[Freeipa-devel] [PATCH] radius work, please review
John Dennis
jdennis at redhat.com
Fri Nov 30 00:21:40 UTC 2007
Simo Sorce wrote:
> On Thu, 2007-11-29 at 18:21 -0500, John Dennis wrote:
>> Simo Sorce wrote:
>>> On Thu, 2007-11-29 at 13:00 -0500, John Dennis wrote:
>>>> bootstrap-template.ldif: adds radius clients and profiles containers
>>>> under cn=services,cn=etc
>>> Replying just to this right now.
>>> It seems you are going to have quite some data there, I think it may be
>>> more appropriate to have your own cn=radius tree, and put that stuff
>>> there, like we do with the kerberos stuff under cn=kerberos
>> Argh, it is under its own radius tree, the above was a cut-n-paste
>> error on my part when I wrote the email, it is cn=radius,cn=services,cn=etc.
>
> I mean s/,cn=services,cn=etc//
>
>>> cn=etc is meant to be the place where you put the system configuration
>>> data, not the systems applications data.
>> Well, I had wanted to do this (from a previous email of mine):
>>
>> > > I think the appropriate place is just under the suffix in a node
>> > > called 'services' then each service can add their name below it and
>> > > their data below that. For example:
>> > >
>> > > dn: cn=radius,cn=services,$SUFFIX
>> > > dn: cn=clients,cn=radius,cn=services,$SUFFIX
>
> Not sure we really need to prefix radius with services, but this is
> better, yes.
>
>> But then Pete Rowley wrote in his review:
>>
>> > I think cn=services should be in cn=etc
>>
>> so that's what I did, maybe Pete didn't understand this was service
>> data, not configuration data.
>
> Yes I think Pete thought you were talking about the service
> configuration not the service data.
>
>> I guess the kerberos data landed in:
>>
>> dn: cn=kerberos,$SUFFIX
>
> Most of it, not all, Kerberos data is in each user and service entry as
> well, and will be in every computer entry too.
>
>> I would argue (as I suggested above) it should instead be located
>> under services and not as a child of the root, e.g.:
>>
>> dn: cn=kerberos,cn=services,$SUFFIX
>
> Kerberos is so fundamental it deserves its own container.
>
>> But that's me wanting to use tree structure, which I guess is out of
>> fashion :-)
>
> No, trees are ok, I love nature :-P
>
> Seriously though, a tree structure is ok, but not to be abused.
So let's wrap this issue up, I'll make the change, just let me clarify.
We're never going to use a service container, all service data lives in
its own container directly under the root, thus so far we've got as
service data:

dn: cn=kerberos,$SUFFIX
dn: cn=clients,cn=radius,$SUFFIX
dn: cn=profiles,cn=radius,$SUFFIX

Does keeping the dissimilar client and profile data segregated in their
own containers constitute abuse?
--
John Dennis <jdennis at redhat.com>