On Thu, May 9, 2024 at 12:25 AM Alexander Bokovoy <abokovoy(a)redhat.com> wrote:
On Срд, 08 мая 2024, Mauricio Tavares via FreeIPA-devel wrote:
>constants.py[1] defines both constants (OK, their values are defined a
>few lines up but you get the drift). Can I ASSume that
>MIN_DOMAIN_LEVEL and MAX_DOMAIN_LEVEL define the ranges of domain
>levels[2] a specific version of freeipa is happy to work with?
>
>
>[1]
https://github.com/freeipa/freeipa/blob/master/ipalib/constants.py#L295C1...
>[2]
https://www.freeipa.org/page/Releases/4.3.0.html#domain-level
Yes, these are general constants. What is the need to know not a current
domain level but rather a range?
If this is what was discussed on #freeipa IRC channel, then the code
there assumes minimum domain level of the current release to avoid
working with IPA servers that weren't upgraded to that version and
therefore have no implementation of expected functionality.
The best solution there is to upgrade those servers and explicitly set
domain level 1 on them with 'ipa domainlevel-set 1'.
While that is how it started, and while I was looking to
understand the process, I ended up with more questions, hence me
asking here instead of in the user mailing list. For instance, I
observed that some of the code that deals with domain levels assumes
that MIN_DOMAIN_LEVEL == domain level (Only place I remember seeing
both being used was ipaserver/install/server/__init__.py). So, they
are not just a range; if I were to guess I would say
1) MIN_DOMAIN_LEVEL = My domain level
2) MAX_DOMAIN_LEVEL = The highest domain level I am comfortable dealing with.
3) The actual numeric value for both constants will change with time
as freeipa evolves (see __init__.py above)
4) I assume "ipa domainlevel-set 1" overrules MIN_DOMAIN_LEVEL, but
what if a given function that relies on it has MIN_DOMAIN_LEVEL
hardcoded to it (importing from the constants.py file)?
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>