[Freeipa-devel] Ubuntu interests in FreeIPA
Dmitri Pal
dpal at redhat.com
Wed Jul 22 20:44:49 UTC 2009
> Looking at freeipa-1.2.1/ipa-server/ipa-slapi-plugins/, there are 4 plugins:
>
> * dna: Distributed Numeric Assignment plug-in
>
> I don't know of an openldap plugin providing the same functionality.
>
> However one solution could be to use the uniq overlay to make sure the
> uids are unique:
>
> The Attribute Uniqueness overlay can be used with a backend database
> such as slapd-bdb(5) to enforce the uniqueness of some or all
> attributes within a scope. This subtree defaults to all objects within
> the subtree of the database for which the Uniqueness overlay is configured.
>
> For example, if uniqueness were enforced
> for the uid attribute, the subtree would be searched for any other
> records which also have a uid attribute containing the same value. If
> any are found, the request is rejected.
>
> That would also require some modification in the administration tools
> by pushing the logic to generate a new user id from the slapd server
> to the administration tools. The code responsible for creating a new
> user should take into account the possibility that the ldap add
> operation might fail because of an existing uid and update the uid
> accordingly before retrying.
>
>
You need to take replication into account. The DNA plugin guarantees
uniqueness across the whole deployment, not just one server.
AFAIK the replication in OpenLDAP is done differently and the DNA plugin
does the range negotiation between replicas as a part of the replication
protocol.
--
Thank you,
Dmitri Pal
Engineering Manager IPA project,
Red Hat Inc.
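
Added example, not part of the original message and not code from FreeIPA, 389 DS or OpenLDAP: a simplified Python model of the replication concern raised in the reply. It contrasts a per-server uniqueness check plus client-side retry with assignment from disjoint per-replica ranges. The Replica class, the starting id 1000 and the statically assigned ranges are assumptions; range negotiation between replicas is not modeled.

```python
# Constructed model: each replica is an in-memory set of numeric ids and
# nothing is replicated between the two writes. Not real directory-server code.

class Replica:
    def __init__(self, id_range=None):
        self.ids = set()            # numeric ids visible on this replica
        self.id_range = id_range    # private range for this replica, or None
        self.next_free = id_range.start if id_range else None

    def add_unique(self, uid_number):
        """Local uniqueness check: reject only if this replica already has it."""
        if uid_number in self.ids:
            return False
        self.ids.add(uid_number)
        return True

    def add_from_range(self):
        """Server-side assignment from a range no other replica owns."""
        if self.next_free >= self.id_range.stop:
            raise RuntimeError("range exhausted; a new range is needed")
        uid_number, self.next_free = self.next_free, self.next_free + 1
        self.ids.add(uid_number)
        return uid_number

def client_add_with_retry(replica, start=1000):
    """Admin-tool logic from the quoted proposal: pick an id, retry on rejection."""
    candidate = max(replica.ids, default=start - 1) + 1
    while not replica.add_unique(candidate):
        candidate += 1
    return candidate

def duplicates(assigned):
    """Ids handed out more than once across the whole deployment."""
    return sorted({i for i in assigned if assigned.count(i) > 1})

def run_client_side():
    a, b = Replica(), Replica()
    # Both writes land before replication carries either entry across,
    # so each local check passes and two users get the same numeric id.
    return duplicates([client_add_with_retry(a), client_add_with_retry(b)])

def run_range_based():
    a, b = Replica(range(1000, 1500)), Replica(range(1500, 2000))
    return duplicates([a.add_from_range(), b.add_from_range(), a.add_from_range()])

if __name__ == "__main__":
    print("client-side retry duplicates:", run_client_side())
    print("range-based duplicates:", run_range_based())
```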