[Freeipa-devel] FreeIPA and per-machine views

Simo Sorce simo at redhat.com
Thu Sep 22 13:27:06 UTC 2011


On Thu, 2011-09-22 at 09:04 -0400, John Dennis wrote:
> On 09/21/2011 10:07 PM, Stephen Gallagher wrote:
> > I've been working on the multiple search base feature in SSSD and I've
> > had some thoughts that might be relevant to the FreeIPA v3 core
> > effort. The idea behind multiple search bases is fairly simple;
> > instead of simply checking one subtree for user or group information,
> > you check several in series, stopping at the first match.
> 
> Seems like a good idea to me.
> 
> I presume it would not be a list of search bases to be applied to just 
> one server but rather a list of <server,base> tuples.
> 
> As an implementation and use issue I would think you would want some 
> mechanism by which the <server,base> was returned with the result so 
> that some business logic could be applied based on which base produced 
> the result.

I wanted to do this for a while, esp to make migrations simpler when you
are trying to aggregate multiple old domains (like NIS domains) into a
single directory.

Other products do similar things with AD already.
The idea would be not only to have additional users/groups but also to
be able to override only single attributes of a user/group like for
example only the name, only the uid/gid, only the home directory etc...

But it requires quite some effort to do it right and in a way that will
not make things go easily out of control, so it has always been
deferred. I think this sort of functionality could also be easily
implemented by a third, interested, party under supervision of the IPA
architecture team.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
