[Freeipa-devel] FreeIPA and per-machine views

[Simo Sorce]

On Thu, 2011-09-22 at 21:55 -0400, Dmitri Pal wrote:
> I do not think we want to deal with multiple subtrees of users in the
> same IPA instance. We already decided against it in the past when we
> flattened the tree. At least I am not convinced that this is actually
> needed. I am actually aware of one more use case why people do
> different
> subtrees for users. It is because they have duplication of the
> uid/gid.
> Though it is bad it is a reality that people deal with. And they deal
> with it by having subtrees in DS. But it will not help in our case as
> IPA is built with the notion of the unified uid/gid namespace. The
> only
> thing will help in both cases is different IPA domains with trust
> relations so I suggest we focus on that part rather than support of
> multiple subtrees for users. If IPA trusts still do not work for the
> user may be staying with a free from DS server is a better choice. 

I think we can have overrides for users too, but like for group I am
absolutely against them being "normal" objects. Overrides should be
clearly identifiable as such and should generally not be usable as
regular users/groups in software that is not explicitly built to
understand them, otherwise chaos will ensue.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York