[Freeipa-devel] Ubuntu interests in FreeIPA

Mathias Gug mathiaz at ubuntu.com
Wed Jul 22 21:25:48 UTC 2009 

On Wed, Jul 22, 2009 at 04:44:49PM -0400, Dmitri Pal wrote:
> 
> > Looking at freeipa-1.2.1/ipa-server/ipa-slapi-plugins/, there are 4 plugins:
> >
> >  * dna: Distributed Numeric Assignment plug-in
> >
> > I don't know of an openldap plugin providing the same functionality.
> >
> > However one solution could be to use the uniq overlay to make sure the
> > uids are unique:
> >
> >       The  Attribute  Uniqueness  overlay can be used with a backend database
> >       such  as  slapd-bdb(5)  to  enforce  the  uniqueness  of  some  or  all
> >       attributes  within a scope. This subtree defaults to all objects within
> >       the subtree of the database for which the Uniqueness overlay is config‐
> >       ured.
> >
> >       For example, if uniqueness were enforced
> >       for the uid attribute, the subtree would  be  searched  for  any  other
> >       records  which  also have a uid attribute containing the same value. If
> >       any are found, the request is rejected.
> >
> > That would also require some modification in the administration tools
> > by pushing the logic to generate a new user id from the slapd server
> > to the administration tools. The code responsible for creating a new
> > user should take into account the possibility that the ldap add
> > operation might fail because of an existing uid and update the uid
> > accordingly before retrying.
> >
> >   
> You need to take replication into the account. The DNA plugin guarantees
> uniqueness across the whole deployment, not just one server.
> AFAIK the replication in OpenLDAP is done differently and the DNA plugin
> does the range negotiation between replicas as a part of the replication
> protocol.
>  

Right. One proposal is to have a MirrorMode configuration [1] with the
chain overlay configured on all slaves. That way all writes are
eventually done on one server where the uniqueness of the uid value is
asserted.

[1]: http://www.openldap.org/doc/admin24/replication.html#MirrorMode%20replication

-- 
Mathias Gug
Ubuntu Developer  http://www.ubuntu.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: Digital signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20090722/f7351c84/attachment.sig>

More information about the Freeipa-devel mailing list