[Freeipa-devel] Disabling Schema Compatibility rule
Martin Kosek
mkosek at redhat.com
Fri Mar 4 08:43:44 UTC 2016
Hi Alexander and others,
As you know, SSSD 1.13.4 added support of reading the native SUDO tree [1].
This means that FreeIPA deployments with all clients being SSSD 1.13.4 or older
will be able to disable the sudoers schema compatibility tree
(cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config).
Right now, I am only aware of an attribute to disable the whole Schema Compat
plugin (exposed via ipa-compat-manage tool), but this would not fly for people
with legacy clients reading from Compat tree.
I am thinking, is there an easy way we can recommend to admins on how to
disable just certain Schema Compatibility rules? Ideally having a config
option, something like:
schema-compat-enabled: on|off
That could be changed via ldapmodify.
[1] https://fedorahosted.org/sssd/ticket/1108
--
Martin Kosek <mkosek at redhat.com>
Manager, Software Engineering - Identity Management Team
Red Hat, Inc.