Add initial Domains REST API endpoint #17
Conversation
f-trivino
force-pushed
the
domains
branch
3 times, most recently
from
ecd6d02 to
a5d33f9
Compare
f-trivino
changed the title
There was a problem hiding this comment.
Hi @f-trivino
please find some inline comments.
I didn't manage to run the delete domain part, or get domain. Not sure what is missing, though...
f-trivino
force-pushed
the
domains
branch
2 times, most recently
from
86120d2 to
dd73e58
Compare
f-trivino
force-pushed
the
domains
branch
9 times, most recently
from
36db1d8 to
dfcc725
Compare
This commit is also adding packages to requirements.txt for the Domains REST API Based on: https://www.django-rest-framework.org/#installation Signed-off-by: Francisco Trivino <[email protected]>
|
Hi @f-trivino The code is probably missing a step after ipa-client-install in order to create the admin keytab. |
| description = models.TextField(blank=True) | ||
|
|
||
| # The connection URL to the identity server | ||
| integration_domain_url = models.CharField(max_length=255) |
There was a problem hiding this comment.
If the provider is IPA, is this field optional? With the autodiscovery mechanism it is not required.
There was a problem hiding this comment.
good catch, it is mandatory always. Would it be ok to fix this in next PRs?
|
|
||
| # container image should contain the user and group | ||
| # groupadd scim | ||
| args = ['groupadd', 'scim'] |
There was a problem hiding this comment.
What is the purpose of this local user "scim"? Is it only to store the keytab for ipatuura->ipa communication?
There was a problem hiding this comment.
yep, that's right, folder: /var/lib/ipa/ipatuura/
f-trivino
force-pushed
the
domains
branch
4 times, most recently
from
bbbfa08 to
6651045
Compare
There was a problem hiding this comment.
Hi @f-trivino
I tested mainly the ipa provider and will continue tomorrow with ad and ldap providers. First comments:
- right now, the Domains rest api does not require any authentication but it should be protected and restricted to the django admin user.
- a call to delete a domain with a wrong id does not return any error, IMO it should mention something like "No such domain".
- if a wrong client id/password is provided, ipa-client-install fails but this error is not well handled
- if 2 calls are done to add the same domain, the rest api does not complain but we end up with 2 domains in the sql db and only one in sssd.conf. Removing any of these domains results in an inconsistency (one remaining domain in sql, but no domain in sssd.conf).
| description = models.TextField(blank=True) | ||
|
|
||
| # The connection URL to the identity server | ||
| integration_domain_url = models.CharField(max_length=255) |
There was a problem hiding this comment.
Hi @f-trivino
please find additional comments for LDAP and AD providers
| else: | ||
| if domain['id_provider'] == 'ad': | ||
| join_ad_realm(domain) | ||
| config_default_sssd(domain) |
There was a problem hiding this comment.
Calling realm join already creates sssd.conf, with different settings:
[sssd]
config_file_version = 2
domains = ad.test
services = nss, pam, ifp
[nss]
timeout = 60
[pam]
timeout = 60
[ifp]
user_attributes = +sn, +givenname, +lock, +mail
[domain/ad.test]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = AD.TEST
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = ad.test
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad
Not sure that this call to config_default_sssd is needed.
There was a problem hiding this comment.
For the ldap provider, which authentication method is used? it's possible to set ldap_krb5_keytab or ldap_default_bind_dn but I didn't find if ipatuura is configuring any.
There was a problem hiding this comment.
The code right now is performing a simple bind with password. This needs to be improved, following issue ticket #28 talks about enabling TLS support.
I fixed sssd.conf and now ldap_default_bind_dn is added. I'm re-using client_id content for the bind_dn for now.
Thanks @flo-renaud , I've filed tickets to address these issues: |
f-trivino
force-pushed
the
domains
branch
2 times, most recently
from
4d7b310 to
f454a30
Compare
This commit implements an API endpoint that allows making GET, POST, PUT, and PATCH requests to read, create, and update Domain objects. This implementation includes helper functions in utils.py responsible for configuring sssd service accordingly. Signed-off-by: Francisco Trivino <[email protected]>
This commit adds the migrations based on the Domains model. Signed-off-by: Francisco Trivino <[email protected]>
This commit adds swagger as a documentation generator for REST framework as well as an easy way to test the domains administrative end-points. Signed-off-by: Francisco Trivino <[email protected]>
This commit adds missing code to extend writable interface to write back user modifications for attributes defined in AD integration domain. Signed-off-by: Francisco Trivino <[email protected]>
This PR implements an API endpoint that allows making GET, POST, PUT, and PATCH requests to read, create, and update Domain objects.
This implementation includes helper functions in utils.py responsible for configuring SSSD service accordingly.