[Freeipa-devel] Unifying the PKI and IPA Directory Server instances

Simo Sorce simo at redhat.com
Tue Nov 1 16:43:49 UTC 2011


On Tue, 2011-11-01 at 12:12 -0400, Adam Young wrote:
> We had a brief discussion on unifying the PKI and IPA Directory Server
> instances.  Here are my notes from it.  Please fill out the details
> and correct me if I've mis-stated anything below.
> 
> 
> Issues:
> 
> 
>         1. Both make changes to Config. One identified conflict is the
>         configuration of the Uniqueness plugin
>         
>         2. PKI uses Directory Manager. This is insecure. Can it use a
>         different, limited admin?

Not only is it insecure, but we do not necessarily want to trust PKI to
touch stuff that is IPA specific.
>         
>         3. Index strategies are different
>         
>         4. make sure we have a union of the required sets of plugins
>         
>         5. PKI needs to set D.S. Default Name context

This is a DS/IPA feature, not a PKI feature. In an IPA install we will
need to be able to tell DS that the IPA namingContext is the default
one.

>         6. If PKI uses the IPA datastore for users, it needs to create
>         the user with all the right prerequisites (object class,
>         defaults)

No, it should never be allowed to create users; it should just use
existing users, I think.

>         7. PKI puts users in groups using “member of” so that should
>         still work for the IPA tree

PKI is currently using groupOfUniqueUsers and uniqueMember. We will need
it to use groupOfNames (as modified in 389DS to not require members) and
use member (which will automatically create memberof attributes).


Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
