[Freeipa-devel] Ubuntu interests in FreeIPA
Dmitri Pal
dpal at redhat.com
Wed Jul 22 22:07:41 UTC 2009
Mathias Gug wrote:
> On Wed, Jul 22, 2009 at 04:44:49PM -0400, Dmitri Pal wrote:
>
>>> Looking at freeipa-1.2.1/ipa-server/ipa-slapi-plugins/, there are 4 plugins:
>>>
>>> * dna: Distributed Numeric Assignment plug-in
>>>
>>> I don't know of an openldap plugin providing the same functionality.
>>>
>>> However one solution could be to use the uniq overlay to make sure the
>>> uids are unique:
>>>
>>> The Attribute Uniqueness overlay can be used with a backend database
>>> such as slapd-bdb(5) to enforce the uniqueness of some or all
>>> attributes within a scope. This subtree defaults to all objects within
>>> the subtree of the database for which the Uniqueness overlay is
>>> configured.
>>>
>>> For example, if uniqueness were enforced
>>> for the uid attribute, the subtree would be searched for any other
>>> records which also have a uid attribute containing the same value. If
>>> any are found, the request is rejected.
>>>
>>> That would also require some modification in the administration tools
>>> by pushing the logic to generate a new user id from the slapd server
>>> to the administration tools. The code responsible for creating a new
>>> user should take into account the possibility that the ldap add
>>> operation might fail because of an existing uid and update the uid
>>> accordingly before retrying.
>>>
>>>
>>>
>> You need to take replication into the account. The DNA plugin guarantees
>> uniqueness across the whole deployment, not just one server.
>> AFAIK the replication in OpenLDAP is done differently and the DNA plugin
>> does the range negotiation between replicas as a part of the replication
>> protocol.
>>
>>
>
> Right. One proposal is to have a MirrorMode configuration [1] with the
> chain overlay configured on all slaves. That way all writes are
> eventually done on one server where the uniqueness of the uid value is
> asserted.
>
> [1]: http://www.openldap.org/doc/admin24/replication.html#MirrorMode%20replication
>
>
Yes, but this significantly limits the functionality. The whole point of
using 389 is its rock-solid MMR and updates done on multiple machines.
--
Thank you,
Dmitri Pal
Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
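The two positions in the thread can be seen side by side in a small simulation: the client-side "add, catch the uniqueness rejection, bump the number, retry" logic Mathias describes, and Dmitri's objection that a per-server uniqueness check does nothing for writes accepted on two masters at once. This is an added example written for this page; it is not FreeIPA, 389-ds or OpenLDAP code. The in-memory UniqueDirectory class, the add_user and next_free_uidnumber helpers, the base DN ou=people,dc=example,dc=com and the sample user names are all constructed for the example; the only real-world values used are the LDAP result codes constraintViolation (19) and entryAlreadyExists (68), and the overlay's diagnostic text is approximated rather than copied from slapd. The range split in the last function shows the idea behind DNA-style range allocation with the upper bound of each range omitted for brevity.

```python
"""Client-side uidNumber allocation against a directory that only enforces
attribute uniqueness (as the OpenLDAP 'unique' overlay does), and why that
is not enough once writes are accepted on more than one replica.

Constructed example; not FreeIPA, 389-ds or OpenLDAP code. UniqueDirectory
stands in for one slapd with the unique overlay configured for uidNumber and
uid. Only the LDAP result codes below are real-world values.
"""
from dataclasses import dataclass, field

LDAP_CONSTRAINT_VIOLATION = 19   # what the unique overlay returns on a clash
LDAP_ENTRY_ALREADY_EXISTS = 68


class LDAPError(Exception):
    """Minimal stand-in for an LDAP result error (code + diagnostic text)."""

    def __init__(self, code, message):
        super().__init__(f"{code}: {message}")
        self.code = code
        self.message = message


@dataclass
class UniqueDirectory:
    """One slapd instance. add() rejects a duplicate value of any attribute in
    unique_attrs anywhere in its (single) subtree, mirroring the overlay."""
    entries: dict = field(default_factory=dict)          # dn -> attribute dict
    unique_attrs: tuple = ("uidNumber", "uid")

    def add(self, dn, attrs):
        if dn in self.entries:
            raise LDAPError(LDAP_ENTRY_ALREADY_EXISTS, "entry already exists")
        for attr in self.unique_attrs:
            value = attrs.get(attr)
            if value is None:
                continue
            if any(e.get(attr) == value for e in self.entries.values()):
                # Constructed diagnostic text (not slapd's exact string); it names
                # the attribute so the client can tell a uidNumber clash from a
                # clash on the login name.
                raise LDAPError(LDAP_CONSTRAINT_VIOLATION,
                                f"some attributes not unique: {attr}={value}")
        self.entries[dn] = dict(attrs)

    def highest_uidnumber(self, floor):
        """Highest allocated uidNumber at or above floor, else floor - 1."""
        used = [e["uidNumber"] for e in self.entries.values()
                if e.get("uidNumber", -1) >= floor]
        return max(used, default=floor - 1)


def next_free_uidnumber(directory, floor=1000):
    """What the admin tool computes before the add: highest in use + 1."""
    return directory.highest_uidnumber(floor) + 1


def add_user(directory, uid, candidate, base="ou=people,dc=example,dc=com",
             max_attempts=5):
    """Add a posixAccount, treating a uidNumber uniqueness rejection as the
    signal to take the next free number and retry. Any other error propagates."""
    for _ in range(max_attempts):
        try:
            directory.add(f"uid={uid},{base}", {
                "objectClass": ["posixAccount", "inetOrgPerson"],
                "uid": uid,
                "uidNumber": candidate,
                "gidNumber": candidate,
                "homeDirectory": f"/home/{uid}",
            })
            return candidate
        except LDAPError as err:
            if err.code != LDAP_CONSTRAINT_VIOLATION or "uidNumber=" not in err.message:
                raise      # a clashing login name is not fixed by bumping a number
            # Another writer won the race for this number; skip past what is now used.
            candidate = max(candidate, directory.highest_uidnumber(candidate)) + 1
    raise RuntimeError(f"could not allocate a uidNumber for {uid} in {max_attempts} attempts")


def uncoordinated_replicas_collide():
    """Two masters, each running the unique overlay, no range negotiation.
    Each local check passes, so both hand out the same uidNumber; once the
    entries replicate, two different users share one POSIX identity."""
    left, right = UniqueDirectory(), UniqueDirectory()
    a = add_user(left, "dave", next_free_uidnumber(left))
    b = add_user(right, "erin", next_free_uidnumber(right))
    return a, b


def partitioned_replicas_do_not_collide():
    """What a DNA-style range split buys: each master allocates from its own
    disjoint range, so concurrent adds on different masters cannot clash."""
    left, right = UniqueDirectory(), UniqueDirectory()
    a = add_user(left, "dave", next_free_uidnumber(left, floor=1000))
    b = add_user(right, "erin", next_free_uidnumber(right, floor=2000))
    return a, b
```

The retry loop only reacts to a uidNumber rejection; a rejected login name or an existing DN is raised unchanged, since silently renumbering in that case would hide a real conflict. uncoordinated_replicas_collide() returns the same number for both users, which is the replication problem the DNA plugin's range negotiation exists to prevent; the partitioned variant returns two distinct numbers without either master having to consult the other.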