[Freeipa-devel] expanding the LDAP tree
Simo Sorce
ssorce at redhat.com
Thu Nov 8 16:40:53 UTC 2007
On Thu, 2007-11-08 at 11:02 -0500, John Dennis wrote:
> Simo Sorce wrote:
> > No, we have cn=etc for configuration of system services
> > For clients I need to know what kind of info it is.
> > Are these basically machine tickets?
> > If so the info should be consolidated in the machine account under
> > cn=computers IMO
>
> I don't think this data falls under the category of computer with a
> ticket, but you could (forcibly) apply that interpretation if you wanted to.
>
> This is a list of NASes (e.g. VPC concentrators, routers, etc.) being
> managed by radius. They don't have a krb ticket, but they do have a
> private authorization called a 'secret'. So they're similar but not the
> same. If they went under cn=computers,cn=accounts it would mean we would
> have non-homogeneous entries that would have to be distinguished by
> objectclass. That is unless there was another container node for devices
> of this class. But where would that container go?
> cn=nas,cn=computers,cn=accounts or cn=nas,cn=accounts? But that doesn't
> really make a lot of sense, they don't really have accounts in the sense
> I think we've applied to the notion 'account'.
>
> IMO, I think it makes sense for services who are mirroring their own
> internal data structures in LDAP to keep their data in their own part of
> the tree. That separation seems to make sense for a variety of reasons,
> simplicity, robustness, modularity, integrity, etc. But one could make a
> good argument for the other approach too.
>
> My suggestion would be to keep service data segregated in the tree, if
> it turns out to be an organizational problem we can revisit it later.
Explanation makes sense.
Thank you.
Simo.
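The two layouts under discussion, sketched in LDIF as an added illustration; this is not from the thread or from the FreeIPA tree. The base DN, the container names cn=radius and cn=nas, and the radiusClient objectclass with its attributes are assumptions chosen to show the point, not FreeIPA or FreeRADIUS schema. nsContainer is the 389 Directory Server container objectclass.

```ldif
# Added illustration, not from the thread. Base DN, container names and the
# radiusClient objectclass/attributes are assumptions.

# Segregated layout (John's suggestion): RADIUS keeps its NAS list under
# its own subtree, so every entry under cn=nas is known to be a NAS and no
# objectclass filtering is needed to tell it apart from Kerberos hosts.
dn: cn=radius,dc=example,dc=com
objectClass: top
objectClass: nsContainer
cn: radius

dn: cn=nas,cn=radius,dc=example,dc=com
objectClass: top
objectClass: nsContainer
cn: nas

# Constructed sample NAS entry. The shared secret is the NAS's only
# credential, so the attribute holding it needs an ACI that limits reads to
# the RADIUS server's bind identity; it must not inherit the broad read
# access typically granted on cn=accounts.
dn: cn=vpn1,cn=nas,cn=radius,dc=example,dc=com
objectClass: top
objectClass: radiusClient
cn: vpn1
radiusClientIdentifier: 192.0.2.10
radiusClientSecret: constructed-sample-secret

# Mixed layout (the alternative): the same entry placed alongside hosts.
# It has no krbPrincipalName, so every consumer of cn=computers must
# filter by objectclass, e.g. (objectClass=radiusClient) versus the host
# objectclass, to avoid treating a NAS as a Kerberos machine account.
dn: cn=vpn1,cn=computers,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: radiusClient
cn: vpn1
radiusClientIdentifier: 192.0.2.10
radiusClientSecret: constructed-sample-secret
```

The security-relevant difference is less the DN shape than the access control boundary: a dedicated subtree gets its own ACIs for the secret attribute, whereas entries mixed into cn=computers,cn=accounts fall under whatever ACIs already apply to machine accounts.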