[Freeipa-devel] [RFE] User Life-Cycle Management

Nathan Kinder nkinder at redhat.com
Thu Sep 26 16:36:13 UTC 2013


On 09/26/2013 05:32 AM, Martin Kosek wrote:
> Hello developers!
>
> I prepared a first draft of the User Life-Cycle Management feature, which should
> appear in a later FreeIPA release.
>
> http://www.freeipa.org/page/V3/User_Life-Cycle_Management
>
> There are still open questions, the main one from my perspective is if the
> staged users should be stored in our main LDAP database/suffix or the alternate
> one. Both have pros and cons, I tried to list them in the design page.

In my research, I found that some of the 389 DS plug-ins that are used
by FreeIPA still operate across multiple backend suffixes.  For example, 
referential integrity always applies to all backends.  This means that 
there is plug-in work to do in 389 DS regardless of using separate 
backends, or the alternate tree in the same backend.  There is less 
plug-in work if we use a separate backend, but I still feel that the 
other cons with using a separate backend make the use of a single 
backend more attractive.

Thanks,
-NGK
>
> Keeping it in a separated suffix may allow less difficult maintenance of old
> and new FreeIPA servers as old FreeIPA servers and plugins (like ipa-kdb) will
> not see the staged users. But there are higher replication agreement and other
> costs connected with this approach.
>
> Comments and feedback are very welcome.
>
> Martin
