[Freeipa-devel] expanding the LDAP tree

Simo Sorce ssorce at redhat.com
Thu Nov 8 15:27:52 UTC 2007


On Wed, 2007-11-07 at 13:28 -0800, Pete Rowley wrote:
> John Dennis wrote:
> > I would like to add a new branch to our LDAP tree to store radius 
> > configuration information and I thought I would sanity check where I 
> > expect it belongs and how to add it. Yes/No/Comments welcome.
> >
> > I think the appropriate place is just under the suffix in a node 
> > called 'services' then each service can add their name below it and 
> > their data below that. For example:
> >
> > dn: cn=radius,cn=services,$SUFFIX
> > dn: cn=clients,cn=radius,cn=services,$SUFFIX
> >
> ok

No, we have cn=etc for configuration of system services.
For clients I need to know what kind of info it is.
Are these basically machine tickets?
If so, the info should be consolidated in the machine account under
cn=computers IMO.

> > Sound reasonable?
> >
> > I also presume bootstrap-template.ldif is the place to create these, 
> > right?
> >
> right

yes

> > I also presume we would want to set an Admin Write ACL on 
> > cn=services,$SUFFIX and Read ACS on each of it's children limited to 
> > the service and admin.
> >
> Sounds good.

Yeah, ACIs are needed, but probably in this case you should use the
admins group, unless we need to explicitly reserve this for the
uberAdmin.

Simo.
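As an added illustration that is not part of the thread, the following LDIF sketches what the two points discussed above would look like together: the radius branch placed under cn=etc,$SUFFIX as Simo suggests rather than under a new cn=services node, and 389 Directory Server ACIs that give the admins group write access to the subtree while limiting read access to the service's own account. The admins group DN (cn=admins,cn=groups,cn=accounts,$SUFFIX) and the radius service account DN are assumptions, and $SUFFIX is left as the placeholder the thread itself uses.

```ldif
# Added example, not from the thread or the FreeIPA tree.
# $SUFFIX, the admins group DN and the service account DN are assumptions.

# Configuration branch for the radius service, under cn=etc as suggested.
dn: cn=radius,cn=etc,$SUFFIX
objectClass: top
objectClass: nsContainer
cn: radius
# Members of the admins group (not only the single uberAdmin) may manage
# everything below this entry.
aci: (targetattr = "*")(version 3.0; acl "admins manage radius config"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
# Only the radius service's own account may read the subtree; the DN here
# is a placeholder for whatever account the service binds as.
aci: (targetattr = "*")(version 3.0; acl "radius service reads its config"; allow (read, search, compare) userdn = "ldap:///cn=radius-service-placeholder,cn=etc,$SUFFIX";)

# Client definitions live below the service entry and inherit its ACIs.
dn: cn=clients,cn=radius,cn=etc,$SUFFIX
objectClass: top
objectClass: nsContainer
cn: clients
```

Because 389 Directory Server denies access by default, anything not covered by these two ACIs (other users, other services) gets no read or write access to the branch, which is the "limited to the service and admin" behaviour John asked for; the ACIs are set once on the top entry and apply to every child such as cn=clients.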
