[Freeipa-devel] First cut of schema doc

Andrew Bartlett abartlet at samba.org
Thu Jul 12 13:24:46 UTC 2007


On Thu, 2007-07-12 at 09:18 -0400, Simo Sorce wrote:
> On Thu, 2007-07-12 at 22:54 +1000, Andrew Bartlett wrote:
> > On Thu, 2007-07-12 at 08:45 -0400, Simo Sorce wrote:
> > > On Wed, 2007-07-11 at 15:23 -0700, Pete Rowley wrote:
> > > > Simo Sorce wrote:
> > > > > On Wed, 2007-07-11 at 14:53 -0700, Pete Rowley wrote:
> > > > >   
> > > > >> Getting something up to argue over :)
> > > > >>
> > > > >> http://freeipa.com/page/SchemaV1
> > > > >>     
> > > > >
> > > > > Questions and remarks:
> > > > > - what is/why dc=com ?
> > > > >   
> > > > could be dc=org or whatever that component of the realm name is. The 
> > > > important thing is the splitting off of the most significant portion of 
> > > > the realm name from the suffix to be part of DIT (replacing cn=default 
> > > > which we didn't like)
> > > 
> > > Ooooh now I see the point, but I honestly don't like it :)
> > 
> > I'm still unclear:  If my realm was abartlet.net, are things under
> > dc=abartlet,dc=net, with that DN having an extra objectClass of
> > ipaRealm?
> 
> Pete's proposal was:
> dc=net (objectclass=pilotObject / info=IPA v1.0)
> |- cn=system
> |  |-cn=kerberos
> |  \-cn=ipa
> |-dc=abartlet (objectclass=ipaRealm)
>    |-ou=people
>    |-ou=groups
> 
> I say now:
> 
> dc=abartlet,dc=net (objectclass=pilotObject / info=IPA v1.0)
> |- cn=system
> |  |-cn=kerberos
> |  \-cn=ipa
> |- cn=realm
>    |-ou=people
>    |-ou=groups
> 
> Make sense?

I would love to get rid of the cn=realm level, if possible.  (keep
cn=system as proposed, or possibly renamed to avoid a conflict with the
AD use of cn=system). 

> > > I see, it makes sense for our discovery utility indeed, but this is
> > > not something we can "backport" to older clients or other OSs' clients
> > > unfortunately.
> > > Also I am starting to wonder if we really need to separate Users and
> > > Groups in different OUs ... yes we do cause bloody Unix has 2
> > > different name spaces for users and groups :(
> > 
> > Having them in the same spot would make mapping to the AD style
> > easier...
> > 
> > Why can't they be under cn=group and uid=user?  Or better still, as we
> > need the names to be unique for samba (even v3), just make that a
> > restriction?
> 
> I know, I was even thinking of forcibly merging personal groups into
> users and having a monotonic merged uid/gid counter so that we basically
> merge the user and group spaces, but I need a lot of time to explain why
> this makes sense in general and specifically for interoperating with
> Windows.

It depends how seriously we want to take that, I suppose. 

> Is this interesting for v1? Or should we delay discussions for post v1?

Do we break the ability to go beyond v1 if we don't address it?  

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
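An added example (my own code, not from the thread or from the FreeIPA project) that models the three DIT layouts under discussion as functions of the realm name: Pete's split of the top label into the suffix with an ipaRealm entry beneath it, Simo's cn=realm container, and Andrew's variant without cn=realm. It also contains the single-namespace check Andrew raises for user and group names and Simo's merged uid/gid counter. The container names (cn=system, cn=kerberos, cn=ipa, ou=people, ou=groups) are the ones in the thread; how a realm with more than two labels is split under Pete's layout, the counter start value, and the function names are my assumptions.

```python
import re

# Constructed example, not code from the thread or from FreeIPA. Models the
# three directory layouts discussed and the user/group name restriction.

# DNS-label syntax: a dc= value must be a valid label, so nothing that would
# need RFC 4514 escaping can end up in the DN.
LABEL_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?")


def realm_to_dn(realm: str) -> str:
    """Map a Kerberos realm (abartlet.net) to a dc-style DN (dc=abartlet,dc=net)."""
    labels = realm.strip().rstrip(".").lower().split(".")
    if len(labels) < 2 or not all(LABEL_RE.fullmatch(l) for l in labels):
        raise ValueError(f"invalid realm name: {realm!r}")
    return ",".join(f"dc={l}" for l in labels)


def layout(realm: str, proposal: str) -> dict:
    """Return the DNs of the well-known containers for one of the proposals."""
    realm_dn = realm_to_dn(realm)
    if proposal == "pete":
        # Suffix is only the top label; the rest of the realm is the ipaRealm
        # entry beneath it (assumption: all remaining labels go into that entry).
        suffix = realm_dn.split(",")[-1]
        realm_container = realm_dn
        realm_entry = realm_dn
    elif proposal == "simo":
        # Suffix is the whole realm DN; users and groups live under cn=realm.
        suffix = realm_dn
        realm_container = f"cn=realm,{realm_dn}"
        realm_entry = None
    elif proposal == "andrew":
        # As Simo's layout, but with the cn=realm level removed.
        suffix = realm_dn
        realm_container = realm_dn
        realm_entry = None
    else:
        raise ValueError(f"unknown proposal: {proposal!r}")
    system = f"cn=system,{suffix}"
    return {
        "suffix": suffix,
        "ipaRealm_entry": realm_entry,
        "system": system,
        "kerberos": f"cn=kerberos,{system}",
        "ipa": f"cn=ipa,{system}",
        "people": f"ou=people,{realm_container}",
        "groups": f"ou=groups,{realm_container}",
    }


def conflicting_names(user_names, group_names) -> list:
    """Names used for both a user and a group. A single uid/cn namespace
    (the restriction Samba needs) would reject these. Case-insensitive,
    as LDAP cn and uid matching is."""
    users = {n.lower() for n in user_names}
    groups = {n.lower() for n in group_names}
    return sorted(users & groups)


def allocate_merged_ids(user_names, group_names, start=1000) -> dict:
    """One monotonic counter for uid and gid: every user and every group
    draws its number from the same sequence, so no uid equals any gid.
    Name clashes are rejected before anything is allocated."""
    clash = conflicting_names(user_names, group_names)
    if clash:
        raise ValueError(f"names used for both a user and a group: {clash}")
    ids, counter = {}, start
    for kind, names in (("user", user_names), ("group", group_names)):
        for name in names:
            ids[(kind, name)] = counter
            counter += 1
    return ids


if __name__ == "__main__":
    for proposal in ("pete", "simo", "andrew"):
        print(proposal, layout("abartlet.net", proposal))
    print(allocate_merged_ids(["abartlet", "ssorce"], ["ipausers"]))
```

Run it and compare the three printed layouts: under Pete's proposal cn=system sits at cn=system,dc=net, shared by every realm under that suffix, while under the other two it sits under the realm DN itself; that difference is what the discovery argument in the thread turns on.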