[Freeipa-devel] Ubuntu interests in FreeIPA
nkinder at redhat.com
Tue Jul 28 05:51:01 UTC 2009
On 07/22/2009 11:11 AM, Mathias Gug wrote:
> Sorry for not following up earlier on this, but this topic has been
> recently brought on the Ubuntu freeipa team mailing list:
> https://lists.launchpad.net/freeipa/msg00009.html
> Here are my comments mainly related to supporting openldap instead of
> 389DS in FreeIPA:
> On Tue, Jun 30, 2009 at 9:30 AM, Simo Sorce<ssorce at redhat.com> wrote:
>> On Mon, 2009-06-29 at 19:20 -0400, Mathias Gug wrote:
>>> * replace 389 Directory Server with openldap.
>>> The main reason being that the 389 Directory server is not available in
>>> the Ubuntu archive yet (there is a work in progress to get it included
>>> in Debian/Ubuntu) while openldap is already in the archive and the
>>> currently recommended directory solution in Ubuntu.
>>> My question is how tight are FreeIPA and 389 Directory Server coupled?
>> Very, we use many features of 389DS and a good amount of plugins not
>> available for openldap. It would require a quite substantial amount of
>> work and testing just to port the slapi plugins.
> * ipa-memberof: IPA memberof plugin
> There is a similar overlay in openldap:
> The memberof overlay to slapd(8) allows automatic reverse group
> membership maintenance. Any time a group entry is modified, its members are
> modified as appropriate in order to keep a DN-valued "is member of"
> attribute updated with the DN of the group.
My understanding is that the memberOf overlay does not deal with nested
It is strictly a 1:1 relationship (forward pointer, reverse pointer).
memberOf plug-in maintains reverse pointers for inherited membership,
takes advantage of.
Take this with a grain of salt as I haven't confirmed this by looking at the
overlay code personally.
> Mathias Gug
> Ubuntu Developer http://www.ubuntu.com
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
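
An added example, not part of the original message and not code from OpenLDAP or 389 DS: it contrasts the 1:1 forward/reverse pointer described in the reply with reverse pointers for inherited membership, over a constructed set of nested groups. All DNs and function names are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample data: group DN -> member DNs (users or other groups).
ADMINS = "cn=admins,dc=example,dc=com"
OPS = "cn=ops,dc=example,dc=com"
ONCALL = "cn=oncall,dc=example,dc=com"
ALICE = "uid=alice,dc=example,dc=com"
BOB = "uid=bob,dc=example,dc=com"

GROUPS = {
    ADMINS: [OPS],            # ops is nested inside admins
    OPS: [ALICE, ONCALL],     # oncall is nested inside ops
    ONCALL: [BOB, OPS],       # ops nested back into oncall: a membership cycle
}

def direct_memberof(groups):
    """1:1 reverse pointers: one memberOf value per forward member value."""
    rev = defaultdict(set)
    for group, members in groups.items():
        for member in members:
            rev[member].add(group)
    return dict(rev)

def inherited_memberof(groups):
    """Reverse pointers that also follow nested groups, tolerating cycles."""
    rev = direct_memberof(groups)
    result = {}
    for entry, parents in rev.items():
        seen, stack = set(), list(parents)
        while stack:
            group = stack.pop()
            if group in seen:
                continue          # already visited: stops loops on cycles
            seen.add(group)
            stack.extend(rev.get(group, ()))
        seen.discard(entry)       # a group caught in a cycle is not its own member
        result[entry] = seen
    return result

def missed_by_direct_only(groups):
    """Groups an access check keyed on memberOf would not see with 1:1 pointers."""
    direct, full = direct_memberof(groups), inherited_memberof(groups)
    return {e: full[e] - direct[e] for e in full if full[e] - direct[e]}

if __name__ == "__main__":
    for entry, groups in sorted(missed_by_direct_only(GROUPS).items()):
        print(entry, "is missing memberOf for", sorted(groups))
```

An access rule that matches on memberOf for `cn=admins` would apply to alice and bob only with the inherited form, which is the behaviour difference the reply raises.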