[Freeipa-devel] Ubuntu interests in FreeIPA
Mathias Gug
mathiaz at ubuntu.com
Wed Jul 22 21:25:48 UTC 2009
On Wed, Jul 22, 2009 at 04:44:49PM -0400, Dmitri Pal wrote:
>
> > Looking at freeipa-1.2.1/ipa-server/ipa-slapi-plugins/, there are 4 plugins:
> >
> > * dna: Distributed Numeric Assignment plug-in
> >
> > I don't know of an openldap plugin providing the same functionality.
> >
> > However, one solution could be to use the unique overlay to make sure the
> > uids are unique:
> >
> > The Attribute Uniqueness overlay can be used with a backend database
> > such as slapd-bdb(5) to enforce the uniqueness of some or all
> > attributes within a scope. This subtree defaults to all objects within
> > the subtree of the database for which the Uniqueness overlay is configured.
> >
> > For example, if uniqueness were enforced
> > for the uid attribute, the subtree would be searched for any other
> > records which also have a uid attribute containing the same value. If
> > any are found, the request is rejected.
> >
> > That would also require some modification in the administration tools
> > by pushing the logic to generate a new user id from the slapd server
> > to the administration tools. The code responsible for creating a new
> > user should take into account the possibility that the ldap add
> > operation might fail because of an existing uid and update the uid
> > accordingly before retrying.
> >
> >
> You need to take replication into account. The DNA plugin guarantees
> uniqueness across the whole deployment, not just one server.
> AFAIK the replication in OpenLDAP is done differently and the DNA plugin
> does the range negotiation between replicas as a part of the replication
> protocol.
>
Right. One proposal is to have a MirrorMode configuration [1] with the
chain overlay configured on all slaves. That way all writes are
eventually done on one server where the uniqueness of the uid value is
asserted.
[1]: http://www.openldap.org/doc/admin24/replication.html#MirrorMode%20replication
--
Mathias Gug
Ubuntu Developer http://www.ubuntu.com
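The two points argued in this thread, the client-side retry loop Mathias sketches for a uniqueness-overlay setup and Dmitri's objection that uniqueness has to hold across replicas rather than on one server, as an added simulation that is not part of this thread and not code from FreeIPA or OpenLDAP. It stands in for slapd with a small in-memory Directory class: the uniqueness check mimics slapo-unique, "converge" is a deliberately crude stand-in for syncrepl, and uidNumber is assumed to be the attribute being allocated (the mail says "uid"; the numeric POSIX id is what DNA hands out). The race modelled is two administrators who both read max uidNumber = 1000 before either writes.

```python
"""Simulated uidNumber allocation against servers that enforce attribute
uniqueness. Added illustration; not FreeIPA or OpenLDAP code.

Assumptions (not from the thread): the attribute allocated is uidNumber,
ids start above 1000, and replication is modelled as a plain merge."""


class ConstraintViolation(Exception):
    """Stands in for LDAP result constraintViolation (19)."""


class Directory:
    """One slapd instance. 'unique_attrs' mimics slapo-unique: an add whose
    value for such an attribute already exists in the tree is rejected."""

    def __init__(self, unique_attrs=("uidNumber",)):
        self.entries = {}  # dn -> attribute dict
        self.unique_attrs = set(unique_attrs)

    def add(self, dn, attrs):
        if dn in self.entries:
            raise ConstraintViolation(f"entryAlreadyExists: {dn}")
        for attr in self.unique_attrs:
            if attr in attrs and any(
                e.get(attr) == attrs[attr] for e in self.entries.values()
            ):
                raise ConstraintViolation(f"{attr}={attrs[attr]} already in use")
        self.entries[dn] = dict(attrs)

    def max_uidnumber(self, floor=1000):
        return max([e["uidNumber"] for e in self.entries.values()] + [floor])


def add_posix_user(directory, uid, base="ou=People,dc=example,dc=com",
                   max_retries=5, observed_max=None):
    """Allocate max(uidNumber)+1 and add; on a uniqueness rejection re-read
    the directory and retry, as the mail proposes. 'observed_max' injects a
    stale first read so the simulation can model two racing administrators."""
    last_err = None
    for attempt in range(max_retries):
        if attempt == 0 and observed_max is not None:
            candidate = observed_max + 1
        else:
            candidate = directory.max_uidnumber() + 1
        try:
            directory.add(f"uid={uid},{base}",
                          {"uid": uid, "uidNumber": candidate,
                           "gidNumber": candidate})
            return candidate
        except ConstraintViolation as err:
            last_err = err  # someone else took the number: re-read, retry
    raise RuntimeError(f"giving up after {max_retries} attempts: {last_err}")


def converge(replicas):
    """Crude stand-in for syncrepl (simplification, not real semantics):
    every entry is copied to every replica without re-running the
    uniqueness check, since each conflicting add already succeeded on its
    origin server."""
    merged = {}
    for replica in replicas:
        merged.update(replica.entries)
    for replica in replicas:
        replica.entries = dict(merged)
    return merged


def duplicate_uidnumbers(entries):
    """Return the set of uidNumber values shared by more than one entry."""
    seen, dups = set(), set()
    for entry in entries.values():
        number = entry["uidNumber"]
        if number in seen:
            dups.add(number)
        seen.add(number)
    return dups


def race_scenario(chain_writes_to_one_master):
    """Two replicas, two admins who both read max uidNumber = 1000.
    False: each admin writes to their own replica, which can only check
    uniqueness against its local copy (the failure mode Dmitri points at).
    True: both writes are sent to replicas[0], as slapo-chain on the slaves
    would do, so the second add is rejected and retried with a fresh read."""
    replicas = [Directory(), Directory()]
    targets = [replicas[0], replicas[0]] if chain_writes_to_one_master else replicas
    alice = add_posix_user(targets[0], "alice", observed_max=1000)
    bob = add_posix_user(targets[1], "bob", observed_max=1000)
    converge(replicas)
    return (alice, bob), duplicate_uidnumbers(replicas[0].entries)


if __name__ == "__main__":
    print("single master, retry on collision:", race_scenario(True))
    print("independent replicas, no global check:", race_scenario(False))
```

With a single write master the stale second add is rejected by the uniqueness check and the retry picks 1002; with writes spread over replicas both adds succeed locally and the deployment ends up with two accounts sharing uidNumber 1001 after replication, which is the case the DNA range negotiation exists to prevent.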