ipa: support disabled domains #884

Closed
wants to merge 5 commits into from

Conversation

sumit-bose
Contributor

IPA does not disable domains with the help of a flag in the domain objects but
more generally with the help of the SID blacklist. With this patch the blacklist
is read with other data about trusted domains and if the domain SID of a
trusted domain is found the domain is disabled. As a result users and groups
from this domain cannot be looked up anymore.

Related to https://pagure.io/SSSD/sssd/issue/4078

@pbrezina
Member

Shouldn't you also delete the disabled subdomain with sysdb_subdomain_delete()?

@pbrezina pbrezina self-assigned this Sep 16, 2019
@sumit-bose
Contributor Author

Hi,

thank you for the review. I'd prefer to keep the domain around even in the cache. Even if there is no technical reason I can currently think of, having the message in the logs that the domain is disabled instead of just a missing message might help to better understand the reason for issues.

bye,
Sumit

@pbrezina
Member

Can't we have both? Domain removed from the cache and message that it is disabled in the logs? Because the domain data may take up significant space on the disc.

@pbrezina
Member

Perhaps remove domain data but keep the domain object?

@sumit-bose
Contributor Author

Ah, you mean the user and group data, I was thinking about the domain object.

Yes, I'll update the patch to remove user and group data.

This extension is needed to support disabled domains since it is
now important to know if a domain is really unknown or only disabled.
While an unknown domain might typically lead to an error, a caller might
just ignore requests for disabled domains or objects from disabled
domains.

Related to https://pagure.io/SSSD/sssd/issue/4078
IPA does not disable domains with the help of a flag in the domain
objects but more generally with the help of the SID blacklist. With this
patch the blacklist is read with other data about trusted domains and if
the domain SID of a trusted domain is found the domain is disabled. As a
result users and groups from this domain cannot be looked up anymore.

Related to https://pagure.io/SSSD/sssd/issue/4078
It is possible that a domain is already disabled on an IPA client but
still active on the server. This might happen e.g. if the version of
SSSD running on the IPA server does not support disabled domains or if
SSSD on the IPA client updates the domain data before the IPA server and
sees a freshly disabled domain earlier.

As a result the server is still sending objects from disabled domains in
the lists of group members or group memberships of a user. The client
should just ignore those objects.

Related to https://pagure.io/SSSD/sssd/issue/4078
sysdb_subdomain_content_delete() will remove all user and group objects
from a sub-domain container but not the sub-domain object and the user
and group container itself.

Related to https://pagure.io/SSSD/sssd/issue/4078
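The mechanism the commit messages above describe, as an added C example that is not SSSD's code: a constructed trusted-domain table and SID blacklist, a blacklist match that marks the domain disabled, a lookup that distinguishes a disabled domain from an unknown one, and a client-side filter that drops group members from disabled domains while still counting members from unknown domains. All SIDs, function names and data structures here are assumptions for illustration.

```c
#include <stdbool.h>
#include <string.h>
enum dom_state { DOM_ACTIVE, DOM_DISABLED, DOM_UNKNOWN };
struct trusted_dom { const char *sid; bool disabled; };

/* Constructed sample data: two trusted domains known to the IPA server. */
static struct trusted_dom domains[] = {
    { "S-1-5-21-1111111111-2222222222-3333333333", false },   /* ad.example.test  */
    { "S-1-5-21-4444444444-5555555555-6666666666", false },   /* old.example.test */
};
#define NDOMAINS (sizeof(domains) / sizeof(domains[0]))

/* Disable every trusted domain whose SID is on the blacklist; returns the count. */
static size_t apply_sid_blacklist(const char *const *blacklist, size_t nbl)
{
    size_t ndisabled = 0;
    for (size_t d = 0; d < NDOMAINS; d++)
        for (size_t b = 0; b < nbl; b++)
            if (strcmp(domains[d].sid, blacklist[b]) == 0) {
                domains[d].disabled = true;
                ndisabled++;
                break;
            }
    return ndisabled;
}

/* Classify an object SID ("<domain SID>-<RID>") by its domain, so a caller can
 * tell "disabled" (just ignore the object) from "unknown" (an error). */
static enum dom_state classify_object_sid(const char *obj_sid)
{
    for (size_t d = 0; d < NDOMAINS; d++) {
        size_t len = strlen(domains[d].sid);
        if (strncmp(obj_sid, domains[d].sid, len) == 0 && obj_sid[len] == '-')
            return domains[d].disabled ? DOM_DISABLED : DOM_ACTIVE;
    }
    return DOM_UNKNOWN;
}

/* Client side: keep members from active domains, silently drop members from
 * disabled domains (the server may still send them), count unknown ones. */
static size_t filter_members(const char *const *members, size_t n,
                             const char **kept, size_t *unknown)
{
    size_t nkept = 0;
    *unknown = 0;
    for (size_t i = 0; i < n; i++) {
        enum dom_state st = classify_object_sid(members[i]);
        if (st == DOM_ACTIVE) kept[nkept++] = members[i];
        else if (st == DOM_UNKNOWN) (*unknown)++;
    }
    return nkept;
}
```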
@sumit-bose
Contributor Author

Hi,

I added 2 new patches, one with a new sysdb call, the other to use it if a domain gets disabled.

bye,
Sumit

@pbrezina
Member

Thank you. Ack.

@pbrezina pbrezina added the labels Accepted, Ready to push and branch: sssd-1-16 (Target also sssd-1-16 branch), and removed Waiting for review, Sep 19, 2019
@pbrezina
Member

  • master
    • fa3e53b - ipa: delete content of disabled domains
    • b12e7a4 - sysdb: add sysdb_subdomain_content_delete()
    • 13297b8 - ipa: ignore objects from disabled domains on the client
    • 3c871a3 - ipa: support disabled domains
    • 2e16148 - utils: extend some find_domain_* calls to search disabled domain
  • sssd-1-16
    • 124957a - ipa: delete content of disabled domains
    • a9f03f0 - sysdb: add sysdb_subdomain_content_delete()
    • cc42fe7 - ipa: ignore objects from disabled domains on the client
    • 698e27d - ipa: support disabled domains
    • 2ea937a - utils: extend some find_domain_* calls to search disabled domain

Labels: branch: sssd-1-16 (Target also sssd-1-16 branch), Pushed