[Freeipa-devel] First cut of schema doc

Simo Sorce ssorce at redhat.com
Thu Jul 12 13:18:20 UTC 2007


On Thu, 2007-07-12 at 22:54 +1000, Andrew Bartlett wrote:
> On Thu, 2007-07-12 at 08:45 -0400, Simo Sorce wrote:
> > On Wed, 2007-07-11 at 15:23 -0700, Pete Rowley wrote:
> > > Simo Sorce wrote:
> > > > On Wed, 2007-07-11 at 14:53 -0700, Pete Rowley wrote:
> > > >   
> > > >> Getting something up to argue over :)
> > > >>
> > > >> http://freeipa.com/page/SchemaV1
> > > >>     
> > > >
> > > > Questions and remarks:
> > > > - what is/why dc=com ?
> > > >   
> > > could be dc=org or whatever that component of the realm name is. The 
> > > important thing is the splitting off of the most significant portion of 
> > > the realm name from the suffix to be part of DIT (replacing cn=default 
> > > which we didn't like)
> > 
> > Ooooh now I see the point, but I honestly don't like it :)
> 
> I'm still unclear:  If my realm was abartlet.net, are things under
> dc=abartlet,dc=net, with that DN having an extra objectClass of
> ipaRealm?

Pete's proposal was:
dc=net (objectclass=pilotObject / info=IPA v1.0)
|- cn=system
|  |-cn=kerberos
|  \-cn=ipa
|-dc=abartlet (objectclass=ipaRealm)
   |-ou=people
   |-ou=groups

I say now:

dc=abartlet,dc=net (objectclass=pilotObject / info=IPA v1.0)
|- cn=system
|  |-cn=kerberos
|  \-cn=ipa
|- cn=realm
   |-ou=people
   |-ou=groups

Make sense?

> > I see, it makes sense for our discovery utility indeed, but this is
> > not something we can "backport" to older clients or other OS clients
> > unfortunately.
> > Also I am starting to wonder if we really need to separate Users and
> > Groups in different OUs ... yes we do cause bloody Unix has 2
> > different name spaces for users and groups :(
> 
> Having them in the same spot would make mapping to the AD style
> easier...
> 
> Why can't they be under cn=group and uid=user?  Or better still, as we
> need the names to be unique for samba (even v3), just make that a
> restriction?

I know, I was even thinking of forcibly merging personal groups into
users and having a monotonic merged uid/gid counter so that we basically
merge the user and group spaces. But I need a lot of time to explain why
this makes sense in general and specifically for interoperating with
Windows.

Is this interesting for v1? Or should we delay discussions for post v1?

Simo.
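As an added illustration (not part of the thread and not FreeIPA code), the following Python builds the second tree Simo sketches above from a realm name, emits it as LDIF, and checks the one restriction Andrew proposes: that user and group names never collide. The objectClass and info values on the suffix are taken from the message; the structural classes assumed for the containers (domain, nsContainer, organizationalUnit), the function names, and the sample user and group lists are this example's own assumptions.

```python
# Added example, not FreeIPA's schema or code: derive the proposed DIT from a
# realm name and test the "unique user/group names" restriction.

def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside an RDN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def realm_labels(realm: str):
    """abartlet.net -> ['abartlet', 'net']; DC values match case-insensitively."""
    labels = [l for l in realm.strip().lower().split(".") if l]
    if not labels:
        raise ValueError("realm must contain at least one label")
    return labels


def realm_to_base_dn(realm: str) -> str:
    """abartlet.net -> dc=abartlet,dc=net (the suffix in Simo's second tree)."""
    return ",".join("dc=" + escape_rdn_value(l) for l in realm_labels(realm))


def proposed_dit(realm: str):
    """Entries of the second tree as (dn, attributes) pairs, top-down.

    objectClass=pilotObject / info=IPA v1.0 on the suffix come from the message;
    the structural classes used here for the suffix and containers are assumed.
    """
    base = realm_to_base_dn(realm)
    realm_dn = "cn=realm," + base
    return [
        (base, {"objectClass": ["domain", "pilotObject"],
                "dc": [realm_labels(realm)[0]], "info": ["IPA v1.0"]}),
        ("cn=system," + base, {"objectClass": ["nsContainer"], "cn": ["system"]}),
        ("cn=kerberos,cn=system," + base, {"objectClass": ["nsContainer"], "cn": ["kerberos"]}),
        ("cn=ipa,cn=system," + base, {"objectClass": ["nsContainer"], "cn": ["ipa"]}),
        (realm_dn, {"objectClass": ["nsContainer"], "cn": ["realm"]}),
        ("ou=people," + realm_dn, {"objectClass": ["organizationalUnit"], "ou": ["people"]}),
        ("ou=groups," + realm_dn, {"objectClass": ["organizationalUnit"], "ou": ["groups"]}),
    ]


def to_ldif(entries) -> str:
    """Serialise entries as LDIF; values here are plain ASCII so no base64 is needed."""
    blocks = []
    for dn, attrs in entries:
        lines = ["dn: " + dn]
        for attr, values in attrs.items():
            lines.extend(f"{attr}: {v}" for v in values)
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


def name_collisions(users, groups):
    """Names present in both namespaces; a unique-name rule requires this to be empty.

    uid and cn use case-insensitive matching in LDAP, so compare case-folded.
    """
    u = {n.casefold() for n in users}
    g = {n.casefold() for n in groups}
    return sorted(u & g)


# Constructed sample data for the check, not taken from the thread.
SAMPLE_USERS = ["abartlet", "ssorce", "Admin"]
SAMPLE_GROUPS = ["admin", "wheel", "ssorce"]

if __name__ == "__main__":
    print(to_ldif(proposed_dit("abartlet.net")))
    print("colliding names:", name_collisions(SAMPLE_USERS, SAMPLE_GROUPS))
```

Running it prints the seven entries under dc=abartlet,dc=net and reports "admin" and "ssorce" as names that would have to be renamed before the single-namespace restriction could be enforced; the case-folded comparison matters because a directory will treat "Admin" and "admin" as the same uid.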
