[Freeipa-devel] Plans for configurable LDAP DIT structure do FreeIPA?

Simo Sorce ssorce at redhat.com
Mon Jul 7 14:00:52 UTC 2008


On Mon, 2008-07-07 at 15:24 +0200, Aleksander Adamowski wrote:
> Simo Sorce wrote:
> > On Sat, 2008-07-05 at 01:43 +0200, Aleksander Adamowski wrote:
> >   
> >> E.g.:
> >> objectclass: ipaGuiConfig
> >> ipaUserAccountSubtreeRDN: cn=users,cn=accounts
> >> ipaGroupAccountSubtreeRDN: cn=groups,cn=accounts
> >> ipaComputerAccountSubtreeRDN: cn=computers,cn=accounts
> >> ....
> >> ipaKerberosSubtreeRDN: cn=Kerberos
> >> ...
> >>     
> >
> > This is a very good suggestion actually, and to be honest I have been
> > thinking of adding something similar in v2 so that clients can
> > auto-configure themselves too.
> >
> > The problem is that to change this stuff you would need to make it
> > manually or substantially change the ipa-server-install script.
> >
> > If you volunteer to send patches to ipa-server-install so that the
> > default installation will not require any more prompts then what we
> > require now in v1, then we could certainly extend IPA to handle these
> > configuration options.
> >   
> OK, I've pulled the tree from GIT.
> 
>  From grepping the code it seems to me that making those options 
> configurable shouldn't be that hard, but there must be some limitations 
> - e.g. the ACI container has to be a predecessor of all account containers.
> Would it work OK if the ACI container had been set to base DN?

It depends on the ACIs, for example I think we have stricter ACIs for access to cn=kerberos

> > Yes and no, a pre-existing directory will need to have the right
> > objectclasses on users and groups,
> 
> I think the set up scripts could intelligently add missing objectclasses 
> and required attributes to pre-existing entries.
> 
> E.g. find all "(objectclass=posixAccount)"  (or even "(uid=*)"), add 
> objectclass=krbPrincipal to them, then add a krbPrincipalName generated 
> from uid and realm name. And so on.
> 
> Note that lots of data in such an LDAP database is redundant and there 
> are functional dependencies. Codd definitely wouldn't be happy seeing an 
> object which has uid=jsmith and krbPrincipalName=jsmith at EXAMPLE.COM (not 
> to mention mail=jsmith at example.com...).
> So many values can be automatically generated during conversion from 
> existing LDAP to FreeIPA if they are missing.

These values are only incidentally equal, it might very well be that
krbprincipalname, email and uid have distinct values.
Although right now, in v1, we depend on uid being equal to the name
part of the principal name indeed.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
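The two ideas discussed in this thread, a config entry that tells clients where the account containers live, and a conversion step that adds the Kerberos objectclass and a derived krbPrincipalName to pre-existing posixAccount entries, can be sketched as a small planner that emits LDIF for ldapmodify. This is an added example written for this page, not FreeIPA code or code from either poster. The attribute names (ipaUserAccountSubtreeRDN and friends) are taken from Aleksander's proposal, the objectclass name krbPrincipal is the one used in the thread (a real deployment should check whether its schema wants the auxiliary class instead), and the base DN, realm and sample entries are constructed. It handles the case Simo raises: an entry that already carries a krbPrincipalName different from its uid is left alone rather than overwritten.

```python
"""Plan the LDAP changes that turn existing posixAccount entries under the
configured users container into Kerberos principals, and render them as LDIF.
Added example for the freeipa-devel thread; not FreeIPA or the posters' code."""

BASE_DN = "dc=example,dc=com"   # constructed sample base DN
REALM = "EXAMPLE.COM"           # constructed sample realm
PRINCIPAL_OC = "krbPrincipal"   # objectclass name as used in the thread (assumption)

# Constructed config entry modelled on the ipaGuiConfig proposal in the thread.
GUI_CONFIG = {
    "objectClass": ["ipaGuiConfig"],
    "ipaUserAccountSubtreeRDN": ["cn=users,cn=accounts"],
    "ipaGroupAccountSubtreeRDN": ["cn=groups,cn=accounts"],
}

# Constructed sample directory content: dn -> attributes (values are lists).
SAMPLE_ENTRIES = {
    # plain posixAccount, no Kerberos data yet: gets objectclass + derived principal
    "uid=jsmith,cn=users,cn=accounts,dc=example,dc=com": {
        "objectClass": ["top", "posixAccount"],
        "uid": ["jsmith"],
        "mail": ["jsmith@example.com"],
    },
    # already a principal, and its name does not match uid: must be kept as is
    "uid=adm,cn=users,cn=accounts,dc=example,dc=com": {
        "objectClass": ["top", "posixAccount", "krbPrincipal"],
        "uid": ["adm"],
        "krbPrincipalName": ["admin/ops@EXAMPLE.COM"],
    },
    # outside the users container: not touched by the conversion
    "cn=backup,cn=services,dc=example,dc=com": {
        "objectClass": ["top", "posixAccount"],
        "uid": ["backup"],
    },
}


def normalise(attrs):
    """LDAP attribute names are case-insensitive; key lookups by lowercase name."""
    return {name.lower(): values for name, values in attrs.items()}


def container_dn(config, attr, base_dn=BASE_DN):
    """Join a configured subtree RDN with the base DN, as an auto-configuring
    client would after reading the config entry."""
    return f"{normalise(config)[attr.lower()][0]},{base_dn}"


def in_subtree(dn, subtree_dn):
    """True when dn lies strictly below subtree_dn (simple suffix match)."""
    return dn.lower().endswith("," + subtree_dn.lower())


def plan_entry(dn, attrs, realm=REALM):
    """Return (dn, changes, note); changes is a list of (op, attribute, value)."""
    attrs = normalise(attrs)
    ocs = {oc.lower() for oc in attrs.get("objectclass", [])}
    if "posixaccount" not in ocs:
        return dn, [], "not a posixAccount, skipped"
    uid = attrs.get("uid", [None])[0]
    if uid is None:
        return dn, [], "no uid, cannot derive a principal name"
    changes = []
    if PRINCIPAL_OC.lower() not in ocs:
        changes.append(("add", "objectClass", PRINCIPAL_OC))
    existing = attrs.get("krbprincipalname")
    if existing:
        # Never overwrite: the principal may legitimately differ from uid.
        note = f"kept existing principal {existing[0]}"
    else:
        changes.append(("add", "krbPrincipalName", f"{uid}@{realm}"))
        note = "derived principal from uid"
    return dn, changes, note


def plan_conversion(entries, users_dn, realm=REALM):
    """Plan changes for every entry below the configured users container."""
    return [plan_entry(dn, attrs, realm)
            for dn, attrs in entries.items() if in_subtree(dn, users_dn)]


def render_ldif(plan):
    """Render the planned changes as LDIF modify records for ldapmodify."""
    records = []
    for dn, changes, _ in plan:
        if not changes:
            continue
        lines = [f"dn: {dn}", "changetype: modify"]
        for op, attr, value in changes:
            lines += [f"{op}: {attr}", f"{attr}: {value}", "-"]
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    users = container_dn(GUI_CONFIG, "ipaUserAccountSubtreeRDN")
    plan = plan_conversion(SAMPLE_ENTRIES, users)
    for dn, _, note in plan:
        print(f"# {dn}: {note}")
    print(render_ldif(plan))
```

Running it prints one LDIF record for uid=jsmith (objectclass plus jsmith@EXAMPLE.COM) and a note that uid=adm kept admin/ops@EXAMPLE.COM; the service account outside cn=users is never considered. Against a real directory the planner would be fed the result of a subtree search instead of SAMPLE_ENTRIES, and the LDIF reviewed before being applied.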