[Freeipa-devel] Plans for configurable LDAP DIT structure for FreeIPA?
Aleksander Adamowski
aleksander.adamowski.freeipa at altkom.pl
Mon Jul 7 13:24:57 UTC 2008
Simo Sorce wrote:
> On Sat, 2008-07-05 at 01:43 +0200, Aleksander Adamowski wrote:
>
>> E.g.:
>> objectclass: ipaGuiConfig
>> ipaUserAccountSubtreeRDN: cn=users,cn=accounts
>> ipaGroupAccountSubtreeRDN: cn=groups,cn=accounts
>> ipaComputerAccountSubtreeRDN: cn=computers,cn=accounts
>> ....
>> ipaKerberosSubtreeRDN: cn=Kerberos
>> ...
>>
>
> This is a very good suggestion actually, and to be honest I have been
> thinking of adding something similar in v2 so that clients can
> auto-configure themselves too.
>
> The problem is that to change this stuff you would need to make it
> manually or substantially change the ipa-server-install script.
>
> If you volunteer to send patches to ipa-server-install so that the
> default installation will not require any more prompts than what we
> require now in v1, then we could certainly extend IPA to handle these
> configuration options.
>
OK, I've pulled the tree from GIT.
From grepping the code it seems to me that making those options
configurable shouldn't be that hard, but there must be some limitations
- e.g. the ACI container has to be a predecessor of all account containers.
Would it work OK if the ACI container had been set to base DN?
> yup, not making assumption, but you have to store the kerberos subtree
> DN in the server's /etc/krb5.conf file, so this is not something you can
> change at will.
Well, some options have to be outside LDAP for now (as long as MIT
Kerberos cannot get its configuration from LDAP) and it's OK as long as
they can be overridden during initialization just like the other things.
It would be hard to change them, but after everything has been set up,
hardly anybody will have a reason to.
> You must install IPA from scratch with a specific
> subtree and stick with it (although it could be configurable so not
> saying we cannot let users that know what they are doing change the
> defaults before installing the first IPA server instance).
>
That's the point.
> Yes and no, a pre-existing directory will need to have the right
> objectclasses on users and groups,
I think the setup scripts could intelligently add missing objectclasses
and required attributes to pre-existing entries.
E.g. find all "(objectclass=posixAccount)" (or even "(uid=*)"), add
objectclass=krbPrincipal to them, then add a krbPrincipalName generated
from uid and realm name. And so on.
Note that lots of data in such an LDAP database is redundant and there
are functional dependencies. Codd definitely wouldn't be happy seeing an
object which has uid=jsmith and krbPrincipalName=jsmith at EXAMPLE.COM (not
to mention mail=jsmith at example.com...).
So many values can be automatically generated during conversion from
existing LDAP to FreeIPA if they are missing.
--
Best Regards,
Aleksander Adamowski
GG#: 274614
ICQ UIN: 19780575
http://olo.org.pl
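As an added example (not code from this thread or from FreeIPA), the conversion step described above, sketched in Python: find posixAccount entries, add the principal objectclass where it is missing, and derive krbPrincipalName from uid and realm only when the entry has none. It assumes the objectclass name krbPrincipal as written in the post (a parameter, since the real schema name may differ), a realm EXAMPLE.COM, and a constructed sample LDIF; the plan is rendered as LDIF modify records rather than applied to a live directory.

```python
import re

# Constructed sample: one plain account, one already Kerberos-enabled, one with no uid.
SAMPLE_LDIF = """\
dn: uid=jsmith,cn=users,cn=accounts,dc=example,dc=com
objectClass: posixAccount
objectClass: inetOrgPerson
uid: jsmith

dn: uid=akowalski,cn=users,cn=accounts,dc=example,dc=com
objectClass: posixAccount
objectClass: krbPrincipal
uid: akowalski
krbPrincipalName: akowalski@EXAMPLE.COM

dn: cn=svc,cn=users,cn=accounts,dc=example,dc=com
objectClass: posixAccount
"""

def parse_ldif(text):
    # Minimal LDIF reader: "attr: value" lines only (no base64, no line folding).
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def plan_kerberos_conversion(entries, realm, principal_oc="krbPrincipal"):
    # Returns {dn: [(attr, value), ...]} of additions; untouched entries are omitted.
    plan = {}
    for e in entries:
        ocs = {v.lower() for v in e.get("objectclass", [])}
        if "posixaccount" not in ocs or "uid" not in e:
            continue  # not an account, or no uid to derive a principal from
        adds = []
        if principal_oc.lower() not in ocs:
            adds.append(("objectClass", principal_oc))
        if "krbprincipalname" not in e:  # never overwrite an existing principal
            adds.append(("krbPrincipalName", f"{e['uid'][0]}@{realm}"))
        if adds:
            plan[e["dn"][0]] = adds
    return plan

def to_ldif_modify(plan):
    # Render as LDIF "changetype: modify" records, one add per attribute.
    records = []
    for dn, adds in plan.items():
        rec = [f"dn: {dn}", "changetype: modify"]
        for attr, value in adds:
            rec += [f"add: {attr}", f"{attr}: {value}", "-"]
        records.append("\n".join(rec))
    return "\n\n".join(records) + "\n"
```

Running the plan before applying it lets an administrator review which pre-existing entries would be altered, and `plan_kerberos_conversion` deliberately leaves entries that already carry a krbPrincipalName untouched.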