[Freeipa-devel] [PATCH] ldif and acis for config

Kevin McCarthy kmccarth at redhat.com
Mon Oct 22 23:23:00 UTC 2007


Simo Sorce wrote:
> On Mon, 2007-10-22 at 14:08 -0700, Kevin McCarthy wrote:
> > This is a proposal for config entries.  I've created a global and
> > local entry.  The idea (which will be coded next) is to read the
> > global entry first, then overwrite with values in local (if any).
> > So each ipa "node" could tweak independently.
> 
> but cn=etc is replicated globally in all its contents now ...  maybe
> you can have a container with the server own name to do non-global
> conf, but just using "local" on all nodes is not going to help you :)
> 
> > Also, I've currently created anonymous access to the config entries.
> > I'd ideally like to cache the config at startup, or maybe first hit.
> 
> Is there a reason why? Who is going to be the consumer ?

Pete mentioned it as an idea, but didn't really "bake" how it should be.
That's why I threw this out though, to get some ideas/feedback.

For now, perhaps we can just have a "shared" config and worry about
local configs later.

> > plain text
> > document
> > attachment
> > (freeipa-372-ldap_config_ldif.patch)
> > 
> > # HG changeset patch
> > # User Kevin McCarthy <kmccarth at redhat.com>
> > # Date 1193088002 25200
> > # Node ID 6b6364a5a2922309c1682bafa34d129d5230baa6
> > # Parent  934aee640cf9a53c403d0b335ee8f7dbb06d8bf2
> > Add entries to store the config in LDAP.
> > Add anonymous ACIs so we can cache on startup.
> > 
> > diff -r 934aee640cf9 -r 6b6364a5a292
> > ipa-server/ipa-install/share/bootstrap-template.ldif
> > --- a/ipa-server/ipa-install/share/bootstrap-template.ldif      Mon
> > Oct 22 08:57:29 2007 -0700
> > +++ b/ipa-server/ipa-install/share/bootstrap-template.ldif      Mon
> > Oct 22 14:20:02 2007 -0700
> > @@ -32,6 +32,30 @@ objectClass: nsContainer
> >  objectClass: nsContainer
> >  objectClass: top
> >  cn: etc
> > +
> > +dn: cn=config,cn=etc,$SUFFIX
> > +changetype: add
> > +objectClass: nsContainer
> > +objectClass: top
> > +cn: config
> > +
> > +dn: cn=global,cn=config,cn=etc,$SUFFIX
> > +changetype: add
> > +objectClass: top
> > +objectClass: nsContainer
> > +objectClass: extensibleObject
> ----------------^^^^^^^^^^^^^^^
> 
> /me raise eyebrow, are you *sure* ? :)


Nope, definitely not sure.  It would be better if there was some
objectClass I could use to store:
-name
-value
-comment

so each configuration could have its own entry with a comment.  Do you
have any suggestions about how to do that?

> 
> > +cn: global
> > +userSearchFields: uid,givenName,sn,telephoneNumber,ou,title
> > +searchTimeLimit: 2
> > +maxUidLength: 8
> > +passwordExpireNotifyDays: 7
> 
> should we keep security policies and GUI configuration in different
> entries ?

Sure.  Are you thinking
cn=policy,cn=config,cn=etc...
  and
cn=gui,cn=config,cn=etc

For me the passwordExpireNotifyDays was a parameter I was going to use
in the GUI - for when to show a message at the top of the page.

> > +aci: (target="ldap:///cn=*,cn=config,cn=etc,$SUFFIX")(version 3.0;
> > acl "Enable anonymous access to config"; allow (read, search, compare)
> > userdn="ldap:///anyone";)
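Review bot: the aci at the end of the hunk is attached to the cn=global entry (the last dn added before it), yet its target, ldap:///cn=*,cn=config,cn=etc,$SUFFIX, names every child of cn=config; an ACI only governs the entry it is set on and that entry's subtree, so as written it covers cn=global alone and a sibling entry for local or per-server settings would not pick it up. Moving the aci onto the cn=config container entry added earlier in the hunk makes the scope match the target. The aci also has no targetattr clause, so every attribute of the matched entries, including policy-style values such as maxUidLength and passwordExpireNotifyDays, becomes readable by anonymous binds; if anonymous read stays in for the startup cache, an explicit targetattr list keeps that exposure bounded and makes the split between policy and GUI entries discussed above easier to enforce later.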
> 
> Is this not readable right now already?
> /me can't remember if we are denying anonymous access right now.

Don't know.  I haven't written the code to try to read it just yet.
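The lookup Kevin describes (read the global entry, then let a node-specific entry override it) together with Simo's point that a replicated cn=local is useless, as an added example that is not part of the thread or of FreeIPA's code. It parses a constructed LDIF modelled on the entries in the patch, keys the per-server entry by the server's own name instead of cn=local, and merges the two. The suffix value, the server names and the override value are assumptions.

```python
"""Layered config lookup over LDIF entries (added example, not FreeIPA code)."""

# Assumed suffix; the patch uses the $SUFFIX template variable instead.
SUFFIX = "dc=example,dc=com"

# Constructed LDIF modelled on the patch's cn=config and cn=global entries,
# plus a per-server entry (Simo's suggestion) that overrides one value.
# The aci value is folded across lines the LDIF way: continuation lines
# start with a space, which the parser strips before appending.
SAMPLE_LDIF = f"""\
dn: cn=config,cn=etc,{SUFFIX}
objectClass: nsContainer
objectClass: top
cn: config

dn: cn=global,cn=config,cn=etc,{SUFFIX}
objectClass: top
objectClass: nsContainer
objectClass: extensibleObject
cn: global
userSearchFields: uid,givenName,sn,telephoneNumber,ou,title
searchTimeLimit: 2
maxUidLength: 8
passwordExpireNotifyDays: 7
aci: (target="ldap:///cn=*,cn=config,cn=etc,{SUFFIX}")(version 3.0;
  acl "Enable anonymous access to config"; allow (read, search, compare)
  userdn="ldap:///anyone";)

dn: cn=ipa1.example.com,cn=config,cn=etc,{SUFFIX}
objectClass: top
objectClass: nsContainer
objectClass: extensibleObject
cn: ipa1.example.com
searchTimeLimit: 5
"""

# Attributes that describe the entry itself rather than a config setting.
META_ATTRS = {"objectClass", "cn", "aci"}


def parse_ldif(text):
    """Return {dn: {attribute: [values]}} for a simple LDIF text.

    Handles folded continuation lines, comments and changetype lines.
    Base64 values ("attr::") are not handled; this is a deliberate
    simplification for the example.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # fold continuation onto previous line
        else:
            unfolded.append(raw)

    entries = {}
    current_dn = None
    current_attrs = {}
    for line in unfolded + [""]:             # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if line == "":
            if current_dn is not None:
                entries[current_dn] = current_attrs
                current_dn, current_attrs = None, {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        value = value.strip()
        if name == "dn":
            current_dn, current_attrs = value, {}
        elif current_dn is None:
            raise ValueError("attribute before dn: %r" % line)
        elif name == "changetype":
            continue                          # irrelevant to a read-only view
        else:
            current_attrs.setdefault(name, []).append(value)
    return entries


def layered_config(entries, server_name, suffix=SUFFIX):
    """Global settings first, then the server's own entry on top of them.

    DN matching here is exact; a real directory compares DNs
    case-insensitively. A missing per-server entry simply yields the
    global values.
    """
    base = "cn=config,cn=etc,%s" % suffix
    merged = {}
    for rdn in ("global", server_name):
        attrs = entries.get("cn=%s,%s" % (rdn, base), {})
        for name, values in attrs.items():
            if name in META_ATTRS:
                continue
            merged[name] = values[0] if len(values) == 1 else list(values)
    return merged


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    print(layered_config(parsed, "ipa1.example.com"))  # searchTimeLimit overridden to 5
    print(layered_config(parsed, "ipa2.example.com"))  # no local entry: global values only
```

The merge order is the whole point: iterating "global" before the server's rdn means a later assignment wins, and because the local entry is named after the server it is harmless to replicate, which sidesteps the cn=local problem raised above.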