[Freeipa-devel] Integration with the provisioning systems
Martin Kosek
mkosek at redhat.com
Mon Apr 22 11:34:07 UTC 2013
On 04/21/2013 09:14 PM, Dmitri Pal wrote:
> Hello,
>
> Please review the design page for the following ticket:
> https://fedorahosted.org/freeipa/ticket/3583
> http://www.freeipa.org/page/V3/Integration_with_a_provisioning_systems
>
Hello Dmitri,

The design looks fine, I would just like to discuss the schema enhancements.

I'd propose to not create our own artificial attributes, but rather use a
standard existing userClass attributeType defined in RFC 4524 which is already
present in 389-ds schemas and whose semantics seem to match what we want:

...
2.25. userClass

   The 'userClass' attribute specifies categories of computer or
   application user. The semantics placed on this attribute are for
   local interpretation. Examples of current usage of this attribute in
   academia are "student", "staff", and "faculty". Note that the
   'organizationalStatus' attribute type is now often preferred, as it
   makes no distinction between persons as opposed to users.

      ( 0.9.2342.19200300.100.1.8 NAME 'userClass'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

   The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
   'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described
   in [RFC4517].
...

What about simply adding this attributeType as a MAY attribute for the ipaHost
objectClass?

As for user objects, what about adding a new auxiliary objectClass called ipaUser
storing miscellaneous attributes like this one?

Or is there a benefit of having a specialized objectClass holding just this one
MAY attribute?

Thanks,
Martin