[Freeipa-devel] First cut of schema doc

Pete Rowley prowley at redhat.com
Wed Jul 11 23:39:23 UTC 2007


Andrew Bartlett wrote:
> On Wed, 2007-07-11 at 15:50 -0700, Pete Rowley wrote:
>> Andrew Bartlett wrote:
>>> On Wed, 2007-07-11 at 15:23 -0700, Pete Rowley wrote:
>>>> Simo Sorce wrote:
>>>>> On Wed, 2007-07-11 at 14:53 -0700, Pete Rowley wrote:
>>>>>> Getting something up to argue over :)
>>>>>>
>>>>>> http://freeipa.com/page/SchemaV1
>>>>> Questions and remarks:
>>>>> - what is/why dc=com ?
>>>> could be dc=org or whatever that component of the realm name is. The 
>>>> important thing is the splitting off of the most significant portion of 
>>>> the realm name from the suffix to be part of DIT (replacing cn=default 
>>>> which we didn't like)
>>> Doesn't that break referrals to other DIT trees that may hold other
>>> parts of the data?  
>> I don't think so, but then I don't think we are going to support such a 
>> model.
>
> It just seems ugly and inconsistent to start that far up the domain
> tree.

/shrug - that's how they thought all trees would look originally, or at 
least, the one tree to rule them all :)  Not married to it though, I was 
just looking for a way of renaming cn=default which Simo wanted.

>   And it seems to invite someone to hard-code dc=com, then be
> busted when deployed to dc=au...

I don't see how that is any more true than with any other suffix. The 
dc=com can actually be any suffix, but in practice our install scripts 
will create the suffix and create this tree structure. If clients are 
likely to hard code anything it would be the basedn = the Kerberos 
realm/DNS domain name dc-ified, which would be right and we'll try to 
keep it that way.

OTOH if anyone can come up with a nice name for the dc=realm bit (which 
used to be called cn=default - ick) we can drop this.

> If we can't modify it, can we at least have the clients search the
> published suffixes (we do publish them somehow don't we?)

Yes, in rootDSE in the namingContexts attribute.

>  for
> objectClass=ipaRealm?

That's the idea.

-- 
Pete
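
The client-side discovery discussed in this message, as an added example that is not part of the original post or of FreeIPA's code: it dc-ifies a realm name into a base DN, checks it against the suffixes published in namingContexts, and otherwise falls back to searching every published suffix for objectClass=ipaRealm. The function names, the fallback order, the restriction to DNS-style realm names and the sample namingContexts values are assumptions made for illustration.

```python
import re

# Constructed sample: namingContexts values as read from a server's rootDSE.
SAMPLE_NAMING_CONTEXTS = ["DC=com", "o=NetscapeRoot"]

REALM_FILTER = "(objectClass=ipaRealm)"
_DNS_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def realm_to_basedn(realm):
    """dc-ify a Kerberos realm / DNS domain: EXAMPLE.COM -> dc=example,dc=com."""
    labels = realm.strip().rstrip(".").lower().split(".")
    for label in labels:
        # Accept plain DNS labels only, so DN metacharacters such as
        # ',', '+', '=' or '\\' can never end up inside the base DN.
        if not _DNS_LABEL.fullmatch(label):
            raise ValueError("not a DNS label: %r" % label)
    return ",".join("dc=" + label for label in labels)


def normalize_dn(dn):
    """Lower-case a DN and strip spaces around its RDNs (simple DNs only)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def search_plan(realm, naming_contexts):
    """Return the (base, scope, filter) searches a client would issue."""
    wanted = realm_to_basedn(realm)
    for nc in naming_contexts:
        suffix = normalize_dn(nc)
        # The dc-ified realm is usable only if the server publishes a
        # suffix that equals it or contains it.
        if wanted == suffix or wanted.endswith("," + suffix):
            return [(wanted, "base", REALM_FILTER)]
    # No published suffix holds the dc-ified name (for example, a client
    # that assumed dc=com talking to a dc=au deployment): look for the
    # realm entry under every published suffix instead of guessing one.
    return [(nc, "subtree", REALM_FILTER) for nc in naming_contexts]


if __name__ == "__main__":
    for realm in ("EXAMPLE.COM", "EXAMPLE.AU"):
        print(realm, "->", search_plan(realm, SAMPLE_NAMING_CONTEXTS))
```
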
