[Freeipa-devel] Ubuntu interests in FreeIPA

Dmitri Pal dpal at redhat.com
Wed Jul 22 20:44:49 UTC 2009


> Looking at freeipa-1.2.1/ipa-server/ipa-slapi-plugins/, there are 4 plugins:
>
>  * dna: Distributed Numeric Assignment plug-in
>
> I don't know of an openldap plugin providing the same functionality.
>
> However one solution could be to use the uniq overlay to make sure the
> uids are unique:
>
>       The  Attribute  Uniqueness  overlay can be used with a backend database
>       such  as  slapd-bdb(5)  to  enforce  the  uniqueness  of  some  or  all
>       attributes  within a scope. This subtree defaults to all objects within
>       the subtree of the database for which the Uniqueness overlay is
>       configured.
>
>       For example, if uniqueness were enforced
>       for the uid attribute, the subtree would  be  searched  for  any  other
>       records  which  also have a uid attribute containing the same value. If
>       any are found, the request is rejected.
>
> That would also require some modification in the administration tools
> by pushing the logic to generate a new user id from the slapd server
> to the administration tools. The code responsible for creating a new
> user should take into account the possibility that the ldap add
> operation might fail because of an existing uid and update the uid
> accordingly before retrying.
>
>   
You need to take replication into account. The DNA plugin guarantees
uniqueness across the whole deployment, not just one server.
AFAIK the replication in OpenLDAP is done differently and the DNA plugin
does the range negotiation between replicas as a part of the replication
protocol.
 



-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.
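
The point raised in the reply above, as an added example that is not part of the original message and is not OpenLDAP or DNA plugin code: a simplified Python model in which a per-server uniqueness check plus tool-side retry still lets two servers assign the same uidNumber, while disjoint per-replica ranges do not. The `Replica` class, the range values and the two-writable-servers-with-delayed-replication setup are assumptions made for the illustration.

```python
# Simplified model, constructed for illustration; not OpenLDAP or 389 DS code.
class Replica:
    def __init__(self, id_range=None):
        self.entries = {}              # uidNumber -> login (local view only)
        # (first, last) of a private range, or None when ids come from the tool
        self.next_free, self.last = id_range or (None, None)

    def add(self, uid_number, login):
        # Uniqueness is checked against this server's own data only.
        if uid_number in self.entries:
            raise ValueError("uidNumber already in use")
        self.entries[uid_number] = login

    def add_with_retry(self, login, start=1000):
        # Tool-side allocation: propose an id, bump it when the add is rejected.
        candidate = start
        while True:
            try:
                self.add(candidate, login)
                return candidate
            except ValueError:
                candidate += 1

    def add_from_range(self, login):
        # Server-side allocation from a range no other replica owns.
        if self.next_free > self.last:
            raise RuntimeError("range exhausted, a new range is needed")
        uid_number, self.next_free = self.next_free, self.next_free + 1
        self.add(uid_number, login)
        return uid_number

def replicate(a, b):
    # Merge both views; report uidNumbers that two different logins claimed.
    conflicts = sorted(n for n in a.entries.keys() & b.entries.keys()
                       if a.entries[n] != b.entries[n])
    merged = {**b.entries, **a.entries}
    a.entries, b.entries = dict(merged), dict(merged)
    return conflicts

def retry_scenario():
    a, b = Replica(), Replica()
    a.add_with_retry("alice")          # both adds land before replication
    b.add_with_retry("bob")
    return replicate(a, b)

def range_scenario():
    a, b = Replica((1000, 1499)), Replica((1500, 1999))
    a.add_from_range("alice")
    b.add_from_range("bob")
    return replicate(a, b)
```

`retry_scenario()` returns the uidNumbers that both servers accepted for different users; `range_scenario()` returns an empty list because the two allocation ranges never overlap.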

