[Freeipa-devel] Plans for configurable LDAP DIT structure in FreeIPA?

Aleksander Adamowski aleksander.adamowski.freeipa at altkom.pl
Mon Jul 7 13:24:57 UTC 2008


Simo Sorce wrote:
> On Sat, 2008-07-05 at 01:43 +0200, Aleksander Adamowski wrote:
>   
>> E.g.:
>> objectclass: ipaGuiConfig
>> ipaUserAccountSubtreeRDN: cn=users,cn=accounts
>> ipaGroupAccountSubtreeRDN: cn=groups,cn=accounts
>> ipaComputerAccountSubtreeRDN: cn=computers,cn=accounts
>> ....
>> ipaKerberosSubtreeRDN: cn=Kerberos
>> ...
>>     
>
> This is a very good suggestion actually, and to be honest I have been
> thinking of adding something similar in v2 so that clients can
> auto-configure themselves too.
>
> The problem is that to change this stuff you would need to make it
> manually or substantially change the ipa-server-install script.
>
> If you volunteer to send patches to ipa-server-install so that the
> default installation will not require any more prompts then what we
> require now in v1, then we could certainly extend IPA to handle these
> configuration options.
>   
OK, I've pulled the tree from GIT.

From grepping the code it seems to me that making those options 
configurable shouldn't be that hard, but there must be some limitations 
- e.g. the ACI container has to be a predecessor of all account containers.
Would it work OK if the ACI container had been set to base DN?
> yup, not making assumption, but you have to store the kerberos subtree
> DN in the server's /etc/krb5.conf file, so this is not something you can
> change at will.
Well, some options have to be outside LDAP for now (as long as MIT 
Kerberos cannot get its configuration from LDAP) and it's OK as long as 
they can be overridden during initialization just like the other things.
It would be hard to change them, but after everything has been set up, 
hardly anybody will have a reason to.


> You must install IPA from scratch with a specific
> subtree and stick with it (although it could be configurable so not
> saying we cannot let users that know what they are doing change the
> defaults before installing the first IPA server instance).
>   

That's the point.

> Yes and no, a pre-existing directory will need to have the right
> objectclasses on users and groups,

I think the set up scripts could intelligently add missing objectclasses 
and required attributes to pre-existing entries.

E.g. find all "(objectclass=posixAccount)"  (or even "(uid=*)"), add 
objectclass=krbPrincipal to them, then add a krbPrincipalName generated 
from uid and realm name. And so on.

Note that lots of data in such an LDAP database is redundant and there 
are functional dependencies. Codd definitely wouldn't be happy seeing an 
object which has uid=jsmith and krbPrincipalName=jsmith@EXAMPLE.COM (not 
to mention mail=jsmith@example.com...).
So many values can be automatically generated during conversion from 
existing LDAP to FreeIPA if they are missing.


-- 
Best Regards,
    Aleksander Adamowski
        GG#: 274614
        ICQ UIN: 19780575 
        http://olo.org.pl

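The two ideas in this message (a config entry holding the subtree RDNs so that tools and clients can locate the containers, and a conversion pass that adds the Kerberos objectclass and a uid-derived krbPrincipalName to pre-existing posixAccount entries) as one dry-run script. This is an added example, not code from FreeIPA or from the poster: the config attribute names are the ones proposed in the thread, the base DN, the config dict and the LDIF input are constructed, and the added objectclass is a parameter defaulting to krbPrincipalAux (the auxiliary class FreeIPA itself places on user entries) rather than the krbPrincipal named in the message, because on the usual Kerberos LDAP schema krbPrincipal is the structural class for standalone principal entries and cannot be added to an existing inetOrgPerson. The DN handling is deliberately minimal (no multi-valued RDNs or hex escapes) and the LDIF reader skips base64 values and line folding.

```python
"""Dry-run planner: resolve IPA subtree RDNs from a config entry, check the
ACI-container constraint, and emit LDIF 'changetype: modify' records that add
Kerberos data to existing posixAccount entries without overwriting anything.
Added example; names and data below are constructed, not from FreeIPA."""
import re

def split_dn(dn):
    """[(type, value), ...] with type/value lower-cased for comparison.
    Handles backslash-escaped commas only; no '+' RDNs or hex escapes."""
    parts = [p for p in re.split(r'(?<!\\),', dn) if p.strip()]
    return [(t.strip().lower(), v.strip().lower())
            for t, _, v in (p.partition('=') for p in parts)]

def is_at_or_above(container, dn):
    """True if container equals dn or is one of its ancestors."""
    c, d = split_dn(container), split_dn(dn)
    return len(c) <= len(d) and d[len(d) - len(c):] == c

def resolve_subtrees(config, base_dn):
    """Turn every *SubtreeRDN attribute into an absolute DN under base_dn."""
    return {k: f"{v},{base_dn}" for k, v in config.items()
            if k.lower().endswith('subtreerdn')}

def check_aci_container(aci_dn, subtree_dns):
    """Subtree DNs the ACI container does NOT sit at or above (must be empty)."""
    return [dn for dn in subtree_dns if not is_at_or_above(aci_dn, dn)]

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines,
    attribute names lower-cased; no base64 (::) values, no folding."""
    entries, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            if cur: entries.append(cur)
            cur = None
            continue
        attr, _, val = line.partition(':')
        attr, val = attr.strip().lower(), val.strip()
        if attr == 'dn':
            cur = {'dn': val}
        else:
            cur.setdefault(attr, []).append(val)
    if cur: entries.append(cur)
    return entries

def plan_kerberos_updates(entries, realm, user_subtree_dn, objectclass='krbPrincipalAux'):
    """For posixAccount entries under user_subtree_dn, build LDIF modify records
    adding `objectclass` and krbPrincipalName=uid@REALM where missing.
    Returns (records, problems); conflicting existing values are reported,
    never overwritten (the redundancy may already be inconsistent)."""
    records, problems = [], []
    for e in entries:
        ocs = {v.lower() for v in e.get('objectclass', [])}
        if 'posixaccount' not in ocs or not is_at_or_above(user_subtree_dn, e['dn']):
            continue  # not an account entry in the user subtree
        uids = e.get('uid', [])
        if len(uids) != 1:
            problems.append(f"{e['dn']}: expected exactly one uid, found {uids}")
            continue
        wanted = f"{uids[0]}@{realm}"
        existing = e.get('krbprincipalname', [])
        if existing and wanted not in existing:
            problems.append(f"{e['dn']}: krbPrincipalName {existing} != uid-derived {wanted}")
            continue
        mods = []
        if objectclass.lower() not in ocs:
            mods.append(f"add: objectclass\nobjectclass: {objectclass}")
        if not existing:
            mods.append(f"add: krbPrincipalName\nkrbPrincipalName: {wanted}")
        if mods:  # RFC 2849: each mod-spec ends with a lone '-'
            records.append(f"dn: {e['dn']}\nchangetype: modify\n"
                           + "".join(f"{m}\n-\n" for m in mods))
    return records, problems

# Constructed sample data (assumed, not from any real directory).
BASE_DN = "dc=example,dc=com"
CONFIG_ENTRY = {  # attribute names as proposed in the thread
    'objectclass': 'ipaGuiConfig',
    'ipaUserAccountSubtreeRDN': 'cn=users,cn=accounts',
    'ipaGroupAccountSubtreeRDN': 'cn=groups,cn=accounts',
    'ipaComputerAccountSubtreeRDN': 'cn=computers,cn=accounts',
    'ipaKerberosSubtreeRDN': 'cn=Kerberos',
}
SAMPLE_LDIF = """\
dn: uid=jsmith,cn=users,cn=accounts,dc=example,dc=com
objectclass: inetOrgPerson
objectclass: posixAccount
uid: jsmith
mail: jsmith@example.com

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: krbPrincipalAux
uid: alice
krbPrincipalName: alice@EXAMPLE.COM

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=com
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: krbPrincipalAux
uid: carol
krbPrincipalName: carol@OTHER.EXAMPLE

dn: uid=backup,cn=services,dc=example,dc=com
objectclass: posixAccount
uid: backup
"""

def demo():
    subtrees = resolve_subtrees(CONFIG_ENTRY, BASE_DN)
    ok = check_aci_container(BASE_DN, subtrees.values())            # base DN covers all
    too_narrow = check_aci_container(f"cn=accounts,{BASE_DN}", subtrees.values())
    records, problems = plan_kerberos_updates(
        parse_ldif(SAMPLE_LDIF), "EXAMPLE.COM", subtrees['ipaUserAccountSubtreeRDN'])
    return subtrees, ok, too_narrow, records, problems

if __name__ == "__main__":
    subtrees, ok, too_narrow, records, problems = demo()
    print("ACI container at base DN misses:", ok)
    print("ACI container at cn=accounts misses:", too_narrow)
    print("".join(records))
    print("\n".join(problems))
```

Run it to see the plan before touching the directory: jsmith gets both the objectclass and jsmith@EXAMPLE.COM, alice is already consistent and untouched, carol is flagged because her existing principal disagrees with her uid, and uid=backup is ignored because it lives outside the user subtree. Feeding the printed records to ldapmodify is the actual migration step, and placing the ACI container at the base DN passes the ancestry check, which is the question the message raises.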