[Freeipa-devel] where should the BindDNGroup be located

Simo Sorce simo at redhat.com
Mon Nov 24 18:57:01 UTC 2014


On Mon, 24 Nov 2014 13:14:06 -0500
Rob Crittenden <rcritten at redhat.com> wrote:

> Ludwig Krispenz wrote:
> > In DS we implemented the feature that in a replica object it is
> > possible to define a group of bind DNs, instead of or in addition to
> > the use of nsds5ReplicaBindDn. This allows one to maintain a group of
> > ldap principals and add new replication agreements without having to
> > modify the replication object.
> > I want to use it in the topology plugin and it will probably be used
> > in the 4.2 replica deployment.
> > 
> > So to start with, if I create this group where should it be located
> > in the shared tree: below "cn=ipa,cn=etc,$SUFFIX" ? inside
> > cn=masters or cn=replicas or in a new container (the replication
> > topology info is in cn=topology, cn=ipa,cn=etc,... ) or in
> > cn=groups,cn=accounts,... ?
> 
> Can you just use a hostgroup for this?
> 
> We'd probably want a bit more access control around that particular
> group though.

Probably not, the group will have the ldap/ service principals as
members, not the host/ principals (and we need a separate group for the
host/ principals probably).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



