[Freeipa-devel] Unifying the PKI and IPA Directory Server instances

Ade Lee alee at redhat.com
Tue Nov 1 17:08:18 UTC 2011


On Tue, 2011-11-01 at 12:49 -0400, Simo Sorce wrote:
> On Tue, 2011-11-01 at 12:40 -0400, Richard Megginson wrote:
> > ----- Original Message -----
> > > 
> > > We had a brief discussion on unifying the PKI and IPA Directory
> > > Server instances. Here are my notes from it. Please fill out the
> > > details and correct me if I've mis-stated anything below.
> > > 
> > > 
> > > Issues:
> > > 
> > 
> > Do IPA and PKI use different suffixes?
> 
> Currently not as we use completely separate instances, but we will be
> able to use different suffixes for some stuff.
> 
I would suggest that if we use the same database, then we use different
suffixes.  For one thing, we will want to be able to set ACIs so that
the information here is not publicly browsable.

It will also be much easier to limit the PKI user's ability to touch the
rest of the db, and vice versa.

It also makes it less likely that upgrade scripts will stomp on each
other.
> > > 
> > >     1. Both make changes to Config. One identified conflict is the
> > > configuration of the Uniqueness plugin
> > 
> > It may be easy to enhance this plugin and other plugins to allow different configuration per subtree.
> 
> If we confirm this conflict this will become a requirement before we can
> proceed.
> 
> > >     2. PKI uses Directory Manager. This is insecure. Can it use a different,
> > > limited admin?
> > 
> > Or use ldapi?  I don't think ldapjdk can use ldapi.
> 
> It's a matter of trust for me. I do not want to trust PKI to have free
> rein on all data. I want it to be confined to only what it needs.
> 
> So we can use ldapi and user mapping, but we wouldn't map the user to DM
> anyway.
> 
> > >     3. Index strategies are different
> > 
> > Use a union?  e.g. if ipa needs attribute "a" indexed for equality only, but PKI needs it indexed for presence and substring only, then we can just index it for eq, sub, and pres.
> 
> The problem here is finding out and how to make sure pki vs ds/ipa
> install and upgrade scripts do not stomp on each other.

> > >     4. make sure we have a union of the required sets of plugins
> > >     5. PKI needs to set D.S. Default Name context
> > 
> > What is this?
> 
> See my other mail, we need DS to support setting defaultNamingContext in
> rootdse.
> 
> > >     6. If PKI uses the IPA datastore for users, it needs to create the user
> > > with all the right prerequisites (object class, defaults)
> > 
> > If both PKI and IPA use structural objectclasses, we may have to create corresponding auxiliary objectclasses so that you can mix-in both sets of objectclasses while having only one structural objectclass per entry.
> 
> The problem here is much bigger, PKI simply does not have enough
> information to create a proper IPA user, so it should not be allowed to.
> This is an example of why I want to tightly control through ACIs what
> PKI can do and prevent it from causing "issues".
> 
If we do this integration, then I'm OK with IPA creating the users.

> 
> Simo.
> 
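As an added illustration (not part of this thread or of the IPA/PKI code) of the separate-suffix approach argued for above, here is 389 DS configuration LDIF that gives PKI its own backend and suffix and confines a limited PKI bind DN to that suffix by ACI instead of letting it bind as Directory Manager. The backend name `ipaca`, the suffix `o=ipaca` and the account `uid=pkidbuser,ou=people,o=ipaca` are assumed names, and the password is a placeholder.

```ldif
# Constructed example (not from the thread). Assumed: backend "ipaca",
# suffix o=ipaca, limited PKI bind DN uid=pkidbuser,ou=people,o=ipaca.

# Dedicated backend and suffix for PKI, so its ACIs, indexes and
# upgrade scripts are scoped to this tree and never touch IPA's.
dn: cn=ipaca,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsBackendInstance
cn: ipaca
nsslapd-suffix: o=ipaca

dn: cn="o=ipaca",cn=mapping tree,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
cn: o=ipaca
nsslapd-state: backend
nsslapd-backend: ipaca

# Suffix root. Deliberately no ldap:///anyone read ACI, so PKI data is
# not anonymously browsable. The PKI account is granted rights only
# here and may not edit aci, so it cannot widen its own access; with no
# grant under the IPA suffix it has no access to IPA entries at all.
dn: o=ipaca
objectClass: top
objectClass: organization
o: ipaca
aci: (targetattr != "aci")(version 3.0; acl "PKI account confined to o=ipaca"; allow (all) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";)

dn: ou=people,o=ipaca
objectClass: top
objectClass: organizationalUnit
ou: people

# The limited PKI service account (replaces Directory Manager binds).
dn: uid=pkidbuser,ou=people,o=ipaca
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: pkidbuser
cn: PKI database user
sn: user
# Placeholder only; prefer client-cert or ldapi/autobind mapping to this DN.
userPassword: CHANGEME
```

Load with `ldapadd` as Directory Manager once at install time; afterwards PKI binds only as `uid=pkidbuser` and the IPA tree stays out of its reach.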
