[Freeipa-devel] expanding the LDAP tree

Simo Sorce ssorce at redhat.com
Thu Nov 8 16:40:53 UTC 2007


On Thu, 2007-11-08 at 11:02 -0500, John Dennis wrote:
> Simo Sorce wrote:
> > No, we have cn=etc for configuration of system services
> > For clients I need to know what kind of info it is.
> > Are these basically machine tickets?
> > If so the info should be consolidated in the machine account under
> > cn=computers IMO
> 
> I don't think this data falls under the category of computer with a 
> ticket, but you could (forcibly) apply that interpretation if you wanted to.
> 
> This is a list of NASes (e.g. VPC concentrators, routers, etc.) being 
> managed by radius. They don't have a krb ticket, but they do have a 
> private authorization called a 'secret'. So they're similar but not the 
> same. If they went under cn=computers,cn=accounts it would mean we would 
> have non-homogeneous entries that would have to be distinguished by 
> objectclass. That is unless there was another container node for devices 
> of this class. But where would that container go? 
> cn=nas,cn=computers,cn=accounts or cn=nas,cn=accounts? But that doesn't 
> really make a lot of sense, they don't really have accounts in the sense 
> I think we've applied to the notion 'account'.
> 
> IMO, I think it makes sense for services that are mirroring their own 
> internal data structures in LDAP to keep their data in their own part of 
> the tree. That separation seems to make sense for a variety of reasons: 
> simplicity, robustness, modularity, integrity, etc. But one could make a 
> good argument for the other approach too.
> 
> My suggestion would be to keep service data segregated in the tree, if 
> it turns out to be an organizational problem we can revisit it later.

Explanation makes sense.
Thank you.

Simo.