[Freeipa-devel] [PATCH] radius work, please review

John Dennis jdennis at redhat.com
Fri Nov 30 00:21:40 UTC 2007


Simo Sorce wrote:
> On Thu, 2007-11-29 at 18:21 -0500, John Dennis wrote:
>> Simo Sorce wrote:
>>> On Thu, 2007-11-29 at 13:00 -0500, John Dennis wrote:
>>>>    bootstrap-template.ldif: adds radius clients and profiles
>>>> containers
>>>>    under cn=services,cn=etc
>>> Replying just to this right now.
>>> It seems you are going to have quite some data there, I think it may be
>>> more appropriate to have your own cn=radius tree, and put that stuff
>>> there, like we do with the kerberos stuff under cn=kerberos
>> Argh, it is under its own radius tree, the above was a cut-n-paste
>> error on my part when I wrote the email, it is cn=radius,cn=services,cn=etc.
> 
> I mean s/,cn=services,cn=etc// 
> 
>>> cn=etc is meant to be the place where you put the system configuration
>>> data, not the systems applications data.
>> Well, I had wanted to do this (from a previous email of mine):
>>
>>  > > I think the appropriate place is just under the suffix in a node
>>  > > called 'services' then each service can add their name below it and
>>  > > their data below that. For example:
>>  > >
>>  > > dn: cn=radius,cn=services,$SUFFIX
>>  > > dn: cn=clients,cn=radius,cn=services,$SUFFIX
> 
> Not sure we really need to prefix radius with services, but this is
> better, yes.
> 
>> But then Pete Rowley wrote in his review:
>>
>>  > I think cn=services should be in cn=etc
>>
>> so that's what I did, maybe Pete didn't understand this was service 
>> data, not configuration data.
> 
> Yes I think Pete thought you were talking about the service
> configuration not the service data.
> 
>> I guess the kerberos data landed in:
>>
>> dn: cn=kerberos,$SUFFIX
> 
> Most of it, not all, Kerberos data is in each user and service entry as
> well, and will be in every computer entry too.
> 
>> I would argue (as I suggested above) it should instead be located
>> under services and not as a child of the root, e.g.:
>>
>> dn: cn=kerberos,cn=services,$SUFFIX
> 
> Kerberos is so fundamental it deserves its own container.
> 
>> But that's me wanting to use tree structure, which I guess is out of 
>> fashion :-)
> 
> No, trees are ok, I love nature :-P
> 
> Seriously though, a tree structure is ok, but not to be abused.

So let's wrap this issue up, I'll make the change, just let me clarify. 
We're never going to use a service container, all service data lives in 
its own container directly under the root, thus so far we've got as 
service data:

dn: cn=kerberos,$SUFFIX
dn: cn=clients,cn=radius,$SUFFIX
dn: cn=profiles,cn=radius,$SUFFIX

Does keeping the dissimilar client and profile data segregated in their 
own containers constitute abuse?

-- 
John Dennis <jdennis at redhat.com>