[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Freeipa-devel] Ubuntu interests in FreeIPA

Mathias Gug wrote:
> On Wed, Jul 22, 2009 at 04:44:49PM -0400, Dmitri Pal wrote:
>>> Looking at freeipa-1.2.1/ipa-server/ipa-slapi-plugins/, there are 4 plugins:
>>>  * dna: Distributed Numeric Assignment plug-in
>>> I don't know of an openldap plugin providing the same functionality.
>>> However one solution could be to use the uniq overlay to make sure the
>>> uids are unique:
>>>       The Attribute Uniqueness overlay can be used with a backend database
>>>       such as slapd-bdb(5) to enforce the uniqueness of some or all
>>>       attributes within a scope. This subtree defaults to all objects within
>>>       the subtree of the database for which the Uniqueness overlay is
>>>       configured.
>>>       For example, if uniqueness were enforced
>>>       for the uid attribute, the subtree would be searched for any other
>>>       records which also have a uid attribute containing the same value. If
>>>       any are found, the request is rejected.
>>> That would also require some modification in the administration tools
>>> by pushing the logic to generate a new user id from the slapd server
>>> to the administration tools. The code responsible for creating a new
>>> user should take into account the possibility that the ldap add
>>> operation might fail because of an existing uid and update the uid
>>> accordingly before retrying.
>> You need to take replication into the account. The DNA plugin guarantees
>> uniqueness across the whole deployment, not just one server.
>> AFAIK the replication in OpenLDAP is done differently and the DNA plugin
>> does the range negotiation between replicas as a part of the replication
>> protocol.
> Right. One proposal is to have a MirrorMode configuration [1] with the
> chain overlay configured on all slaves. That way all writes are
> eventually done on one server where the uniqueness of the uid value is
> asserted.
> [1]: http://www.openldap.org/doc/admin24/replication.html#MirrorMode%20replication
Yes, but this significantly limits the functionality. The whole point of
using 389 is its rock solid MMR and updates done on multiple machines.

Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

Looking to carve out IT costs?
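Added example (not code from this thread, FreeIPA or OpenLDAP): a constructed Python simulation of the two uidNumber allocation strategies discussed above. The `Directory`, `Replica`, `add_user_with_retry` and `merge_conflicts` names are hypothetical. It models the admin-tool retry loop Mathias proposes against a single directory that rejects duplicate uidNumbers (the behaviour the quoted overlay description gives), and then shows Dmitri's replication point: with two multi-master replicas that each check uniqueness only locally, the retry scheme lets both accept the same value before replication, whereas disjoint per-replica ranges in the style of the DNA plugin produce nothing to reconcile.

```python
"""Constructed simulation (not FreeIPA or OpenLDAP code) of two ways of
allocating uidNumber: client-side retry against a uniqueness-enforcing
directory, versus DNA-style per-replica ranges."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


class UniquenessViolation(Exception):
    """Stands in for the constraint-violation error a uniqueness overlay returns."""


@dataclass
class Directory:
    """Toy directory that rejects an add whose uidNumber is already in use."""
    entries: Dict[str, int] = field(default_factory=dict)  # dn -> uidNumber

    def add(self, dn: str, uid_number: int) -> None:
        if uid_number in self.entries.values():
            raise UniquenessViolation(f"uidNumber {uid_number} already in use")
        self.entries[dn] = uid_number

    def max_uid(self, floor: int) -> int:
        return max(self.entries.values(), default=floor - 1)


def add_user_with_retry(directory: Directory, dn: str, floor: int = 1000,
                        candidate: Optional[int] = None, max_attempts: int = 8) -> int:
    """Allocation pushed into the admin tool: start from a candidate (max+1, or a
    possibly stale value computed earlier), and on a uniqueness error bump and retry."""
    uid = directory.max_uid(floor) + 1 if candidate is None else candidate
    for _ in range(max_attempts):
        try:
            directory.add(dn, uid)
            return uid
        except UniquenessViolation:
            uid += 1
    raise RuntimeError(f"could not allocate a uidNumber for {dn}")


@dataclass
class Replica:
    """Multi-master replica with its own copy of the data. Uniqueness is only
    checked locally, so two replicas can accept the same uidNumber before syncing."""
    name: str
    local: Directory = field(default_factory=Directory)
    dna_range: Optional[Tuple[int, int]] = None  # hypothetical DNA-style exclusive range
    next_dna: int = 0

    def allocate_naive(self, dn: str) -> int:
        return add_user_with_retry(self.local, dn)

    def allocate_dna(self, dn: str) -> int:
        """Hand out the next value from this replica's own disjoint range."""
        lo, hi = self.dna_range
        if not lo <= self.next_dna <= hi:
            raise RuntimeError(f"{self.name}: range exhausted, would negotiate a new one")
        uid = self.next_dna
        self.next_dna += 1
        self.local.add(dn, uid)
        return uid


def merge_conflicts(replicas: List[Replica]) -> List[Tuple[str, int]]:
    """Replay every replica's entries into one directory and return the adds that
    collide, i.e. what replication would have to reconcile."""
    merged = Directory()
    conflicts: List[Tuple[str, int]] = []
    for r in replicas:
        for dn, uid in r.local.entries.items():
            if merged.entries.get(dn) == uid:
                continue  # same replicated entry seen from another replica
            try:
                merged.add(dn, uid)
            except UniquenessViolation:
                conflicts.append((dn, uid))
    return conflicts


def naive_mmr_scenario() -> List[Tuple[str, int]]:
    """Both replicas hold a synced entry at 1000; concurrent adds both pick 1001."""
    a, b = Replica("a"), Replica("b")
    for r in (a, b):
        r.local.add("uid=seed,ou=people", 1000)  # constructed seed entry
    a.allocate_naive("uid=alice,ou=people")
    b.allocate_naive("uid=bob,ou=people")
    return merge_conflicts([a, b])


def dna_scenario() -> List[Tuple[str, int]]:
    """Same concurrent adds with per-replica ranges: nothing to reconcile."""
    a = Replica("a", dna_range=(1001, 1500), next_dna=1001)
    b = Replica("b", dna_range=(1501, 2000), next_dna=1501)
    for r in (a, b):
        r.local.add("uid=seed,ou=people", 1000)
    a.allocate_dna("uid=alice,ou=people")
    b.allocate_dna("uid=bob,ou=people")
    return merge_conflicts([a, b])


if __name__ == "__main__":
    print("naive multi-master conflicts:", naive_mmr_scenario())
    print("DNA-style range conflicts:", dna_scenario())
```

Running it prints one collision (`uid=bob` at 1001) for the naive scheme and none for the range scheme; the retry loop is only safe where a single server sees every write, which is the MirrorMode-plus-chaining constraint the thread is weighing.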
