[Freeipa-devel] How to implement Magic Private Groups in FreeIPA ?

Simo Sorce ssorce at redhat.com
Fri Nov 13 15:51:06 UTC 2009


On Fri, 2009-11-13 at 10:30 -0500, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Thu, 2009-11-12 at 10:37 -0500, Dmitri Pal wrote:
> >>> So killing two birds with one stone we are thinking of introducing a
> >>> new attribute called posixName that has a case sensitive syntax and does
> >>> not conflict with other uses of uid and cn. We will probably still set
> >>> uid on users and cn on groups but they will be kept in sync with
> >>> posixName (except for cn on user accounts that holds the full name).
> >>>
> >> So posixName will be a part of the user account object and group
> >> object, right?
> >> Can you please add more details here?
> > 
> > Correct,
> > we would switch to primarily use posixName for users and groups names.
> > 
> > A group entry would probably look like this (from memory):
> > 
> > cn=newgroup,cn=groups,cn=accounts,dc=example,dc=com
> > objectclass: nestedgroup
> > objectclass: posixGroup
> > objectclass: ipaPosixName
> > cn: newgroup
> > posixName: newgroup
> > member: ...
> > member: ...
> > 
> > 
> > When searching for this group we would use a query like:
> > '(&(objectClass=posixGroup)(posixName=newgroup))'
> > 
> > Same for users.
> > 
> > Simo.
> > 
> > 
> 
> FYI, here is the new schema I've come up with:
> 
> dn: cn=schema
> attributeTypes: ( 2.16.840.1.113730.3.8.3.54 NAME 'posixName' EQUALITY 
> caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE)
> objectClasses: ( 2.16.840.1.113730.3.8.3.55 NAME 'ipaPosixName' DESC 
> 'Case-sensitive name common to users and groups' AUXILIARY MUST ( 
> posixName ) X-ORIGIN 'IPA v2' )
> 
> It also occurs to me that we'll need to prevent any modifications to the 
> posixName attribute unless the cn/uid is also being modified. In other 
> words, sync needs to be 2-way.

Yes, these attributes need to be "linked" somehow.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
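Added example, not code from the thread or from FreeIPA itself: a small Python check for the 2-way sync rule Rob raises above (a posixName change is only accepted when cn or uid is replaced with the identical value in the same modify) plus a builder for the group lookup filter Simo shows, with the name escaped so it cannot alter the filter. The dict-based entry and modify representation is an assumption for illustration, not an LDAP server API.

```python
"""Check the posixName <-> cn/uid linkage discussed in the thread.

Entries are plain dicts (attribute -> list of values); a modify is a list of
(op, attribute, values) tuples. All sample data here is constructed."""

# Which naming attribute posixName must mirror, keyed by object class.
LINKED_ATTR = {"posixGroup": "cn", "posixAccount": "uid"}

def _replaced_value(mods, attr):
    """Value attr is being replaced with in mods (None if not replaced)."""
    for op, name, values in mods:
        if name.lower() == attr.lower() and op == "replace":
            return values[0] if values else None
    return None

def check_posixname_sync(entry, mods):
    """Return (ok, reason). A modify that changes posixName is accepted only
    if the linked attribute (cn or uid) is replaced with the identical,
    case-sensitive value in the same operation (the 2-way sync rule)."""
    classes = {c.lower() for c in entry.get("objectClass", [])}
    if "ipaposixname" not in classes:
        return True, "entry does not carry ipaPosixName; nothing to enforce"
    linked = next((a for oc, a in LINKED_ATTR.items() if oc.lower() in classes), None)
    if linked is None:
        return False, "ipaPosixName without posixGroup/posixAccount"
    new_posix = _replaced_value(mods, "posixName")
    new_linked = _replaced_value(mods, linked)
    if new_posix is None and new_linked is None:
        return True, "neither attribute touched"
    if new_posix is None or new_linked is None:
        return False, f"posixName and {linked} must be modified together"
    if new_posix != new_linked:  # exact match: posixName is case-sensitive
        return False, f"posixName {new_posix!r} != {linked} {new_linked!r}"
    return True, "linked attributes updated consistently"

def escape_filter_value(value):
    """RFC 4515 escaping so a supplied name cannot change the filter shape."""
    return "".join(c if c not in "\\*()\x00" else "\\%02x" % ord(c) for c in value)

def group_search_filter(name):
    """Build the lookup filter from the thread for a group called name."""
    return f"(&(objectClass=posixGroup)(posixName={escape_filter_value(name)}))"

GROUP = {  # constructed entry mirroring the example in the thread
    "objectClass": ["nestedgroup", "posixGroup", "ipaPosixName"],
    "cn": ["newgroup"], "posixName": ["newgroup"], "member": [],
}

if __name__ == "__main__":
    print(check_posixname_sync(GROUP, [("replace", "posixName", ["ops"])]))
    print(group_search_filter("newgroup"))
```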
