Martin Babinsky
2017-02-28 12:29:50 UTC
Hello list,

I have put together a draft of a design page describing server-side
implementation of user short name -> fully-qualified name resolution.[1]

In the end I have taken the liberty to change a few aspects of the
design we have agreed on before and I will be glad if we can discuss
them further.

Me and Honza have discussed the object that should hold the domain
resolution order and given the fact that IPA domain can also be a part
of this list, we have decided that this information is no longer bound
to trust configuration and should be a part of the global config instead.

Also we have purposefully cut down the API only to a raw manipulation of
the attribute using an option of `ipa config-mod`. The reasons for this
are twofold:

* the developer resources are quite scarce and it may be good to
  follow the YAGNI[2] principle to implement the dumbest API now and not to
  invest into more high-level interface unless there is a demand for it
* we can imagine that the manipulation of the domain resolution order
  is a rare operation (ideally only once all trusts are established), so I
  am not convinced that it is worth investing into designing higher-level API

I propose we first develop the "dumber" parts first to unblock the SSSD
part. If we have spare cycles afterwards then we can design and implement
more bells-and-whistles afterwards.

[1] https://www.freeipa.org/page/V4/AD_User_Short_Names
[2] https://en.wikipedia.org/wiki/You_aren%27t_gonna_need_it
--
Martin^3 Babinsky
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code