[Freeipa-devel] Merging dogtag and ipa databases

Adam Young ayoung at redhat.com
Tue Dec 20 01:07:53 UTC 2011


On 12/19/2011 03:52 PM, Simo Sorce wrote:
> On Mon, 2011-12-19 at 11:49 -0500, Dmitri Pal wrote:
>> On 12/19/2011 11:11 AM, Ade Lee wrote:
>>> Hi all,
>>>
>>> Based on conversations with Adam, Simo and Rob, here are some thoughts
>>> on $subject:
>>> http://pki.fedoraproject.org/wiki/Merging_IPA_and_Dogtag_Databases
>>>
>>> I'll probably add more later - like the details on how cloned instance
>>> installation will run.
>>>
>>> Comments are welcome.
>>>
>>> Ade
>>>
>> Ade,
>>
>> IPA has a notion of the system account too.
>> It has a system account for Kerberos, for example.
>> Those accounts are not exposed in UI and there is already a location for
>> them.
>> Have you considered this option?
> We do not want to have dogtag have write permission to the IPA tree, so
> it is better if dogtag has its service users in its own tree. We have
> nothing in IPA proper that cares for those anyway as they are
> application specific.
>
> Simo.
>
Agreed. The general rule should be that each application gets its own
subtree.



