I would prefer something else than whitespace as a separator. A
':' maybe?
Post by Martin Babinsky
Post by Alexander Bokovoy
- "If ipaDomainResolutionOrder is empty then *all* users must use fully
qualified names." This is not correct with regards to the current
behavior. I think we should change this to "if
ipaDomainResolutionOrder is empty, then standard SSSD configuration
logic applies on each client." This would make current behavior
compatible with either empty or ipaDomainResolutionOrder value of
a single IPA domain name.
I have considered a empty attribute value to be a distinct state from
the missing attribute and assigned a different semantic meaning to it.
The reasoning is as follows: if the attribute is not set, SSSD will not
retrieve it and this signals that it should continue operate in usual way.
If the attribute is present but is empty, the semantics change slightly
as now we consider *no* domains during short name resolution (extension
of the missing domain behavior to the case of all domains are missing
from list).
It doesn't have to be literally empty (LDAP character string syntaxes
don't allow it anyway IIRC), there can be a value which denotes an empty
list of domain (e.g. the separator alone).
Post by Martin Babinsky
That is however open to discussion and I think we can even get away from
this by letting SSSD guys to decide how to handle this case.
Post by Alexander Bokovoy
- There are typos in the page.
I know there was not much proofreading involved in this iteration. I
have already tried to fix them.
Post by Alexander Bokovoy
[1]
https://support.microsoft.com/en-us/help/909264/naming-conventions-in-active-directory-for-computers,-domains,-sites,-and-ous
--
Jan Cholasta
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Alexander Bokovoy
2017-03-01 13:05:26 UTC
Permalink
Post by Jan Cholasta
Post by Martin Babinsky
Alexander,
Post by Alexander Bokovoy
Post by Martin Babinsky
Hello list,
I have put together a draft of design page describing server-side
implementation of user short name -> fully-qualified name resolution.[1]
In the end I have taken the liberty to change a few aspects of the
design we have agreed on before and I will be grad if we can discuss
them further.
Me and Honza have discussed the object that should hold the domain
resolution order and given the fact that IPA domain can also be a part
of this list, we have decided that this information is no longer bound
to trust configuration and should be a part of the global config instead.
Also we have purposefully cut down the API only to a raw manipulation
of the attribute using an option of `ipa config-mod`. The reasons for
* the developer resources are quite scarce and it may be good to
follow YAGNI[2] principle to implement the dumbest API now and not to
invest into more high-level interface unless there is a demand for it
* we can imagine that the manipulation of the domain resolution order
is a rare operation (ideally only once all trusts are established), so
I am not convinced that it is worth investing into designing
higher-level API
I propose we first develop the "dumber" parts first to unblock the
SSSD part. If we have spare cycle afterwards then we can design and
implement more bells-and-whistles afterwards.
- I do not see you mention how validation of the
ipaDomainResolutionOrder is done. This is important to avoid hard to
debug issues because SSSD will ignore domains it doesn't know about.
"""
Finally, any modification of the domain resolution order must ensure
that each of the specified domain names corresponds either to that of
FreeIPA domain or to one of the trusted AD domains stored in LDAP
backend. In the case of trusted domains, the domain must not be marked
as disabled.
"""
Is this sufficient or is a more thorough validation required? Shall I
split the whole section into sub-sections for easier navigation?
Post by Alexander Bokovoy
- Space separator initially caused me to look up DNS RFCs as strictly
speaking domain names can contain any 8-bit octet (while host names
should follow LDH rule). But then [1] does explicitly say space is not
allowed in AD domain names.
I have discussed this with Jan and consulted the same document that you
cited, that's why I have arrived to the conclusion to use whitespace as
separator. Jakub/Fabiano, is this ok with the way SSSD decodes domain
names or should we consider other options to avoid breakage with more
exotic domain names?
Actually I would prefer something else than whitespace as a separator.
A ':' maybe?
or ',' or ';'. Any would work.
Post by Jan Cholasta
Post by Martin Babinsky
I have considered a empty attribute value to be a distinct state from
the missing attribute and assigned a different semantic meaning to it.
The reasoning is as follows: if the attribute is not set, SSSD will not
retrieve it and this signals that it should continue operate in usual way.
If the attribute is present but is empty, the semantics change slightly
as now we consider *no* domains during short name resolution (extension
of the missing domain behavior to the case of all domains are missing
from list).
It doesn't have to be literally empty (LDAP character string syntaxes
don't allow it anyway IIRC), there can be a value which denotes an
empty list of domain (e.g. the separator alone).
I don't see *why* there should be this distinction. The deciding party
is SSSD. Whether this attirbute exists and empty or does not exist at
all does not change anything. Changing how SSSD interprets own defaults
depending on absense or emptiness of certain attribute in IPA config
object is not user friendly at all.

SSSD default behavior should stay the same whether it finds missing or
empty attribute because the attribute will not be known to older SSSD
anyway. Missing or empty attribute should, in my opinion, be equal to
older SSSD behavior.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Jan Cholasta
2017-03-01 13:41:57 UTC
Permalink
Post by Alexander Bokovoy
Post by Jan Cholasta
Post by Martin Babinsky
Alexander,
Post by Alexander Bokovoy
Post by Martin Babinsky
Hello list,
I have put together a draft of design page describing server-side
implementation of user short name -> fully-qualified name
resolution.[1]
In the end I have taken the liberty to change a few aspects of the
design we have agreed on before and I will be grad if we can discuss
them further.
Me and Honza have discussed the object that should hold the domain
resolution order and given the fact that IPA domain can also be a part
of this list, we have decided that this information is no longer bound
to trust configuration and should be a part of the global config instead.
Also we have purposefully cut down the API only to a raw manipulation
of the attribute using an option of `ipa config-mod`. The reasons for
* the developer resources are quite scarce and it may be good to
follow YAGNI[2] principle to implement the dumbest API now and not to
invest into more high-level interface unless there is a demand for it
* we can imagine that the manipulation of the domain resolution order
is a rare operation (ideally only once all trusts are established), so
I am not convinced that it is worth investing into designing
higher-level API
I propose we first develop the "dumber" parts first to unblock the
SSSD part. If we have spare cycle afterwards then we can design and
implement more bells-and-whistles afterwards.
- I do not see you mention how validation of the
ipaDomainResolutionOrder is done. This is important to avoid hard to
debug issues because SSSD will ignore domains it doesn't know about.
"""
Finally, any modification of the domain resolution order must ensure
that each of the specified domain names corresponds either to that of
FreeIPA domain or to one of the trusted AD domains stored in LDAP
backend. In the case of trusted domains, the domain must not be marked
as disabled.
"""
Is this sufficient or is a more thorough validation required? Shall I
split the whole section into sub-sections for easier navigation?
Post by Alexander Bokovoy
- Space separator initially caused me to look up DNS RFCs as strictly
speaking domain names can contain any 8-bit octet (while host names
should follow LDH rule). But then [1] does explicitly say space is not
allowed in AD domain names.
I have discussed this with Jan and consulted the same document that you
cited, that's why I have arrived to the conclusion to use whitespace as
separator. Jakub/Fabiano, is this ok with the way SSSD decodes domain
names or should we consider other options to avoid breakage with more
exotic domain names?
Actually I would prefer something else than whitespace as a separator.
A ':' maybe?
or ',' or ';'. Any would work.
Post by Jan Cholasta
Post by Martin Babinsky
I have considered a empty attribute value to be a distinct state from
the missing attribute and assigned a different semantic meaning to it.
The reasoning is as follows: if the attribute is not set, SSSD will not
retrieve it and this signals that it should continue operate in usual way.
If the attribute is present but is empty, the semantics change slightly
as now we consider *no* domains during short name resolution (extension
of the missing domain behavior to the case of all domains are missing
from list).
It doesn't have to be literally empty (LDAP character string syntaxes
don't allow it anyway IIRC), there can be a value which denotes an
empty list of domain (e.g. the separator alone).
I don't see *why* there should be this distinction. The deciding party
is SSSD. Whether this attirbute exists and empty or does not exist at
all does not change anything. Changing how SSSD interprets own defaults
depending on absense or emptiness of certain attribute in IPA config
object is not user friendly at all.
SSSD default behavior should stay the same whether it finds missing or
empty attribute because the attribute will not be known to older SSSD
anyway. Missing or empty attribute should, in my opinion, be equal to
older SSSD behavior.
"No value is set in configuration => use built-in default / some value
is set configuration => use the value" is perfectly user friendly and
pretty much common virtually everywhere I believe, much more so than
"empty value is set in configuration => ignore the value even if the
user deliberately set it empty and use the default value instead".
--
Jan Cholasta
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Alexander Bokovoy
2017-03-01 13:58:07 UTC
Permalink
Post by Jan Cholasta
Post by Alexander Bokovoy
Post by Jan Cholasta
Post by Martin Babinsky
Alexander,
Post by Alexander Bokovoy
Post by Martin Babinsky
Hello list,
I have put together a draft of design page describing server-side
implementation of user short name -> fully-qualified name
resolution.[1]
In the end I have taken the liberty to change a few aspects of the
design we have agreed on before and I will be grad if we can discuss
them further.
Me and Honza have discussed the object that should hold the domain
resolution order and given the fact that IPA domain can also be a part
of this list, we have decided that this information is no longer bound
to trust configuration and should be a part of the global config instead.
Also we have purposefully cut down the API only to a raw manipulation
of the attribute using an option of `ipa config-mod`. The reasons for
* the developer resources are quite scarce and it may be good to
follow YAGNI[2] principle to implement the dumbest API now and not to
invest into more high-level interface unless there is a demand for it
* we can imagine that the manipulation of the domain resolution order
is a rare operation (ideally only once all trusts are established), so
I am not convinced that it is worth investing into designing
higher-level API
I propose we first develop the "dumber" parts first to unblock the
SSSD part. If we have spare cycle afterwards then we can design and
implement more bells-and-whistles afterwards.
- I do not see you mention how validation of the
ipaDomainResolutionOrder is done. This is important to avoid hard to
debug issues because SSSD will ignore domains it doesn't know about.
"""
Finally, any modification of the domain resolution order must ensure
that each of the specified domain names corresponds either to that of
FreeIPA domain or to one of the trusted AD domains stored in LDAP
backend. In the case of trusted domains, the domain must not be marked
as disabled.
"""
Is this sufficient or is a more thorough validation required? Shall I
split the whole section into sub-sections for easier navigation?
Post by Alexander Bokovoy
- Space separator initially caused me to look up DNS RFCs as strictly
speaking domain names can contain any 8-bit octet (while host names
should follow LDH rule). But then [1] does explicitly say space is not
allowed in AD domain names.
I have discussed this with Jan and consulted the same document that you
cited, that's why I have arrived to the conclusion to use whitespace as
separator. Jakub/Fabiano, is this ok with the way SSSD decodes domain
names or should we consider other options to avoid breakage with more
exotic domain names?
Actually I would prefer something else than whitespace as a separator.
A ':' maybe?
or ',' or ';'. Any would work.
Post by Jan Cholasta
Post by Martin Babinsky
I have considered a empty attribute value to be a distinct state from
the missing attribute and assigned a different semantic meaning to it.
The reasoning is as follows: if the attribute is not set, SSSD will not
retrieve it and this signals that it should continue operate in usual way.
If the attribute is present but is empty, the semantics change slightly
as now we consider *no* domains during short name resolution (extension
of the missing domain behavior to the case of all domains are missing
from list).
It doesn't have to be literally empty (LDAP character string syntaxes
don't allow it anyway IIRC), there can be a value which denotes an
empty list of domain (e.g. the separator alone).
I don't see *why* there should be this distinction. The deciding party
is SSSD. Whether this attirbute exists and empty or does not exist at
all does not change anything. Changing how SSSD interprets own defaults
depending on absense or emptiness of certain attribute in IPA config
object is not user friendly at all.
SSSD default behavior should stay the same whether it finds missing or
empty attribute because the attribute will not be known to older SSSD
anyway. Missing or empty attribute should, in my opinion, be equal to
older SSSD behavior.
"No value is set in configuration => use built-in default / some value
is set configuration => use the value" is perfectly user friendly and
pretty much common virtually everywhere I believe, much more so than
"empty value is set in configuration => ignore the value even if the
user deliberately set it empty and use the default value instead".
I'm not arguing with "no value is set in configuration -> use built-in
default". I do argue on having empty but present attribute because it
does not add anything useful for SSSD to decide on. And as it is not
adding anything useful, why there should be such difference at all?

This is the only question open I see in this design.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Jan Cholasta
2017-03-02 07:57:23 UTC
Permalink
Post by Alexander Bokovoy
Post by Jan Cholasta
Post by Alexander Bokovoy
Post by Jan Cholasta
Post by Martin Babinsky
Alexander,
Post by Alexander Bokovoy
Post by Martin Babinsky
Hello list,
I have put together a draft of design page describing server-side
implementation of user short name -> fully-qualified name resolution.[1]
In the end I have taken the liberty to change a few aspects of the
design we have agreed on before and I will be grad if we can discuss
them further.
Me and Honza have discussed the object that should hold the domain
resolution order and given the fact that IPA domain can also be a part
of this list, we have decided that this information is no longer bound
to trust configuration and should be a part of the global config instead.
Also we have purposefully cut down the API only to a raw
manipulation
of the attribute using an option of `ipa config-mod`. The reasons for
* the developer resources are quite scarce and it may be good to
follow YAGNI[2] principle to implement the dumbest API now and not to
invest into more high-level interface unless there is a demand for it
* we can imagine that the manipulation of the domain resolution order
is a rare operation (ideally only once all trusts are
established), so
I am not convinced that it is worth investing into designing
higher-level API
I propose we first develop the "dumber" parts first to unblock the
SSSD part. If we have spare cycle afterwards then we can design and
implement more bells-and-whistles afterwards.
- I do not see you mention how validation of the
ipaDomainResolutionOrder is done. This is important to avoid hard to
debug issues because SSSD will ignore domains it doesn't know about.
"""
Finally, any modification of the domain resolution order must ensure
that each of the specified domain names corresponds either to that of
FreeIPA domain or to one of the trusted AD domains stored in LDAP
backend. In the case of trusted domains, the domain must not be marked
as disabled.
"""
Is this sufficient or is a more thorough validation required? Shall I
split the whole section into sub-sections for easier navigation?
Post by Alexander Bokovoy
- Space separator initially caused me to look up DNS RFCs as strictly
speaking domain names can contain any 8-bit octet (while host names
should follow LDH rule). But then [1] does explicitly say space is not
allowed in AD domain names.
I have discussed this with Jan and consulted the same document that you
cited, that's why I have arrived to the conclusion to use
whitespace as
separator. Jakub/Fabiano, is this ok with the way SSSD decodes domain
names or should we consider other options to avoid breakage with more
exotic domain names?
Actually I would prefer something else than whitespace as a separator.
A ':' maybe?
or ',' or ';'. Any would work.
Post by Jan Cholasta
Post by Martin Babinsky
I have considered a empty attribute value to be a distinct state from
the missing attribute and assigned a different semantic meaning to it.
The reasoning is as follows: if the attribute is not set, SSSD will not
retrieve it and this signals that it should continue operate in usual way.
If the attribute is present but is empty, the semantics change slightly
as now we consider *no* domains during short name resolution (extension
of the missing domain behavior to the case of all domains are missing
from list).
It doesn't have to be literally empty (LDAP character string syntaxes
don't allow it anyway IIRC), there can be a value which denotes an
empty list of domain (e.g. the separator alone).
I don't see *why* there should be this distinction. The deciding party
is SSSD. Whether this attirbute exists and empty or does not exist at
all does not change anything. Changing how SSSD interprets own defaults
depending on absense or emptiness of certain attribute in IPA config
object is not user friendly at all.
SSSD default behavior should stay the same whether it finds missing or
empty attribute because the attribute will not be known to older SSSD
anyway. Missing or empty attribute should, in my opinion, be equal to
older SSSD behavior.
"No value is set in configuration => use built-in default / some value
is set configuration => use the value" is perfectly user friendly and
pretty much common virtually everywhere I believe, much more so than
"empty value is set in configuration => ignore the value even if the
user deliberately set it empty and use the default value instead".
I'm not arguing with "no value is set in configuration -> use built-in
default". I do argue on having empty but present attribute because it
does not add anything useful for SSSD to decide on. And as it is not
adding anything useful, why there should be such difference at all?
This is the only question open I see in this design.
The list does not have to contain all available domains, therefore it
can also be empty. When a domain is not present in the list, a fully
qualified name must be used for users in that domain, therefore when the
list is empty, fully qualified name must be used for users in all domains.

This might be useful to someone, and even if it wasn't, I still don't
think it warrants making a (IMO counter-intuitive) special case out of
the empty list.
--
Jan Cholasta
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Alexander Bokovoy
2017-03-02 08:06:01 UTC
Permalink
Post by Jan Cholasta
Post by Alexander Bokovoy
Post by Jan Cholasta
"No value is set in configuration => use built-in default / some value
is set configuration => use the value" is perfectly user friendly and
pretty much common virtually everywhere I believe, much more so than
"empty value is set in configuration => ignore the value even if the
user deliberately set it empty and use the default value instead".
I'm not arguing with "no value is set in configuration -> use built-in
default". I do argue on having empty but present attribute because it
does not add anything useful for SSSD to decide on. And as it is not
adding anything useful, why there should be such difference at all?
This is the only question open I see in this design.
The list does not have to contain all available domains, therefore it
can also be empty. When a domain is not present in the list, a fully
qualified name must be used for users in that domain, therefore when
the list is empty, fully qualified name must be used for users in all
domains.
This might be useful to someone, and even if it wasn't, I still don't
think it warrants making a (IMO counter-intuitive) special case out of
the empty list.
I'm confused. I don't want to make this distinction between a missing
attribute and an empty one. You appear to be following the same path.
What we are arguing about then?
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Alexander Bokovoy
2017-03-01 13:00:35 UTC
Permalink
Post by Martin Babinsky
Alexander,
Post by Alexander Bokovoy
Post by Martin Babinsky
Hello list,
I have put together a draft of design page describing server-side
implementation of user short name -> fully-qualified name resolution.[1]
In the end I have taken the liberty to change a few aspects of the
design we have agreed on before and I will be grad if we can discuss
them further.
Me and Honza have discussed the object that should hold the domain
resolution order and given the fact that IPA domain can also be a part
of this list, we have decided that this information is no longer bound
to trust configuration and should be a part of the global config instead.
Also we have purposefully cut down the API only to a raw manipulation
of the attribute using an option of `ipa config-mod`. The reasons for
* the developer resources are quite scarce and it may be good to
follow YAGNI[2] principle to implement the dumbest API now and not to
invest into more high-level interface unless there is a demand for it
* we can imagine that the manipulation of the domain resolution order
is a rare operation (ideally only once all trusts are established), so
I am not convinced that it is worth investing into designing
higher-level API
I propose we first develop the "dumber" parts first to unblock the
SSSD part. If we have spare cycle afterwards then we can design and
implement more bells-and-whistles afterwards.
- I do not see you mention how validation of the
ipaDomainResolutionOrder is done. This is important to avoid hard to
debug issues because SSSD will ignore domains it doesn't know about.
"""
Finally, any modification of the domain resolution order must ensure
that each of the specified domain names corresponds either to that of
FreeIPA domain or to one of the trusted AD domains stored in LDAP
backend. In the case of trusted domains, the domain must not be marked
as disabled.
"""
Is this sufficient or is a more thorough validation required? Shall I
split the whole section into sub-sections for easier navigation?
I think it would be good to increase visibility by making subsections.

However, I'd like to spell it out that trusted forest root domain is
also verified on the list. We have trusts structured hierarchically,
this means both levels have to be checked.
Post by Martin Babinsky
Post by Alexander Bokovoy
- Space separator initially caused me to look up DNS RFCs as strictly
speaking domain names can contain any 8-bit octet (while host names
should follow LDH rule). But then [1] does explicitly say space is not
allowed in AD domain names.
I have discussed this with Jan and consulted the same document that
you cited, that's why I have arrived to the conclusion to use
whitespace as separator. Jakub/Fabiano, is this ok with the way SSSD
decodes domain names or should we consider other options to avoid
breakage with more exotic domain names?
Post by Alexander Bokovoy
- "If ipaDomainResolutionOrder is empty then *all* users must use fully
qualified names." This is not correct with regards to the current
behavior. I think we should change this to "if
ipaDomainResolutionOrder is empty, then standard SSSD configuration
logic applies on each client." This would make current behavior
compatible with either empty or ipaDomainResolutionOrder value of
a single IPA domain name.
I have considered a empty attribute value to be a distinct state from
the missing attribute and assigned a different semantic meaning to it.
The reasoning is as follows: if the attribute is not set, SSSD will
not retrieve it and this signals that it should continue operate in
usual way.
If the attribute is present but is empty, the semantics change
slightly as now we consider *no* domains during short name resolution
(extension of the missing domain behavior to the case of all domains
are missing from list).
I'd rather avoid making this distinction. You always can override things
on SSSD side and default on SSSD side is to *not* use fully qualified
domain names for a domain.

I don't think we have any use case of having all domains with fully
qualified names. Even in case of NFS and sss_rpcidmapd, SSSD will
happily handle both non-fully qualified names and fully qualified ones.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Simo Sorce
2017-03-01 14:42:07 UTC
Permalink
Post by Martin Babinsky
Hello list,
I have put together a draft of design page describing server-side
implementation of user short name -> fully-qualified name resolution.[1]
In the end I have taken the liberty to change a few aspects of the
design we have agreed on before and I will be grad if we can discuss
them further.
Me and Honza have discussed the object that should hold the domain
resolution order and given the fact that IPA domain can also be a part
of this list, we have decided that this information is no longer bound
to trust configuration and should be a part of the global config instead.
Also we have purposefully cut down the API only to a raw manipulation of
the attribute using an option of `ipa config-mod`. The reasons for this
* the developer resources are quite scarce and it may be good to
follow YAGNI[2] principle to implement the dumbest API now and not to
invest into more high-level interface unless there is a demand for it
* we can imagine that the manipulation of the domain resolution order
is a rare operation (ideally only once all trusts are established), so I
am not convinced that it is worth investing into designing higher-level API
I propose we first develop the "dumber" parts first to unblock the SSSD
part. If we have spare cycle afterwards then we can design and implement
more bells-and-whistles afterwards.
[1] https://www.freeipa.org/page/V4/AD_User_Short_Names
[2] https://en.wikipedia.org/wiki/You_aren%27t_gonna_need_it
Thank you Martin,
this is a good initial proposal.

I have a few issues with this design:
- It conflates the idea of ordering with the idea of shortening user
names
- It allows only for one setting for all the machines, no way to treat
different groups of machines differently

The first one is probably just a matter of using a more specific name
for the new attribute, or, perhaps not use a new attribute at all but
just use ipaConfigString with an agreed syntax like:
ipaConfigString: Domains Use Short Name List: aaa bbb ccc ddd

The side effect of using ipaConfigString is that we can set this on
older servers too, so people do not have to upgrade their servers to use
this. Old servers will not have any validation, but that is ok, sssd
must be prepared to receive a bad list and deal with it appropriately
anyway.


The second one is something we *may* address later, and use the setting
in cn=ipaConfig as a default, but there are two reasons why I think a
setting applicable to just a host group makes sense:
- it allows to test the setting on a small set of machines to see if
everything works right, this is going to be especially important on
existing setups, where people do not want to risk all machines
misbehaving at once if something goes wrong.
- it allows to migrate machines slowly, in some cases people may need to
change local files/application settings on machines if the usernames
change, so they may need a controlled roll out before changing a setting
globally.

This may achieved by adding this setting to an ID View for example, then
only hosts in that IDView would get this. Or a new object could be
created that has members, the former has the advantage of being already
in place and SSSD already downloads that data, the latter allows to
target an even smaller set of hosts unrelated to previous ID views
settings.

Simo.
--
Simo Sorce * Red Hat, Inc * New York
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Martin Babinsky
2017-03-01 15:17:13 UTC
Permalink
Post by Simo Sorce
Post by Martin Babinsky
Hello list,
I have put together a draft of design page describing server-side
implementation of user short name -> fully-qualified name resolution.[1]
In the end I have taken the liberty to change a few aspects of the
design we have agreed on before and I will be grad if we can discuss
them further.
Me and Honza have discussed the object that should hold the domain
resolution order and given the fact that IPA domain can also be a part
of this list, we have decided that this information is no longer bound
to trust configuration and should be a part of the global config instead.
Also we have purposefully cut down the API only to a raw manipulation of
the attribute using an option of `ipa config-mod`. The reasons for this
* the developer resources are quite scarce and it may be good to
follow YAGNI[2] principle to implement the dumbest API now and not to
invest into more high-level interface unless there is a demand for it
* we can imagine that the manipulation of the domain resolution order
is a rare operation (ideally only once all trusts are established), so I
am not convinced that it is worth investing into designing higher-level API
I propose we first develop the "dumber" parts first to unblock the SSSD
part. If we have spare cycle afterwards then we can design and implement
more bells-and-whistles afterwards.
[1] https://www.freeipa.org/page/V4/AD_User_Short_Names
[2] https://en.wikipedia.org/wiki/You_aren%27t_gonna_need_it
Thank you Martin,
this is a good initial proposal.
- It conflates the idea of ordering with the idea of shortening user
names
I fail to see where the conflation takes place. The ordered list is
stored on the server. The client then uses it to expand short names. I
guess I am just missing something.
Post by Simo Sorce
- It allows only for one setting for all the machines, no way to treat
different groups of machines differently
Yes it was discussed that the setting will be global. I would implement
local overrides only when there is a demand for the feature given
development time is short.
Post by Simo Sorce
The first one is probably just a matter of using a more specific name
for the new attribute, or, perhaps not use a new attribute at all but
ipaConfigString: Domains Use Short Name List: aaa bbb ccc ddd
The side effect of using ipaConfigString is that we can set this on
older servers too, so people do not have to upgrade their servers to use
this. Old servers will not have any validation, but that is ok, sssd
must be prepared to receive a bad list and deal with it appropriately
anyway.
No more 'ipaConfigString' attribute values, please. Me and everyone else
fixing e.g. replication issues can relate to the pain of doing CRUD
operations involving them.

If the admin wishes old servers to server new clients this information,
all he has to do is upgrade a single replica, set the attribute value
there and let replication take care of the rest. Yes, the management CLI
will not be available on the old masters but that is the case of new
features anyway.
Post by Simo Sorce
The second one is something we *may* address later, and use the setting
in cn=ipaConfig as a default, but there are two reasons why I think a
- it allows to test the setting on a small set of machines to see if
everything works right, this is going to be especially important on
existing setups, where people do not want to risk all machines
misbehaving at once if something goes wrong.
- it allows to migrate machines slowly, in some cases people may need to
change local files/application settings on machines if the usernames
change, so they may need a controlled roll out before changing a setting
globally.
This may achieved by adding this setting to an ID View for example, then
only hosts in that IDView would get this. Or a new object could be
created that has members, the former has the advantage of being already
in place and SSSD already downloads that data, the latter allows to
target an even smaller set of hosts unrelated to previous ID views
settings.
Simo.
That is an interesting proposal but I am afraid we may not get to
implement that during 4.5 development. I can certainly mention the
possibility in the design so that we can return to it when a need arises.
--
Martin^3 Babinsky
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Simo Sorce
2017-03-01 15:32:21 UTC
Permalink
Post by Martin Babinsky
Post by Simo Sorce
Post by Martin Babinsky
Hello list,
I have put together a draft of design page describing server-side
implementation of user short name -> fully-qualified name resolution.[1]
In the end I have taken the liberty to change a few aspects of the
design we have agreed on before and I will be grad if we can discuss
them further.
Me and Honza have discussed the object that should hold the domain
resolution order and given the fact that IPA domain can also be a part
of this list, we have decided that this information is no longer bound
to trust configuration and should be a part of the global config instead.
Also we have purposefully cut down the API only to a raw manipulation of
the attribute using an option of `ipa config-mod`. The reasons for this
* the developer resources are quite scarce and it may be good to
follow YAGNI[2] principle to implement the dumbest API now and not to
invest into more high-level interface unless there is a demand for it
* we can imagine that the manipulation of the domain resolution order
is a rare operation (ideally only once all trusts are established), so I
am not convinced that it is worth investing into designing higher-level API
I propose we first develop the "dumber" parts first to unblock the SSSD
part. If we have spare cycle afterwards then we can design and implement
more bells-and-whistles afterwards.
[1] https://www.freeipa.org/page/V4/AD_User_Short_Names
[2] https://en.wikipedia.org/wiki/You_aren%27t_gonna_need_it
Thank you Martin,
this is a good initial proposal.
- It conflates the idea of ordering with the idea of shortening user
names
I fail to see where the conflation takes place. The ordered list is
stored on the server. The client then uses it to expand short names. I
guess I am just missing something.
The attribute is called ipaNTDomainResolutionOrder, nothing in that
attribute says anything about making names become short names.
If it were ipaNTShortNameDomainResolutionOrder then it would be
specific, as it is it seem just to refer to the order in which domain
are resolved, but that is somethign we want in order to determine which
domains SSSD is going to make use short names too, not just the order in
which domains are resolved.
I hope this makes it clearer.
Post by Martin Babinsky
Post by Simo Sorce
- It allows only for one setting for all the machines, no way to treat
different groups of machines differently
Yes it was discussed that the setting will be global. I would implement
local overrides only when there is a demand for the feature given
development time is short.
Demand is immediate, and it is obvious IMO.
Post by Martin Babinsky
Post by Simo Sorce
The first one is probably just a matter of using a more specific name
for the new attribute, or, perhaps not use a new attribute at all but
ipaConfigString: Domains Use Short Name List: aaa bbb ccc ddd
The side effect of using ipaConfigString is that we can set this on
older servers too, so people do not have to upgrade their servers to use
this. Old servers will not have any validation, but that is ok, sssd
must be prepared to receive a bad list and deal with it appropriately
anyway.
No more 'ipaConfigString' attribute values, please. Me and everyone else
fixing e.g. replication issues can relate to the pain of doing CRUD
operations involving them.
ipaConfigString was devised explicitly so that configuration options
could be added without replication issues because the string can be
accepted by any server version.
So what replication issues are there ?
What has CRUD to do with it ?
Post by Martin Babinsky
If the admin wishes old servers to server new clients this information,
They do not "wish", this is pretty much what happens all the time ...
Post by Martin Babinsky
all he has to do is upgrade a single replica, set the attribute value
there and let replication take care of the rest.
Come on, really ?
If you have RHEL6 it is not a matter of "simply" upgrading a single
replica, it means upgrade of the whole infrastructure ...
Post by Martin Babinsky
Yes, the management CLI
will not be available on the old masters but that is the case of new
features anyway.
I do not think we need any management UI in the short term to be honest,
just a way to set a string.
That will cut most development time that can be spent instead on dealing
with allowing smaller groups of machines to be affected instead.
Post by Martin Babinsky
Post by Simo Sorce
The second one is something we *may* address later, and use the setting
in cn=ipaConfig as a default, but there are two reasons why I think a
- it allows to test the setting on a small set of machines to see if
everything works right, this is going to be especially important on
existing setups, where people do not want to risk all machines
misbehaving at once if something goes wrong.
- it allows to migrate machines slowly, in some cases people may need to
change local files/application settings on machines if the usernames
change, so they may need a controlled roll out before changing a setting
globally.
This may achieved by adding this setting to an ID View for example, then
only hosts in that IDView would get this. Or a new object could be
created that has members, the former has the advantage of being already
in place and SSSD already downloads that data, the latter allows to
target an even smaller set of hosts unrelated to previous ID views
settings.
Simo.
That is an interesting proposal but I am afraid we may not get to
implement that during 4.5 development. I can certainly mention the
possibility in the design so that we can return to it when a need arises.
My take is: cut API/UI work, and do the underlying infrastructure work
for the widest set of serves/clients possible instead.

It is much more important to get the underlying gears done than to add
UI candy, that can be delayed.

Simo.
--
Simo Sorce * Red Hat, Inc * New York
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Martin Babinsky
2017-03-01 15:47:15 UTC
Permalink
Post by Simo Sorce
Post by Martin Babinsky
Post by Simo Sorce
Post by Martin Babinsky
Hello list,
I have put together a draft of design page describing server-side
implementation of user short name -> fully-qualified name resolution.[1]
In the end I have taken the liberty to change a few aspects of the
design we have agreed on before and I will be grad if we can discuss
them further.
Me and Honza have discussed the object that should hold the domain
resolution order and given the fact that IPA domain can also be a part
of this list, we have decided that this information is no longer bound
to trust configuration and should be a part of the global config instead.
Also we have purposefully cut down the API only to a raw manipulation of
the attribute using an option of `ipa config-mod`. The reasons for this
* the developer resources are quite scarce and it may be good to
follow YAGNI[2] principle to implement the dumbest API now and not to
invest into more high-level interface unless there is a demand for it
* we can imagine that the manipulation of the domain resolution order
is a rare operation (ideally only once all trusts are established), so I
am not convinced that it is worth investing into designing higher-level API
I propose we first develop the "dumber" parts first to unblock the SSSD
part. If we have spare cycle afterwards then we can design and implement
more bells-and-whistles afterwards.
[1] https://www.freeipa.org/page/V4/AD_User_Short_Names
[2] https://en.wikipedia.org/wiki/You_aren%27t_gonna_need_it
Thank you Martin,
this is a good initial proposal.
- It conflates the idea of ordering with the idea of shortening user
names
I fail to see where the conflation takes place. The ordered list is
stored on the server. The client then uses it to expand short names. I
guess I am just missing something.
The attribute is called ipaNTDomainResolutionOrder, nothing in that
attribute says anything about making names become short names.
If it were ipaNTShortNameDomainResolutionOrder then it would be
specific, as it is it seem just to refer to the order in which domain
are resolved, but that is somethign we want in order to determine which
domains SSSD is going to make use short names too, not just the order in
which domains are resolved.
I hope this makes it clearer.
Post by Martin Babinsky
Post by Simo Sorce
- It allows only for one setting for all the machines, no way to treat
different groups of machines differently
Yes it was discussed that the setting will be global. I would implement
local overrides only when there is a demand for the feature given
development time is short.
Demand is immediate, and it is obvious IMO.
Such demand was not made clear during previous discussions and was not
mentioned by SSSD guys either AFAIK.
Post by Simo Sorce
Post by Martin Babinsky
Post by Simo Sorce
The first one is probably just a matter of using a more specific name
for the new attribute, or, perhaps not use a new attribute at all but
ipaConfigString: Domains Use Short Name List: aaa bbb ccc ddd
The side effect of using ipaConfigString is that we can set this on
older servers too, so people do not have to upgrade their servers to use
this. Old servers will not have any validation, but that is ok, sssd
must be prepared to receive a bad list and deal with it appropriately
anyway.
No more 'ipaConfigString' attribute values, please. Me and everyone else
fixing e.g. replication issues can relate to the pain of doing CRUD
operations involving them.
ipaConfigString was devised explicitly so that configuration options
could be added without replication issues because the string can be
accepted by any server version.
So what replication issues are there ?
What has CRUD to do with it ?
Well consider client doing a) retrieve ipaDomainResolutionOrder and
split it by delimiter, or b) retrieve values of ipaConfigString, iterate
until you find one that starts with "Domains Use Short Name list:",
strip off the rest of the value and split it by delimiter.

I just feel anything involving 'ipaConfigString' leads to design smell,
sorry. Yes it is my personal opinion but I think there are more people
sharing it. If not, I am happy to hear counterarguments.
Post by Simo Sorce
Post by Martin Babinsky
If the admin wishes old servers to server new clients this information,
They do not "wish", this is pretty much what happens all the time ...
Post by Martin Babinsky
all he has to do is upgrade a single replica, set the attribute value
there and let replication take care of the rest.
Come on, really ?
If you have RHEL6 it is not a matter of "simply" upgrading a single
replica, it means upgrade of the whole infrastructure ...
There is plenty of features not available to deplyments with RHEL6
masters, I simply fail to see why this one should be special.
Post by Simo Sorce
Post by Martin Babinsky
Yes, the management CLI
will not be available on the old masters but that is the case of new
features anyway.
I do not think we need any management UI in the short term to be honest,
just a way to set a string.
That will cut most development time that can be spent instead on dealing
with allowing smaller groups of machines to be affected instead.
Post by Martin Babinsky
Post by Simo Sorce
The second one is something we *may* address later, and use the setting
in cn=ipaConfig as a default, but there are two reasons why I think a
- it allows to test the setting on a small set of machines to see if
everything works right, this is going to be especially important on
existing setups, where people do not want to risk all machines
misbehaving at once if something goes wrong.
- it allows to migrate machines slowly, in some cases people may need to
change local files/application settings on machines if the usernames
change, so they may need a controlled roll out before changing a setting
globally.
This may achieved by adding this setting to an ID View for example, then
only hosts in that IDView would get this. Or a new object could be
created that has members, the former has the advantage of being already
in place and SSSD already downloads that data, the latter allows to
target an even smaller set of hosts unrelated to previous ID views
settings.
Simo.
That is an interesting proposal but I am afraid we may not get to
implement that during 4.5 development. I can certainly mention the
possibility in the design so that we can return to it when a need arises.
My take is: cut API/UI work, and do the underlying infrastructure work
for the widest set of serves/clients possible instead.
It is much more important to get the underlying gears done than to add
UI candy, that can be delayed.
Simo.
I agree, we just have to come to agreement of *which* gears are really
necessary.
--
Martin^3 Babinsky
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Simo Sorce
2017-03-01 16:04:52 UTC
Permalink
Post by Martin Babinsky
Post by Simo Sorce
Post by Martin Babinsky
Post by Simo Sorce
Post by Martin Babinsky
Hello list,
I have put together a draft of design page describing server-side
implementation of user short name -> fully-qualified name resolution.[1]
In the end I have taken the liberty to change a few aspects of the
design we have agreed on before and I will be grad if we can discuss
them further.
Me and Honza have discussed the object that should hold the domain
resolution order and given the fact that IPA domain can also be a part
of this list, we have decided that this information is no longer bound
to trust configuration and should be a part of the global config instead.
Also we have purposefully cut down the API only to a raw manipulation of
the attribute using an option of `ipa config-mod`. The reasons for this
* the developer resources are quite scarce and it may be good to
follow YAGNI[2] principle to implement the dumbest API now and not to
invest into more high-level interface unless there is a demand for it
* we can imagine that the manipulation of the domain resolution order
is a rare operation (ideally only once all trusts are established), so I
am not convinced that it is worth investing into designing higher-level API
I propose we first develop the "dumber" parts first to unblock the SSSD
part. If we have spare cycle afterwards then we can design and implement
more bells-and-whistles afterwards.
[1] https://www.freeipa.org/page/V4/AD_User_Short_Names
[2] https://en.wikipedia.org/wiki/You_aren%27t_gonna_need_it
Thank you Martin,
this is a good initial proposal.
- It conflates the idea of ordering with the idea of shortening user
names
I fail to see where the conflation takes place. The ordered list is
stored on the server. The client then uses it to expand short names. I
guess I am just missing something.
The attribute is called ipaNTDomainResolutionOrder, nothing in that
attribute says anything about making names become short names.
If it were ipaNTShortNameDomainResolutionOrder then it would be
specific, as it is it seem just to refer to the order in which domain
are resolved, but that is somethign we want in order to determine which
domains SSSD is going to make use short names too, not just the order in
which domains are resolved.
I hope this makes it clearer.
Post by Martin Babinsky
Post by Simo Sorce
- It allows only for one setting for all the machines, no way to treat
different groups of machines differently
Yes it was discussed that the setting will be global. I would implement
local overrides only when there is a demand for the feature given
development time is short.
Demand is immediate, and it is obvious IMO.
Such demand was not made clear during previous discussions and was not
mentioned by SSSD guys either AFAIK.
I guess this is why we do reviews :-)
Post by Martin Babinsky
Post by Simo Sorce
Post by Martin Babinsky
Post by Simo Sorce
The first one is probably just a matter of using a more specific name
for the new attribute, or, perhaps not use a new attribute at all but
ipaConfigString: Domains Use Short Name List: aaa bbb ccc ddd
The side effect of using ipaConfigString is that we can set this on
older servers too, so people do not have to upgrade their servers to use
this. Old servers will not have any validation, but that is ok, sssd
must be prepared to receive a bad list and deal with it appropriately
anyway.
No more 'ipaConfigString' attribute values, please. Me and everyone else
fixing e.g. replication issues can relate to the pain of doing CRUD
operations involving them.
ipaConfigString was devised explicitly so that configuration options
could be added without replication issues because the string can be
accepted by any server version.
So what replication issues are there ?
What has CRUD to do with it ?
Well consider client doing a) retrieve ipaDomainResolutionOrder and
split it by delimiter, or b) retrieve values of ipaConfigString, iterate
until you find one that starts with "Domains Use Short Name list:",
strip off the rest of the value and split it by delimiter.
I do not see any problem with this.
Post by Martin Babinsky
I just feel anything involving 'ipaConfigString' leads to design smell,
sorry. Yes it is my personal opinion but I think there are more people
sharing it. If not, I am happy to hear counterarguments.
I am asking why, can you bring some evidence ?
I am all about feelings, they are important, but I want data to make a
decision.
Post by Martin Babinsky
Post by Simo Sorce
Post by Martin Babinsky
If the admin wishes old servers to server new clients this information,
They do not "wish", this is pretty much what happens all the time ...
Post by Martin Babinsky
all he has to do is upgrade a single replica, set the attribute value
there and let replication take care of the rest.
Come on, really ?
If you have RHEL6 it is not a matter of "simply" upgrading a single
replica, it means upgrade of the whole infrastructure ...
There is plenty of features not available to deplyments with RHEL6
masters, I simply fail to see why this one should be special.
It is not that it is special, my problem with that statement is that you
assume that it is easy to upgrade servers. It is not, and decisions
based on that assumption end up being very bad decisions for our users.
So please do not ever assume that our users can "just upgrade one of
their replicas".
Post by Martin Babinsky
Post by Simo Sorce
Post by Martin Babinsky
Yes, the management CLI
will not be available on the old masters but that is the case of new
features anyway.
I do not think we need any management UI in the short term to be honest,
just a way to set a string.
That will cut most development time that can be spent instead on dealing
with allowing smaller groups of machines to be affected instead.
Post by Martin Babinsky
Post by Simo Sorce
The second one is something we *may* address later, and use the setting
in cn=ipaConfig as a default, but there are two reasons why I think a
- it allows to test the setting on a small set of machines to see if
everything works right, this is going to be especially important on
existing setups, where people do not want to risk all machines
misbehaving at once if something goes wrong.
- it allows to migrate machines slowly, in some cases people may need to
change local files/application settings on machines if the usernames
change, so they may need a controlled roll out before changing a setting
globally.
This may achieved by adding this setting to an ID View for example, then
only hosts in that IDView would get this. Or a new object could be
created that has members, the former has the advantage of being already
in place and SSSD already downloads that data, the latter allows to
target an even smaller set of hosts unrelated to previous ID views
settings.
Simo.
That is an interesting proposal but I am afraid we may not get to
implement that during 4.5 development. I can certainly mention the
possibility in the design so that we can return to it when a need arises.
My take is: cut API/UI work, and do the underlying infrastructure work
for the widest set of serves/clients possible instead.
It is much more important to get the underlying gears done than to add
UI candy, that can be delayed.
Simo.
I agree, we just have to come to agreement of *which* gears are really
necessary.
Indeed, but adding attributes to ipaConfig and the ID Views is not hard,
it is a matter of extending two objectclasses instead of one ... if we
decide that Id Views are a good abstraction point.

Simo.
--
Simo Sorce * Red Hat, Inc * New York
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Alexander Bokovoy
2017-03-01 16:28:57 UTC
Permalink
Post by Simo Sorce
Post by Martin Babinsky
Post by Simo Sorce
My take is: cut API/UI work, and do the underlying infrastructure work
for the widest set of serves/clients possible instead.
It is much more important to get the underlying gears done than to add
UI candy, that can be delayed.
Simo.
I agree, we just have to come to agreement of *which* gears are really
necessary.
Indeed, but adding attributes to ipaConfig and the ID Views is not hard,
it is a matter of extending two objectclasses instead of one ... if we
decide that Id Views are a good abstraction point.
Adding the same attribute to ID View and to ipaConfig sounds logical to
me.

Martin, if you want help with this, I can implement ID View-related
parts. SSSD does have code to retrieve ipaConfig already, and it also
has support for reading ID View associated with the host. The resulting
value wouldn't end up in the same place, though, but this is something
to handle on SSSD side.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Martin Babinsky
2017-03-02 07:12:04 UTC
Permalink
Post by Alexander Bokovoy
Post by Simo Sorce
Post by Martin Babinsky
Post by Simo Sorce
My take is: cut API/UI work, and do the underlying infrastructure work
for the widest set of serves/clients possible instead.
It is much more important to get the underlying gears done than to add
UI candy, that can be delayed.
Simo.
I agree, we just have to come to agreement of *which* gears are really
necessary.
Indeed, but adding attributes to ipaConfig and the ID Views is not hard,
it is a matter of extending two objectclasses instead of one ... if we
decide that Id Views are a good abstraction point.
Adding the same attribute to ID View and to ipaConfig sounds logical to
me.
Martin, if you want help with this, I can implement ID View-related
parts. SSSD does have code to retrieve ipaConfig already, and it also
has support for reading ID View associated with the host. The resulting
value wouldn't end up in the same place, though, but this is something
to handle on SSSD side.
I was thinking about this at night (insomnia FTW) and it is actually
pretty easy to extend ID view with the same attribute (see my other
reply to Simo). Given the UI will be pretty dumb, we just can add the
new attribute to the ID view object and a common code will be
responsible for validation of changed values.
--
Martin^3 Babinsky
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Jakub Hrozek
2017-03-02 09:25:36 UTC
Permalink
This post might be inappropriate. Click to display it.
Martin Babinsky
2017-03-02 13:47:24 UTC
Permalink
Post by Jakub Hrozek
Post by Alexander Bokovoy
Post by Simo Sorce
Post by Martin Babinsky
Post by Simo Sorce
My take is: cut API/UI work, and do the underlying infrastructure work
for the widest set of serves/clients possible instead.
It is much more important to get the underlying gears done than to add
UI candy, that can be delayed.
Simo.
I agree, we just have to come to agreement of *which* gears are really
necessary.
Indeed, but adding attributes to ipaConfig and the ID Views is not hard,
it is a matter of extending two objectclasses instead of one ... if we
decide that Id Views are a good abstraction point.
Adding the same attribute to ID View and to ipaConfig sounds logical to
me.
Martin, if you want help with this, I can implement ID View-related
parts. SSSD does have code to retrieve ipaConfig already, and it also
has support for reading ID View associated with the host. The resulting
value wouldn't end up in the same place, though, but this is something
to handle on SSSD side.
I was thinking about this at night (insomnia FTW) and it is actually pretty
easy to extend ID view with the same attribute (see my other reply to Simo).
Given the UI will be pretty dumb, we just can add the new attribute to the
ID view object and a common code will be responsible for validation of
changed values.
(I'm sorry to come late to the discussion, but I spent yesterday
debugging a nasty issue in SSSD and my brain wasn't working anymore)
To be honest, I haven't heard about users requesting to set the feature
per-host. Most were interested in a global setting and given the short time
before the next release, I thought for users who need a per-client solution,
a local sssd.conf modification could also work, also considering that the
/only/ solution so far was to modify sssd.conf with the default_domain_suffix
hack.
On the other hand, I see Simo's point about easy migration to this new
setting and easier tinkering with the option if it's possible to set
this per-view. And more importantly, I'm quite sure someone /will/ ask to
set this centrally, but per host(group) eventually.
So as long as the final design is a) extendable to provide a per-host
setting in the future, even if that part is not implemented in this version
in the UI or not used by the clients immediatelly and b) it's easy for
clients to consume this setting, I'm fine.
I'm afraid I can't comment on the ipaConfig issues and the replication
concerns as I'm not that proficient with IPA internals..
If we introduce a new objectclass providing the attribute, we may then
easily extend IDView object by it (or any other object for that matter)
and fix the plugin code so that it can be set by framework, it is easy.

If you all agree that this is the way we want to move forward with this
project, I can update the design page and start implementing stuff. We
need to decide quicky, time is short.
--
Martin^3 Babinsky
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Jakub Hrozek
2017-03-02 15:11:41 UTC
Permalink
Post by Martin Babinsky
Post by Jakub Hrozek
Post by Alexander Bokovoy
Post by Simo Sorce
Post by Martin Babinsky
Post by Simo Sorce
My take is: cut API/UI work, and do the underlying infrastructure work
for the widest set of serves/clients possible instead.
It is much more important to get the underlying gears done than to add
UI candy, that can be delayed.
Simo.
I agree, we just have to come to agreement of *which* gears are really
necessary.
Indeed, but adding attributes to ipaConfig and the ID Views is not hard,
it is a matter of extending two objectclasses instead of one ... if we
decide that Id Views are a good abstraction point.
Adding the same attribute to ID View and to ipaConfig sounds logical to
me.
Martin, if you want help with this, I can implement ID View-related
parts. SSSD does have code to retrieve ipaConfig already, and it also
has support for reading ID View associated with the host. The resulting
value wouldn't end up in the same place, though, but this is something
to handle on SSSD side.
I was thinking about this at night (insomnia FTW) and it is actually pretty
easy to extend ID view with the same attribute (see my other reply to Simo).
Given the UI will be pretty dumb, we just can add the new attribute to the
ID view object and a common code will be responsible for validation of
changed values.
(I'm sorry to come late to the discussion, but I spent yesterday
debugging a nasty issue in SSSD and my brain wasn't working anymore)
To be honest, I haven't heard about users requesting to set the feature
per-host. Most were interested in a global setting and given the short time
before the next release, I thought for users who need a per-client solution,
a local sssd.conf modification could also work, also considering that the
/only/ solution so far was to modify sssd.conf with the default_domain_suffix
hack.
On the other hand, I see Simo's point about easy migration to this new
setting and easier tinkering with the option if it's possible to set
this per-view. And more importantly, I'm quite sure someone /will/ ask to
set this centrally, but per host(group) eventually.
So as long as the final design is a) extendable to provide a per-host
setting in the future, even if that part is not implemented in this version
in the UI or not used by the clients immediatelly and b) it's easy for
clients to consume this setting, I'm fine.
I'm afraid I can't comment on the ipaConfig issues and the replication
concerns as I'm not that proficient with IPA internals..
If we introduce a new objectclass providing the attribute, we may then
easily extend IDView object by it (or any other object for that matter) and
fix the plugin code so that it can be set by framework, it is easy.
If you all agree that this is the way we want to move forward with this
project, I can update the design page and start implementing stuff. We need
to decide quicky, time is short.
This sounds good to me from purely the client perspective, but I'm
hardly the best person to decide IPA server-side design questions.
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Martin Babinsky
2017-03-02 15:43:17 UTC
Permalink
Post by Jakub Hrozek
Post by Martin Babinsky
Post by Jakub Hrozek
Post by Alexander Bokovoy
Post by Simo Sorce
Post by Martin Babinsky
Post by Simo Sorce
My take is: cut API/UI work, and do the underlying infrastructure work
for the widest set of serves/clients possible instead.
It is much more important to get the underlying gears done than to add
UI candy, that can be delayed.
Simo.
I agree, we just have to come to agreement of *which* gears are really
necessary.
Indeed, but adding attributes to ipaConfig and the ID Views is not hard,
it is a matter of extending two objectclasses instead of one ... if we
decide that Id Views are a good abstraction point.
Adding the same attribute to ID View and to ipaConfig sounds logical to
me.
Martin, if you want help with this, I can implement ID View-related
parts. SSSD does have code to retrieve ipaConfig already, and it also
has support for reading ID View associated with the host. The resulting
value wouldn't end up in the same place, though, but this is something
to handle on SSSD side.
I was thinking about this at night (insomnia FTW) and it is actually pretty
easy to extend ID view with the same attribute (see my other reply to Simo).
Given the UI will be pretty dumb, we just can add the new attribute to the
ID view object and a common code will be responsible for validation of
changed values.
(I'm sorry to come late to the discussion, but I spent yesterday
debugging a nasty issue in SSSD and my brain wasn't working anymore)
To be honest, I haven't heard about users requesting to set the feature
per-host. Most were interested in a global setting and given the short time
before the next release, I thought for users who need a per-client solution,
a local sssd.conf modification could also work, also considering that the
/only/ solution so far was to modify sssd.conf with the default_domain_suffix
hack.
On the other hand, I see Simo's point about easy migration to this new
setting and easier tinkering with the option if it's possible to set
this per-view. And more importantly, I'm quite sure someone /will/ ask to
set this centrally, but per host(group) eventually.
So as long as the final design is a) extendable to provide a per-host
setting in the future, even if that part is not implemented in this version
in the UI or not used by the clients immediatelly and b) it's easy for
clients to consume this setting, I'm fine.
I'm afraid I can't comment on the ipaConfig issues and the replication
concerns as I'm not that proficient with IPA internals..
If we introduce a new objectclass providing the attribute, we may then
easily extend IDView object by it (or any other object for that matter) and
fix the plugin code so that it can be set by framework, it is easy.
If you all agree that this is the way we want to move forward with this
project, I can update the design page and start implementing stuff. We need
to decide quicky, time is short.
This sounds good to me from purely the client perspective, but I'm
hardly the best person to decide IPA server-side design questions.
That's ok, the thing is that you will be consuming this information so
we should try our best to make you happy :).
--
Martin^3 Babinsky
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Martin Basti
2017-03-01 16:29:39 UTC
Permalink
Post by Simo Sorce
Post by Martin Babinsky
Post by Simo Sorce
Post by Martin Babinsky
Post by Simo Sorce
Post by Martin Babinsky
Hello list,
I have put together a draft of design page describing server-side
implementation of user short name -> fully-qualified name resolution.[1]
In the end I have taken the liberty to change a few aspects of the
design we have agreed on before and I will be grad if we can discuss
them further.
Me and Honza have discussed the object that should hold the domain
resolution order and given the fact that IPA domain can also be a part
of this list, we have decided that this information is no longer bound
to trust configuration and should be a part of the global config instead.
Also we have purposefully cut down the API only to a raw manipulation of
the attribute using an option of `ipa config-mod`. The reasons for this
* the developer resources are quite scarce and it may be good to
follow YAGNI[2] principle to implement the dumbest API now and not to
invest into more high-level interface unless there is a demand for it
* we can imagine that the manipulation of the domain resolution order
is a rare operation (ideally only once all trusts are established), so I
am not convinced that it is worth investing into designing higher-level API
I propose we first develop the "dumber" parts first to unblock the SSSD
part. If we have spare cycle afterwards then we can design and implement
more bells-and-whistles afterwards.
[1] https://www.freeipa.org/page/V4/AD_User_Short_Names
[2] https://en.wikipedia.org/wiki/You_aren%27t_gonna_need_it
Thank you Martin,
this is a good initial proposal.
- It conflates the idea of ordering with the idea of shortening user
names
I fail to see where the conflation takes place. The ordered list is
stored on the server. The client then uses it to expand short names. I
guess I am just missing something.
The attribute is called ipaNTDomainResolutionOrder, nothing in that
attribute says anything about making names become short names.
If it were ipaNTShortNameDomainResolutionOrder then it would be
specific, as it is it seem just to refer to the order in which domain
are resolved, but that is somethign we want in order to determine which
domains SSSD is going to make use short names too, not just the order in
which domains are resolved.
I hope this makes it clearer.
Post by Martin Babinsky
Post by Simo Sorce
- It allows only for one setting for all the machines, no way to treat
different groups of machines differently
Yes it was discussed that the setting will be global. I would implement
local overrides only when there is a demand for the feature given
development time is short.
Demand is immediate, and it is obvious IMO.
Such demand was not made clear during previous discussions and was not
mentioned by SSSD guys either AFAIK.
I guess this is why we do reviews :-)
Post by Martin Babinsky
Post by Simo Sorce
Post by Martin Babinsky
Post by Simo Sorce
The first one is probably just a matter of using a more specific name
for the new attribute, or, perhaps not use a new attribute at all but
ipaConfigString: Domains Use Short Name List: aaa bbb ccc ddd
The side effect of using ipaConfigString is that we can set this on
older servers too, so people do not have to upgrade their servers to use
this. Old servers will not have any validation, but that is ok, sssd
must be prepared to receive a bad list and deal with it appropriately
anyway.
No more 'ipaConfigString' attribute values, please. Me and everyone else
fixing e.g. replication issues can relate to the pain of doing CRUD
operations involving them.
ipaConfigString was devised explicitly so that configuration options
could be added without replication issues because the string can be
accepted by any server version.
So what replication issues are there ?
What has CRUD to do with it ?
Well consider client doing a) retrieve ipaDomainResolutionOrder and
split it by delimiter, or b) retrieve values of ipaConfigString, iterate
until you find one that starts with "Domains Use Short Name list:",
strip off the rest of the value and split it by delimiter.
I do not see any problem with this.
I disagree,

ipaConfigString evokes that this is IPA configuration, but AFAIK the
SSSD is the consumer of data and it is unrelated to configuration of IPA
server. If you plan to extend usage of 'ipaDomainResolutionOrder' to
more entries than one, then is better to have separate attribute that
allows better LDAP searches (debugging, support).
Why SSSD instead of downloading the exact attribute content should do a
parsing of messy values that can be inside ipaConfigString?

Why we suddenly plan to support older servers with a new feature? In
past access to new features required to upgrade freeipa, why we should
increase complexity of code and ldap searches? Any plugin that involve
ipaConfingString must be handled in special way, we basically cannot use
framework defaults -> increases bugs, devel time, prone to future
regressions. So in future when we implement UI for this we will suffer.

ipaConfigString is multivalued attribute, domains basically have to be
only one string to keep order (single value attribute) => additional
complications on both SSSD side and IPA framework side if somebody set
domain order as multiple values instead one. With single valued
attribute this is handled by free by LDAP.

Even for users is more natural to set string of domains to one attribute
instead of adding a new value with a special prefix and list domain to
multivalued attribute, the second is more error prone with worse UX.

I would like to have clean design, separate attributes for separate
features, otherwise we can just create ipaUltimateAtr and put JSON inside.

Martin^2
Post by Simo Sorce
Post by Martin Babinsky
I just feel anything involving 'ipaConfigString' leads to design smell,
sorry. Yes it is my personal opinion but I think there are more people
sharing it. If not, I am happy to hear counterarguments.
I am asking why, can you bring some evidence ?
I am all about feelings, they are important, but I want data to make a
decision.
Post by Martin Babinsky
Post by Simo Sorce
Post by Martin Babinsky
If the admin wishes old servers to server new clients this information,
They do not "wish", this is pretty much what happens all the time ...
Post by Martin Babinsky
all he has to do is upgrade a single replica, set the attribute value
there and let replication take care of the rest.
Come on, really ?
If you have RHEL6 it is not a matter of "simply" upgrading a single
replica, it means upgrade of the whole infrastructure ...
There is plenty of features not available to deplyments with RHEL6
masters, I simply fail to see why this one should be special.
It is not that it is special, my problem with that statement is that you
assume that it is easy to upgrade servers. It is not, and decisions
based on that assumption end up being very bad decisions for our users.
So please do not ever assume that our users can "just upgrade one of
their replicas".
Post by Martin Babinsky
Post by Simo Sorce
Post by Martin Babinsky
Yes, the management CLI
will not be available on the old masters but that is the case of new
features anyway.
I do not think we need any management UI in the short term to be honest,
just a way to set a string.
That will cut most development time that can be spent instead on dealing
with allowing smaller groups of machines to be affected instead.
Post by Martin Babinsky
Post by Simo Sorce
The second one is something we *may* address later, and use the setting
in cn=ipaConfig as a default, but there are two reasons why I think a
- it allows to test the setting on a small set of machines to see if
everything works right, this is going to be especially important on
existing setups, where people do not want to risk all machines
misbehaving at once if something goes wrong.
- it allows to migrate machines slowly, in some cases people may need to
change local files/application settings on machines if the usernames
change, so they may need a controlled roll out before changing a setting
globally.
This may achieved by adding this setting to an ID View for example, then
only hosts in that IDView would get this. Or a new object could be
created that has members, the former has the advantage of being already
in place and SSSD already downloads that data, the latter allows to
target an even smaller set of hosts unrelated to previous ID views
settings.
Simo.
That is an interesting proposal but I am afraid we may not get to
implement that during 4.5 development. I can certainly mention the
possibility in the design so that we can return to it when a need arises.
My take is: cut API/UI work, and do the underlying infrastructure work
for the widest set of serves/clients possible instead.
It is much more important to get the underlying gears done than to add
UI candy, that can be delayed.
Simo.
I agree, we just have to come to agreement of *which* gears are really
necessary.
Indeed, but adding attributes to ipaConfig and the ID Views is not hard,
it is a matter of extending two objectclasses instead of one ... if we
decide that Id Views are a good abstraction point.
Simo.
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Simo Sorce
2017-03-01 16:51:26 UTC
Permalink
Post by Martin Basti
Post by Simo Sorce
Post by Martin Babinsky
Post by Simo Sorce
Post by Martin Babinsky
Post by Simo Sorce
Post by Martin Babinsky
Hello list,
I have put together a draft of design page describing server-side
implementation of user short name -> fully-qualified name resolution.[1]
In the end I have taken the liberty to change a few aspects of the
design we have agreed on before and I will be grad if we can discuss
them further.
Me and Honza have discussed the object that should hold the domain
resolution order and given the fact that IPA domain can also be a part
of this list, we have decided that this information is no longer bound
to trust configuration and should be a part of the global config instead.
Also we have purposefully cut down the API only to a raw manipulation of
the attribute using an option of `ipa config-mod`. The reasons for this
* the developer resources are quite scarce and it may be good to
follow YAGNI[2] principle to implement the dumbest API now and not to
invest into more high-level interface unless there is a demand for it
* we can imagine that the manipulation of the domain resolution order
is a rare operation (ideally only once all trusts are established), so I
am not convinced that it is worth investing into designing higher-level API
I propose we first develop the "dumber" parts first to unblock the SSSD
part. If we have spare cycle afterwards then we can design and implement
more bells-and-whistles afterwards.
[1] https://www.freeipa.org/page/V4/AD_User_Short_Names
[2] https://en.wikipedia.org/wiki/You_aren%27t_gonna_need_it
Thank you Martin,
this is a good initial proposal.
- It conflates the idea of ordering with the idea of shortening user
names
I fail to see where the conflation takes place. The ordered list is
stored on the server. The client then uses it to expand short names. I
guess I am just missing something.
The attribute is called ipaNTDomainResolutionOrder, nothing in that
attribute says anything about making names become short names.
If it were ipaNTShortNameDomainResolutionOrder then it would be
specific, as it is it seem just to refer to the order in which domain
are resolved, but that is somethign we want in order to determine which
domains SSSD is going to make use short names too, not just the order in
which domains are resolved.
I hope this makes it clearer.
Post by Martin Babinsky
Post by Simo Sorce
- It allows only for one setting for all the machines, no way to treat
different groups of machines differently
Yes it was discussed that the setting will be global. I would implement
local overrides only when there is a demand for the feature given
development time is short.
Demand is immediate, and it is obvious IMO.
Such demand was not made clear during previous discussions and was not
mentioned by SSSD guys either AFAIK.
I guess this is why we do reviews :-)
Post by Martin Babinsky
Post by Simo Sorce
Post by Martin Babinsky
Post by Simo Sorce
The first one is probably just a matter of using a more specific name
for the new attribute, or, perhaps not use a new attribute at all but
ipaConfigString: Domains Use Short Name List: aaa bbb ccc ddd
The side effect of using ipaConfigString is that we can set this on
older servers too, so people do not have to upgrade their servers to use
this. Old servers will not have any validation, but that is ok, sssd
must be prepared to receive a bad list and deal with it appropriately
anyway.
No more 'ipaConfigString' attribute values, please. Me and everyone else
fixing e.g. replication issues can relate to the pain of doing CRUD
operations involving them.
ipaConfigString was devised explicitly so that configuration options
could be added without replication issues because the string can be
accepted by any server version.
So what replication issues are there ?
What has CRUD to do with it ?
Well consider client doing a) retrieve ipaDomainResolutionOrder and
split it by delimiter, or b) retrieve values of ipaConfigString, iterate
until you find one that starts with "Domains Use Short Name list:",
strip off the rest of the value and split it by delimiter.
I do not see any problem with this.
I disagree,
ipaConfigString evokes that this is IPA configuration, but AFAIK the
SSSD is the consumer of data and it is unrelated to configuration of IPA
server. If you plan to extend usage of 'ipaDomainResolutionOrder' to
more entries than one, then is better to have separate attribute that
allows better LDAP searches (debugging, support).
Why SSSD instead of downloading the exact attribute content should do a
parsing of messy values that can be inside ipaConfigString?
Why we suddenly plan to support older servers with a new feature? In
past access to new features required to upgrade freeipa, why we should
increase complexity of code and ldap searches? Any plugin that involve
ipaConfingString must be handled in special way, we basically cannot use
framework defaults -> increases bugs, devel time, prone to future
regressions. So in future when we implement UI for this we will suffer.
ipaConfigString is multivalued attribute, domains basically have to be
only one string to keep order (single value attribute) => additional
complications on both SSSD side and IPA framework side if somebody set
domain order as multiple values instead one. With single valued
attribute this is handled by free by LDAP.
Even for users is more natural to set string of domains to one attribute
instead of adding a new value with a special prefix and list domain to
multivalued attribute, the second is more error prone with worse UX.
I would like to have clean design, separate attributes for separate
features, otherwise we can just create ipaUltimateAtr and put JSON inside.
Given we are now talking about an attribute to reuse in multiple
objectclasss I tend to agree with all these points, my initial comments
on this were related to the single global option case.

Simo.

Martin^2
Post by Martin Basti
Post by Simo Sorce
Post by Martin Babinsky
I just feel anything involving 'ipaConfigString' leads to design smell,
sorry. Yes it is my personal opinion but I think there are more people
sharing it. If not, I am happy to hear counterarguments.
I am asking why, can you bring some evidence ?
I am all about feelings, they are important, but I want data to make a
decision.
Post by Martin Babinsky
Post by Simo Sorce
Post by Martin Babinsky
If the admin wishes old servers to server new clients this information,
They do not "wish", this is pretty much what happens all the time ...
Post by Martin Babinsky
all he has to do is upgrade a single replica, set the attribute value
there and let replication take care of the rest.
Come on, really ?
If you have RHEL6 it is not a matter of "simply" upgrading a single
replica, it means upgrade of the whole infrastructure ...
There is plenty of features not available to deplyments with RHEL6
masters, I simply fail to see why this one should be special.
It is not that it is special, my problem with that statement is that you
assume that it is easy to upgrade servers. It is not, and decisions
based on that assumption end up being very bad decisions for our users.
So please do not ever assume that our users can "just upgrade one of
their replicas".
Post by Martin Babinsky
Post by Simo Sorce
Post by Martin Babinsky
Yes, the management CLI
will not be available on the old masters but that is the case of new
features anyway.
I do not think we need any management UI in the short term to be honest,
just a way to set a string.
That will cut most development time that can be spent instead on dealing
with allowing smaller groups of machines to be affected instead.
Post by Martin Babinsky
Post by Simo Sorce
The second one is something we *may* address later, and use the setting
in cn=ipaConfig as a default, but there are two reasons why I think a
- it allows to test the setting on a small set of machines to see if
everything works right, this is going to be especially important on
existing setups, where people do not want to risk all machines
misbehaving at once if something goes wrong.
- it allows to migrate machines slowly, in some cases people may need to
change local files/application settings on machines if the usernames
change, so they may need a controlled roll out before changing a setting
globally.
This may achieved by adding this setting to an ID View for example, then
only hosts in that IDView would get this. Or a new object could be
created that has members, the former has the advantage of being already
in place and SSSD already downloads that data, the latter allows to
target an even smaller set of hosts unrelated to previous ID views
settings.
Simo.
That is an interesting proposal but I am afraid we may not get to
implement that during 4.5 development. I can certainly mention the
possibility in the design so that we can return to it when a need arises.
My take is: cut API/UI work, and do the underlying infrastructure work
for the widest set of serves/clients possible instead.
It is much more important to get the underlying gears done than to add
UI candy, that can be delayed.
Simo.
I agree, we just have to come to agreement of *which* gears are really
necessary.
Indeed, but adding attributes to ipaConfig and the ID Views is not hard,
it is a matter of extending two objectclasses instead of one ... if we
decide that Id Views are a good abstraction point.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Martin Babinsky
2017-03-02 07:10:54 UTC
Permalink
Post by Simo Sorce
Post by Martin Basti
Post by Simo Sorce
Post by Martin Babinsky
Post by Simo Sorce
Post by Martin Babinsky
Post by Simo Sorce
Post by Martin Babinsky
Hello list,
I have put together a draft of design page describing server-side
implementation of user short name -> fully-qualified name resolution.[1]
In the end I have taken the liberty to change a few aspects of the
design we have agreed on before and I will be grad if we can discuss
them further.
Me and Honza have discussed the object that should hold the domain
resolution order and given the fact that IPA domain can also be a part
of this list, we have decided that this information is no longer bound
to trust configuration and should be a part of the global config instead.
Also we have purposefully cut down the API only to a raw manipulation of
the attribute using an option of `ipa config-mod`. The reasons for this
* the developer resources are quite scarce and it may be good to
follow YAGNI[2] principle to implement the dumbest API now and not to
invest into more high-level interface unless there is a demand for it
* we can imagine that the manipulation of the domain resolution order
is a rare operation (ideally only once all trusts are established), so I
am not convinced that it is worth investing into designing higher-level API
I propose we first develop the "dumber" parts first to unblock the SSSD
part. If we have spare cycle afterwards then we can design and implement
more bells-and-whistles afterwards.
[1] https://www.freeipa.org/page/V4/AD_User_Short_Names
[2] https://en.wikipedia.org/wiki/You_aren%27t_gonna_need_it
Thank you Martin,
this is a good initial proposal.
- It conflates the idea of ordering with the idea of shortening user
names
I fail to see where the conflation takes place. The ordered list is
stored on the server. The client then uses it to expand short names. I
guess I am just missing something.
The attribute is called ipaNTDomainResolutionOrder, nothing in that
attribute says anything about making names become short names.
If it were ipaNTShortNameDomainResolutionOrder then it would be
specific, as it is it seem just to refer to the order in which domain
are resolved, but that is somethign we want in order to determine which
domains SSSD is going to make use short names too, not just the order in
which domains are resolved.
I hope this makes it clearer.
Post by Martin Babinsky
Post by Simo Sorce
- It allows only for one setting for all the machines, no way to treat
different groups of machines differently
Yes it was discussed that the setting will be global. I would implement
local overrides only when there is a demand for the feature given
development time is short.
Demand is immediate, and it is obvious IMO.
Such demand was not made clear during previous discussions and was not
mentioned by SSSD guys either AFAIK.
I guess this is why we do reviews :-)
Post by Martin Babinsky
Post by Simo Sorce
Post by Martin Babinsky
Post by Simo Sorce
The first one is probably just a matter of using a more specific name
for the new attribute, or, perhaps not use a new attribute at all but
ipaConfigString: Domains Use Short Name List: aaa bbb ccc ddd
The side effect of using ipaConfigString is that we can set this on
older servers too, so people do not have to upgrade their servers to use
this. Old servers will not have any validation, but that is ok, sssd
must be prepared to receive a bad list and deal with it appropriately
anyway.
No more 'ipaConfigString' attribute values, please. Me and everyone else
fixing e.g. replication issues can relate to the pain of doing CRUD
operations involving them.
ipaConfigString was devised explicitly so that configuration options
could be added without replication issues because the string can be
accepted by any server version.
So what replication issues are there ?
What has CRUD to do with it ?
Well consider client doing a) retrieve ipaDomainResolutionOrder and
split it by delimiter, or b) retrieve values of ipaConfigString, iterate
until you find one that starts with "Domains Use Short Name list:",
strip off the rest of the value and split it by delimiter.
I do not see any problem with this.
I disagree,
ipaConfigString evokes that this is IPA configuration, but AFAIK the
SSSD is the consumer of data and it is unrelated to configuration of IPA
server. If you plan to extend usage of 'ipaDomainResolutionOrder' to
more entries than one, then is better to have separate attribute that
allows better LDAP searches (debugging, support).
Why SSSD instead of downloading the exact attribute content should do a
parsing of messy values that can be inside ipaConfigString?
Why we suddenly plan to support older servers with a new feature? In
past access to new features required to upgrade freeipa, why we should
increase complexity of code and ldap searches? Any plugin that involve
ipaConfingString must be handled in special way, we basically cannot use
framework defaults -> increases bugs, devel time, prone to future
regressions. So in future when we implement UI for this we will suffer.
ipaConfigString is multivalued attribute, domains basically have to be
only one string to keep order (single value attribute) => additional
complications on both SSSD side and IPA framework side if somebody set
domain order as multiple values instead one. With single valued
attribute this is handled by free by LDAP.
Even for users is more natural to set string of domains to one attribute
instead of adding a new value with a special prefix and list domain to
multivalued attribute, the second is more error prone with worse UX.
I would like to have clean design, separate attributes for separate
features, otherwise we can just create ipaUltimateAtr and put JSON inside.
Given we are now talking about an attribute to reuse in multiple
objectclasss I tend to agree with all these points, my initial comments
on this were related to the single global option case.
Simo.
Martin^2
Post by Martin Basti
Post by Simo Sorce
Post by Martin Babinsky
I just feel anything involving 'ipaConfigString' leads to design smell,
sorry. Yes it is my personal opinion but I think there are more people
sharing it. If not, I am happy to hear counterarguments.
I am asking why, can you bring some evidence ?
I am all about feelings, they are important, but I want data to make a
decision.
Post by Martin Babinsky
Post by Simo Sorce
Post by Martin Babinsky
If the admin wishes old servers to server new clients this information,
They do not "wish", this is pretty much what happens all the time ...
Post by Martin Babinsky
all he has to do is upgrade a single replica, set the attribute value
there and let replication take care of the rest.
Come on, really ?
If you have RHEL6 it is not a matter of "simply" upgrading a single
replica, it means upgrade of the whole infrastructure ...
There is plenty of features not available to deplyments with RHEL6
masters, I simply fail to see why this one should be special.
It is not that it is special, my problem with that statement is that you
assume that it is easy to upgrade servers. It is not, and decisions
based on that assumption end up being very bad decisions for our users.
So please do not ever assume that our users can "just upgrade one of
their replicas".
Post by Martin Babinsky
Post by Simo Sorce
Post by Martin Babinsky
Yes, the management CLI
will not be available on the old masters but that is the case of new
features anyway.
I do not think we need any management UI in the short term to be honest,
just a way to set a string.
That will cut most development time that can be spent instead on dealing
with allowing smaller groups of machines to be affected instead.
Post by Martin Babinsky
Post by Simo Sorce
The second one is something we *may* address later, and use the setting
in cn=ipaConfig as a default, but there are two reasons why I think a
- it allows to test the setting on a small set of machines to see if
everything works right, this is going to be especially important on
existing setups, where people do not want to risk all machines
misbehaving at once if something goes wrong.
- it allows to migrate machines slowly, in some cases people may need to
change local files/application settings on machines if the usernames
change, so they may need a controlled roll out before changing a setting
globally.
This may achieved by adding this setting to an ID View for example, then
only hosts in that IDView would get this. Or a new object could be
created that has members, the former has the advantage of being already
in place and SSSD already downloads that data, the latter allows to
target an even smaller set of hosts unrelated to previous ID views
settings.
Simo.
That is an interesting proposal but I am afraid we may not get to
implement that during 4.5 development. I can certainly mention the
possibility in the design so that we can return to it when a need arises.
My take is: cut API/UI work, and do the underlying infrastructure work
for the widest set of serves/clients possible instead.
It is much more important to get the underlying gears done than to add
UI candy, that can be delayed.
Simo.
I agree, we just have to come to agreement of *which* gears are really
necessary.
Indeed, but adding attributes to ipaConfig and the ID Views is not hard,
it is a matter of extending two objectclasses instead of one ... if we
decide that Id Views are a good abstraction point.
Simo.
In this case it would probably be a good idea to think about "forward
compatibility" and define a new AUX objectclass bringing in
'ipaDomainResolutionOrder' instead of extending two separate
objectclasses. In this way we may the just extend whathever object we
desire to carry the override in an easy and clean way.
--
Martin^3 Babinsky
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Simo Sorce
2017-03-02 13:54:04 UTC
Permalink
Post by Martin Babinsky
In this case it would probably be a good idea to think about "forward
compatibility" and define a new AUX objectclass bringing in
'ipaDomainResolutionOrder' instead of extending two separate
objectclasses. In this way we may the just extend whathever object we
desire to carry the override in an easy and clean way.
I agree.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Martin Babinsky
2017-03-06 06:47:36 UTC
Permalink
Post by Simo Sorce
Post by Martin Babinsky
In this case it would probably be a good idea to think about "forward
compatibility" and define a new AUX objectclass bringing in
'ipaDomainResolutionOrder' instead of extending two separate
objectclasses. In this way we may the just extend whathever object we
desire to carry the override in an easy and clean way.
I agree.
Simo.
Now the most difficult question remains... How to name this objectclass.
I personally am out of ideas but will try my best to come up with
something meaningful.
--
Martin^3 Babinsky
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Simo Sorce
2017-03-06 12:48:40 UTC
Permalink
Post by Martin Babinsky
Post by Simo Sorce
Post by Martin Babinsky
In this case it would probably be a good idea to think about "forward
compatibility" and define a new AUX objectclass bringing in
'ipaDomainResolutionOrder' instead of extending two separate
objectclasses. In this way we may the just extend whathever object we
desire to carry the override in an easy and clean way.
I agree.
Simo.
Now the most difficult question remains... How to name this objectclass.
I personally am out of ideas but will try my best to come up with
something meaningful.
Try to describe what the option ultimately does with as few words as
possible.

Simo.
--
Simo Sorce * Red Hat, Inc * New York
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Martin Babinsky
2017-03-07 08:38:55 UTC
Permalink
Post by Simo Sorce
Post by Martin Babinsky
Post by Simo Sorce
Post by Martin Babinsky
In this case it would probably be a good idea to think about "forward
compatibility" and define a new AUX objectclass bringing in
'ipaDomainResolutionOrder' instead of extending two separate
objectclasses. In this way we may the just extend whathever object we
desire to carry the override in an easy and clean way.
I agree.
Simo.
Now the most difficult question remains... How to name this objectclass.
I personally am out of ideas but will try my best to come up with
something meaningful.
Try to describe what the option ultimately does with as few words as
possible.
Simo.
I was thinking about this and since we are performing name qualification
(short-name -> fully-qualified name incl. domain/realm part), I would
like to propose the following naming schema:

objectlasses: ( OID_TBD NAME ipaNameQualificationData Desc 'data used
for short name qualification data' SUP top AUXILIARY MAY
(ipaNameQualificationDomainList) X-ORIGIN 'IPA 4.5' )

attributeTypes: ( OID_TBD NAME 'ipaNameQualificationDomainList' DESC
'List of domains used to qualify user short name' EQUALITY
caseIgnoreIA5Match SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
X-ORIGIN 'IPA v4.5' )

Let me know if you are ok with this or am I overengineering the names?

I would like to solve this quickly so that I can finish the design and
start implementation.
--
Martin^3 Babinsky
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Simo Sorce
2017-03-07 14:14:05 UTC
Permalink
Post by Martin Babinsky
Post by Simo Sorce
Post by Martin Babinsky
Post by Simo Sorce
Post by Martin Babinsky
In this case it would probably be a good idea to think about "forward
compatibility" and define a new AUX objectclass bringing in
'ipaDomainResolutionOrder' instead of extending two separate
objectclasses. In this way we may the just extend whathever object we
desire to carry the override in an easy and clean way.
I agree.
Simo.
Now the most difficult question remains... How to name this objectclass.
I personally am out of ideas but will try my best to come up with
something meaningful.
Try to describe what the option ultimately does with as few words as
possible.
Simo.
I was thinking about this and since we are performing name qualification
(short-name -> fully-qualified name incl. domain/realm part), I would
objectlasses: ( OID_TBD NAME ipaNameQualificationData Desc 'data used
for short name qualification data' SUP top AUXILIARY MAY
(ipaNameQualificationDomainList) X-ORIGIN 'IPA 4.5' )
attributeTypes: ( OID_TBD NAME 'ipaNameQualificationDomainList' DESC
'List of domains used to qualify user short name' EQUALITY
caseIgnoreIA5Match SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
X-ORIGIN 'IPA v4.5' )
Let me know if you are ok with this or am I overengineering the names?
I would like to solve this quickly so that I can finish the design and
start implementation.
I was thinking that we can use acronyms here to make it less of a
mouthful and also more easily recognizable:
My idea is:
- ipaNameQualificationData -> ipaFQDNPolicies
- ipaNameQualificationDomainList -> ipaFQDNCheckOrder

Simo.
--
Simo Sorce * Red Hat, Inc * New York
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Alexander Bokovoy
2017-03-07 14:34:42 UTC
Permalink
Post by Simo Sorce
Post by Martin Babinsky
Post by Simo Sorce
Post by Martin Babinsky
Post by Simo Sorce
Post by Martin Babinsky
In this case it would probably be a good idea to think about "forward
compatibility" and define a new AUX objectclass bringing in
'ipaDomainResolutionOrder' instead of extending two separate
objectclasses. In this way we may the just extend whathever object we
desire to carry the override in an easy and clean way.
I agree.
Simo.
Now the most difficult question remains... How to name this objectclass.
I personally am out of ideas but will try my best to come up with
something meaningful.
Try to describe what the option ultimately does with as few words as
possible.
Simo.
I was thinking about this and since we are performing name qualification
(short-name -> fully-qualified name incl. domain/realm part), I would
objectlasses: ( OID_TBD NAME ipaNameQualificationData Desc 'data used
for short name qualification data' SUP top AUXILIARY MAY
(ipaNameQualificationDomainList) X-ORIGIN 'IPA 4.5' )
attributeTypes: ( OID_TBD NAME 'ipaNameQualificationDomainList' DESC
'List of domains used to qualify user short name' EQUALITY
caseIgnoreIA5Match SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
X-ORIGIN 'IPA v4.5' )
Let me know if you are ok with this or am I overengineering the names?
I would like to solve this quickly so that I can finish the design and
start implementation.
I was thinking that we can use acronyms here to make it less of a
- ipaNameQualificationData -> ipaFQDNPolicies
- ipaNameQualificationDomainList -> ipaFQDNCheckOrder
Sounds good to me.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Martin Babinsky
2017-03-07 14:41:03 UTC
Permalink
Post by Alexander Bokovoy
Post by Simo Sorce
Post by Martin Babinsky
Post by Simo Sorce
Post by Martin Babinsky
Post by Simo Sorce
Post by Martin Babinsky
In this case it would probably be a good idea to think about "forward
compatibility" and define a new AUX objectclass bringing in
'ipaDomainResolutionOrder' instead of extending two separate
objectclasses. In this way we may the just extend whathever object we
desire to carry the override in an easy and clean way.
I agree.
Simo.
Now the most difficult question remains... How to name this objectclass.
I personally am out of ideas but will try my best to come up with
something meaningful.
Try to describe what the option ultimately does with as few words as
possible.
Simo.
I was thinking about this and since we are performing name qualification
(short-name -> fully-qualified name incl. domain/realm part), I would
objectlasses: ( OID_TBD NAME ipaNameQualificationData Desc 'data used
for short name qualification data' SUP top AUXILIARY MAY
(ipaNameQualificationDomainList) X-ORIGIN 'IPA 4.5' )
attributeTypes: ( OID_TBD NAME 'ipaNameQualificationDomainList' DESC
'List of domains used to qualify user short name' EQUALITY
caseIgnoreIA5Match SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
X-ORIGIN 'IPA v4.5' )
Let me know if you are ok with this or am I overengineering the names?
I would like to solve this quickly so that I can finish the design and
start implementation.
I was thinking that we can use acronyms here to make it less of a
- ipaNameQualificationData -> ipaFQDNPolicies
- ipaNameQualificationDomainList -> ipaFQDNCheckOrder
Sounds good to me.
--
/ Alexander Bokovoy
I am not sure about the relation of this to any policy, but I guess that is
just nitpicking.

I will wait awhile for others to object and then update design.
--
Martin Babinsky
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Martin Basti
2017-03-07 17:50:41 UTC
Permalink
Post by Martin Babinsky
Post by Alexander Bokovoy
Post by Simo Sorce
Post by Martin Babinsky
Post by Simo Sorce
Post by Martin Babinsky
Post by Simo Sorce
Post by Martin Babinsky
In this case it would probably be a good idea to think about "forward
compatibility" and define a new AUX objectclass bringing in
'ipaDomainResolutionOrder' instead of extending two separate
objectclasses. In this way we may the just extend whathever object we
desire to carry the override in an easy and clean way.
I agree.
Simo.
Now the most difficult question remains... How to name this objectclass.
I personally am out of ideas but will try my best to come up with
something meaningful.
Try to describe what the option ultimately does with as few words as
possible.
Simo.
I was thinking about this and since we are performing name qualification
(short-name -> fully-qualified name incl. domain/realm part), I would
objectlasses: ( OID_TBD NAME ipaNameQualificationData Desc 'data used
for short name qualification data' SUP top AUXILIARY MAY
(ipaNameQualificationDomainList) X-ORIGIN 'IPA 4.5' )
attributeTypes: ( OID_TBD NAME 'ipaNameQualificationDomainList' DESC
'List of domains used to qualify user short name' EQUALITY
caseIgnoreIA5Match SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
X-ORIGIN 'IPA v4.5' )
Let me know if you are ok with this or am I overengineering the names?
I would like to solve this quickly so that I can finish the design and
start implementation.
I was thinking that we can use acronyms here to make it less of a
- ipaNameQualificationData -> ipaFQDNPolicies
- ipaNameQualificationDomainList -> ipaFQDNCheckOrder
Sounds good to me.
--
/ Alexander Bokovoy
I am not sure about the relation of this to any policy, but I guess that is
just nitpicking.
I will wait awhile for others to object and then update design.
I agree to not use "policy" in the name
Martin^2
Jan Cholasta
2017-03-08 06:37:40 UTC
Permalink
Post by Simo Sorce
Post by Martin Babinsky
Post by Simo Sorce
Post by Martin Babinsky
Post by Simo Sorce
Post by Martin Babinsky
In this case it would probably be a good idea to think about "forward
compatibility" and define a new AUX objectclass bringing in
'ipaDomainResolutionOrder' instead of extending two separate
objectclasses. In this way we may the just extend whathever object we
desire to carry the override in an easy and clean way.
I agree.
Simo.
Now the most difficult question remains... How to name this objectclass.
I personally am out of ideas but will try my best to come up with
something meaningful.
Try to describe what the option ultimately does with as few words as
possible.
Simo.
I was thinking about this and since we are performing name qualification
(short-name -> fully-qualified name incl. domain/realm part), I would
objectlasses: ( OID_TBD NAME ipaNameQualificationData Desc 'data used
for short name qualification data' SUP top AUXILIARY MAY
(ipaNameQualificationDomainList) X-ORIGIN 'IPA 4.5' )
attributeTypes: ( OID_TBD NAME 'ipaNameQualificationDomainList' DESC
'List of domains used to qualify user short name' EQUALITY
caseIgnoreIA5Match SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
X-ORIGIN 'IPA v4.5' )
Let me know if you are ok with this or am I overengineering the names?
I would like to solve this quickly so that I can finish the design and
start implementation.
I was thinking that we can use acronyms here to make it less of a
- ipaNameQualificationData -> ipaFQDNPolicies
- ipaNameQualificationDomainList -> ipaFQDNCheckOrder
TBH I liked ipaDomainResolutionOrder the best, both
ipaNameQualificationDomainList and ipaFQDNCheckOrder sound
overengineered to me :-)

If ipaDomainResolutionOrder is not good enough, we could draw some
inspiration from resolv.conf and use e.g. ipaDomainSearchList.
--
Jan Cholasta
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Martin Babinsky
2017-03-08 07:18:17 UTC
Permalink
Post by Jan Cholasta
Post by Simo Sorce
Post by Martin Babinsky
Post by Simo Sorce
Post by Martin Babinsky
Post by Simo Sorce
Post by Martin Babinsky
In this case it would probably be a good idea to think about "forward
compatibility" and define a new AUX objectclass bringing in
'ipaDomainResolutionOrder' instead of extending two separate
objectclasses. In this way we may the just extend whathever object we
desire to carry the override in an easy and clean way.
I agree.
Simo.
Now the most difficult question remains... How to name this objectclass.
I personally am out of ideas but will try my best to come up with
something meaningful.
Try to describe what the option ultimately does with as few words as
possible.
Simo.
I was thinking about this and since we are performing name qualification
(short-name -> fully-qualified name incl. domain/realm part), I would
objectlasses: ( OID_TBD NAME ipaNameQualificationData Desc 'data used
for short name qualification data' SUP top AUXILIARY MAY
(ipaNameQualificationDomainList) X-ORIGIN 'IPA 4.5' )
attributeTypes: ( OID_TBD NAME 'ipaNameQualificationDomainList' DESC
'List of domains used to qualify user short name' EQUALITY
caseIgnoreIA5Match SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
X-ORIGIN 'IPA v4.5' )
Let me know if you are ok with this or am I overengineering the names?
I would like to solve this quickly so that I can finish the design and
start implementation.
I was thinking that we can use acronyms here to make it less of a
- ipaNameQualificationData -> ipaFQDNPolicies
- ipaNameQualificationDomainList -> ipaFQDNCheckOrder
TBH I liked ipaDomainResolutionOrder the best, both
ipaNameQualificationDomainList and ipaFQDNCheckOrder sound overengineered to
me :-)
If ipaDomainResolutionOrder is not good enough, we could draw some
inspiration from resolv.conf and use e.g. ipaDomainSearchList.
--
Jan Cholasta
Sigh, naming stuff is always the hardest path.

As a compromise let's settle with the following:

* objectclass: ipaNameResolutionData
* attribute: ipaDomainSearchList

I will use these to update the design page. You can the objet during another
phase of review process.
--
Martin Babinsky
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Martin Babinsky
2017-03-08 09:30:18 UTC
Permalink
Post by Martin Babinsky
Hello list,
I have put together a draft of design page describing server-side
implementation of user short name -> fully-qualified name resolution.[1]
In the end I have taken the liberty to change a few aspects of the design we
have agreed on before and I will be grad if we can discuss them further.
Me and Honza have discussed the object that should hold the domain resolution
order and given the fact that IPA domain can also be a part of this list, we
have decided that this information is no longer bound to trust configuration
and should be a part of the global config instead.
Also we have purposefully cut down the API only to a raw manipulation of the
attribute using an option of `ipa config-mod`. The reasons for this are
* the developer resources are quite scarce and it may be good to follow
YAGNI[2] principle to implement the dumbest API now and not to invest into
more high-level interface unless there is a demand for it
* we can imagine that the manipulation of the domain resolution order is a
rare operation (ideally only once all trusts are established), so I am not
convinced that it is worth investing into designing higher-level API
I propose we first develop the "dumber" parts first to unblock the SSSD part.
If we have spare cycle afterwards then we can design and implement more
bells-and-whistles afterwards.
[1] https://www.freeipa.org/page/V4/AD_User_Short_Names
[2] https://en.wikipedia.org/wiki/You_aren%27t_gonna_need_it
--
Martin^3 Babinsky
--
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
I have updated the design page[1] and incorporated most of the comments from all
reviewers. The most dramatic change is that I have expanded the discussion by
the possibility for overriding global domain resolution order by ID
view-specific settings. I have also expanded How-To section accordingly.

Please try to review and comment during today as the window for development is
quickly closing.

[1] http://www.freeipa.org/page/V4/AD_User_Short_Names
--
Martin Babinsky
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Jan Cholasta
2017-03-08 10:02:15 UTC
Permalink
Post by Martin Babinsky
Post by Martin Babinsky
Hello list,
I have put together a draft of design page describing server-side
implementation of user short name -> fully-qualified name resolution.[1]
In the end I have taken the liberty to change a few aspects of the design we
have agreed on before and I will be grad if we can discuss them further.
Me and Honza have discussed the object that should hold the domain resolution
order and given the fact that IPA domain can also be a part of this list, we
have decided that this information is no longer bound to trust configuration
and should be a part of the global config instead.
Also we have purposefully cut down the API only to a raw manipulation of the
attribute using an option of `ipa config-mod`. The reasons for this are
* the developer resources are quite scarce and it may be good to follow
YAGNI[2] principle to implement the dumbest API now and not to invest into
more high-level interface unless there is a demand for it
* we can imagine that the manipulation of the domain resolution order is a
rare operation (ideally only once all trusts are established), so I am not
convinced that it is worth investing into designing higher-level API
I propose we first develop the "dumber" parts first to unblock the SSSD part.
If we have spare cycle afterwards then we can design and implement more
bells-and-whistles afterwards.
[1] https://www.freeipa.org/page/V4/AD_User_Short_Names
[2] https://en.wikipedia.org/wiki/You_aren%27t_gonna_need_it
--
Martin^3 Babinsky
--
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
I have updated the design page[1] and incorporated most of the comments from all
reviewers. The most dramatic change is that I have expanded the discussion by
the possibility for overriding global domain resolution order by ID
view-specific settings. I have also expanded How-To section accordingly.
Please try to review and comment during today as the window for development is
quickly closing.
LGTM.
Post by Martin Babinsky
[1] http://www.freeipa.org/page/V4/AD_User_Short_Names
--
Jan Cholasta
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Loading...