[Freeipa-devel] Ubuntu interests in FreeIPA

Dmitri Pal dpal at redhat.com
Wed Jul 22 22:07:41 UTC 2009


Mathias Gug wrote:
> On Wed, Jul 22, 2009 at 04:44:49PM -0400, Dmitri Pal wrote:
>
>>> Looking at freeipa-1.2.1/ipa-server/ipa-slapi-plugins/, there are 4 plugins:
>>>
>>>  * dna: Distributed Numeric Assignment plug-in
>>>
>>> I don't know of an openldap plugin providing the same functionality.
>>>
>>> However one solution could be to use the uniq overlay to make sure the
>>> uids are unique:
>>>
>>>       The Attribute Uniqueness overlay can be used with a backend database
>>>       such as slapd-bdb(5) to enforce the uniqueness of some or all
>>>       attributes within a scope. This subtree defaults to all objects within
>>>       the subtree of the database for which the Uniqueness overlay is configured.
>>>
>>>       For example, if uniqueness were enforced
>>>       for the uid attribute, the subtree would be searched for any other
>>>       records which also have a uid attribute containing the same value. If
>>>       any are found, the request is rejected.
>>>
>>> That would also require some modification in the administration tools
>>> by pushing the logic to generate a new user id from the slapd server
>>> to the administration tools. The code responsible for creating a new
>>> user should take into account the possibility that the ldap add
>>> operation might fail because of an existing uid and update the uid
>>> accordingly before retrying.
>>>
>> You need to take replication into the account. The DNA plugin guarantees
>> uniqueness across the whole deployment, not just one server.
>> AFAIK the replication in OpenLDAP is done differently and the DNA plugin
>> does the range negotiation between replicas as a part of the replication
>> protocol.
>>
>
> Right. One proposal is to have a MirrorMode configuration [1] with the
> chain overlay configured on all slaves. That way all writes are
> eventually done on one server where the uniqueness of the uid value is
> asserted.
>
> [1]: http://www.openldap.org/doc/admin24/replication.html#MirrorMode%20replication
>
Yes, but this significantly limits the functionality. The whole point of
using 389 is its rock solid MMR and updates done on multiple machines.


-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.
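The client-side retry Mathias describes for the unique-overlay approach (pick the next uidNumber, add, and retry when the server rejects a duplicate), as an added example that is not from the thread or from the FreeIPA code base. The directory class is a constructed stand-in for slapd with the unique overlay on uidNumber; it raises where python-ldap would raise ldap.CONSTRAINT_VIOLATION, and the racing variant injects a competing writer between the search and the add.

```python
"""Client-side uidNumber allocation with retry against a uniqueness-enforcing server."""


class ConstraintViolation(Exception):
    """Stands in for ldap.CONSTRAINT_VIOLATION as raised by the unique overlay."""


class UniqueDirectory:
    """Constructed stand-in for one slapd database with 'unique' on uidNumber."""

    def __init__(self, entries=None):
        self.entries = dict(entries or {})  # dn -> uidNumber

    def max_uid(self):
        # What an admin tool would get from a search sorted on uidNumber.
        return max(self.entries.values(), default=999)

    def add(self, dn, uid):
        if uid in self.entries.values():
            raise ConstraintViolation(f"uidNumber {uid} already in use")
        self.entries[dn] = uid


def create_user(directory, cn, max_retries=5):
    """Read the highest uidNumber, add the entry with the next one, retry on collision."""
    dn = f"uid={cn},ou=People,dc=example,dc=com"  # assumed suffix
    for _ in range(max_retries):
        uid = directory.max_uid() + 1
        try:
            directory.add(dn, uid)
            return uid
        except ConstraintViolation:
            continue  # another writer took this uid; re-read the maximum and retry
    raise RuntimeError(f"could not allocate a uidNumber for {cn} after {max_retries} tries")


class RacingDirectory(UniqueDirectory):
    """Simulates a second admin tool grabbing the same uid between search and add."""

    def __init__(self, entries=None, races=1):
        super().__init__(entries)
        self.races = races  # how many times the competitor wins the race

    def add(self, dn, uid):
        if self.races > 0:
            self.races -= 1
            super().add(f"uid=other{uid},ou=People,dc=example,dc=com", uid)
        super().add(dn, uid)
```

The retry only closes the window when every add is evaluated by one server that sees all entries, which is why the thread pairs the overlay with chaining to a single MirrorMode master: an overlay on one replica cannot reject a uid that another master accepted but has not yet replicated.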

