[Freeipa-devel] Plans for configurable LDAP DIT structure for FreeIPA?
Simo Sorce
ssorce at redhat.com
Mon Jul 7 14:00:52 UTC 2008
On Mon, 2008-07-07 at 15:24 +0200, Aleksander Adamowski wrote:
> Simo Sorce wrote:
> > On Sat, 2008-07-05 at 01:43 +0200, Aleksander Adamowski wrote:
> >
> >> E.g.:
> >> objectclass: ipaGuiConfig
> >> ipaUserAccountSubtreeRDN: cn=users,cn=accounts
> >> ipaGroupAccountSubtreeRDN: cn=groups,cn=accounts
> >> ipaComputerAccountSubtreeRDN: cn=computers,cn=accounts
> >> ....
> >> ipaKerberosSubtreeRDN: cn=Kerberos
> >> ...
> >>
> >
> > This is a very good suggestion actually, and to be honest I have been
> > thinking of adding something similar in v2 so that clients can
> > auto-configure themselves too.
> >
> > The problem is that to change this stuff you would need to make it
> > manually or substantially change the ipa-server-install script.
> >
> > If you volunteer to send patches to ipa-server-install so that the
> > default installation will not require any more prompts then what we
> > require now in v1, then we could certainly extend IPA to handle these
> > configuration options.
> >
> OK, I've pulled the tree from GIT.
>
> From grepping the code it seems to me that making those options
> configurable shouldn't be that hard, but there must be some limitations
> - e.g. the ACI container has to be a predecessor of all account containers.
> Would it work OK if the ACI container had been set to base DN?
It depends on the ACIs; for example, I think we have stricter ACIs for access to cn=kerberos.
> > Yes and no, a pre-existing directory will need to have the right
> > objectclasses on users and groups,
>
> I think the set up scripts could intelligently add missing objectclasses
> and required attributes to pre-existing entries.
>
> E.g. find all "(objectclass=posixAccount)" (or even "(uid=*)"), add
> objectclass=krbPrincipal to them, then add a krbPrincipalName generated
> from uid and realm name. And so on.
>
> Note that lots of data in such an LDAP database is redundant and there
> are functional dependencies. Codd definitely wouldn't be happy seeing an
> object which has uid=jsmith and krbPrincipalName=jsmith at EXAMPLE.COM (not
> to mention mail=jsmith at example.com...).
> So many values can be automatically generated during conversion from
> existing LDAP to FreeIPA if they are missing.
These values are only incidentally equal; it might very well be that
krbprincipalname, email and uid have distinct values.
Although right now, in v1, we depend on uid being equal to the name
part of the principal name indeed.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
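The conversion step Aleksander sketches above (find posixAccount entries, add the Kerberos principal objectclass, derive krbPrincipalName from uid and the realm), combined with Simo's caveat that uid and principal name are only incidentally equal, as an added example that is not part of the thread and not FreeIPA's own migration code. It works offline on a constructed LDIF export and emits the LDIF modify records a migration would apply; the realm, the sample entries and the objectclass name are assumptions (the thread says krbPrincipal, the code uses the auxiliary class krbPrincipalAux from the MIT Kerberos LDAP schema). Entries that already carry a krbPrincipalName are left untouched rather than overwritten from uid.

```python
"""Added example (not code from the thread or from FreeIPA): plan the LDAP
modifications that turn posixAccount entries into Kerberos principals.

Reads an LDIF export, finds posixAccount entries, and emits LDIF "modify"
records adding the principal objectclass plus a krbPrincipalName built
from uid and the realm.  Entries that already have a krbPrincipalName are
skipped: that value is only incidentally equal to uid and may differ.
"""

REALM = "EXAMPLE.COM"                # assumed realm for the constructed sample
PRINCIPAL_CLASS = "krbPrincipalAux"  # assumption: MIT Kerberos auxiliary class

# Constructed, abbreviated sample export (not real data): a plain account, one
# that already has a principal, one with the class but no principal, a group.
SAMPLE_LDIF = """\
dn: uid=jsmith,cn=users,cn=accounts,dc=example,dc=com
objectClass: posixAccount
uid: jsmith
cn: John Smith

dn: uid=rjones,cn=users,cn=accounts,dc=example,dc=com
objectClass: posixAccount
objectClass: krbPrincipalAux
uid: rjones
cn: Robert Jones
krbPrincipalName: robert@EXAMPLE.COM

dn: uid=alee,cn=users,cn=accounts,dc=example,dc=com
objectClass: posixAccount
objectClass: krbPrincipalAux
uid: alee
cn: Ann Lee

dn: cn=staff,cn=groups,cn=accounts,dc=example,dc=com
objectClass: posixGroup
cn: staff
"""


def parse_ldif(text):
    """Parse LDIF content records into a list of (dn, attrs) tuples.

    attrs maps lower-cased attribute names to lists of values.  Comments and
    folded continuation lines are handled; base64 (::) values are not.
    """
    entries, current = [], []
    for raw in text.splitlines() + [""]:   # trailing "" flushes the last record
        if raw.startswith(" ") and current:
            current[-1] += raw[1:]          # unfold a continuation line
        elif raw == "":
            if current:
                entries.append(_record(current))
                current = []
        elif not raw.startswith("#"):
            current.append(raw)
    return entries


def _record(lines):
    dn, attrs = None, {}
    for line in lines:
        name, _, value = line.partition(":")
        if name.lower() == "dn":
            dn = value.strip()
        else:
            attrs.setdefault(name.lower(), []).append(value.strip())
    return dn, attrs


def plan_changes(entries, realm=REALM, principal_class=PRINCIPAL_CLASS):
    """Return [(dn, [(attr, value), ...])] for posixAccount entries to convert."""
    changes = []
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "posixaccount" not in classes:
            continue
        if attrs.get("krbprincipalname"):
            continue  # already a principal; never assume it equals uid@REALM
        uids = attrs.get("uid", [])
        if len(uids) != 1:
            continue  # missing or multi-valued uid: leave for manual review
        mods = []
        if principal_class.lower() not in classes:
            mods.append(("objectClass", principal_class))
        mods.append(("krbPrincipalName", "%s@%s" % (uids[0], realm)))
        changes.append((dn, mods))
    return changes


def render_modify_ldif(changes):
    """Render planned changes as LDIF 'changetype: modify' records."""
    records = []
    for dn, mods in changes:
        lines = ["dn: %s" % dn, "changetype: modify"]
        for attr, value in mods:
            lines += ["add: %s" % attr, "%s: %s" % (attr, value), "-"]
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    print(render_modify_ldif(plan_changes(parse_ldif(SAMPLE_LDIF))))
```

Run it against a real export (ldapsearch output) and feed the result to ldapmodify; the point of separating planning from application is that entries with an existing, differently named principal (rjones above) surface as "skipped" for review instead of being silently rewritten to uid@REALM.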