[Freeipa-devel] How to implement Magic Private Groups in FreeIPA ?

Rob Crittenden rcritten at redhat.com
Fri Nov 13 15:30:39 UTC 2009


Simo Sorce wrote:
> On Thu, 2009-11-12 at 10:37 -0500, Dmitri Pal wrote:
>>> So killing two birds with one stone we are thinking of introducing a
>>> new attribute called posixName that has a case-sensitive syntax and does
>>> not conflict with other uses of uid and cn. We will probably still set
>>> uid on users and cn on groups but they will be kept in sync with
>>> posixName (except for cn on user accounts that holds the full name).
>>
>> So posixName will be a part of the user account object and group
>> object,
>> right?
>> Can you please add more details here?
> 
> Correct,
> we would switch to primarily use posixName for users and groups names.
> 
> A group entry would probably look like this (from memory):
> 
> cn=newgroup,cn=groups,cn=accounts,dc=example,dc=com
> objectclass: nestedgroup
> objectclass: posixGroup
> objectclass: ipaPosixName
> cn: newgroup
> posixName: newgroup
> member: ...
> member: ...
> 
> 
> When searching for this group we would use a query like:
> '(&(objectClass=posixGroup)(posixName=newgroup))'
> 
> Same for users.
> 
> Simo.
> 
> 

FYI, here is the new schema I've come up with:

dn: cn=schema
attributeTypes: ( 2.16.840.1.113730.3.8.3.54 NAME 'posixName' EQUALITY
 caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE)
objectClasses: ( 2.16.840.1.113730.3.8.3.55 NAME 'ipaPosixName' DESC
 'Case-sensitive name common to users and groups' AUXILIARY MUST (
 posixName ) X-ORIGIN 'IPA v2' )

It also occurs to me that we'll need to prevent any modifications to the
posixName attribute unless the cn/uid is also being modified. In other
words, sync needs to be 2-way.

rob
