[Freeipa-users] 389-ds to free-ipa transition; transparent?

Dmitri Pal dpal at redhat.com
Thu Sep 2 21:00:27 UTC 2010


Brian LaMere wrote:
> On Tue, Aug 24, 2010 at 6:16 PM, Rob Crittenden <rcritten at redhat.com
> <mailto:rcritten at redhat.com>> wrote:
>
>     Brian LaMere wrote:
>
>         Yes, if not easier. It is just 389-ds under the hood, we have
>         some simple management tools that create the agreements for
>         you. Since we use our own CA SSL is easy as well.
>
>
> if I already have certs for the servers that would be running the IPA,
> would it be easy enough to use those?  I ask because my gold images
> come out of the box already trusting my ldap servers, which means
> using someone else's CA can potentially be a concern.  That's not a
> show-stopper, because I can work around that anyway.

I think you can use the certs that you already have.
http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
http://www.freeipa.org/page/Administrators_Guide#Managing_Certificates_and_Certificate_Authorities

If you need more details you need to wait a bit for Rob to get back from
leave.

>  
>
>     Depending on your configuration the data migration should be
>     relatively straightforward but know that the IPA DIT is completely
>     flat. All users are in one container, groups in another, etc. 
>
>
> I have to admit that while I'm very good at some things, I was only
> "ok" with ldap way back long long ago when I did anything with it.  I
> just created a custom schema with a couple hundred attributeTypes and
> a couple dozen objectclasses so that I can manage a lot of different
> things within ldap (single point of pluggable info to allow an
> object-oriented framework, independent of what tools are used).  So
> when I read your "the IPA DIT is completely flat" statement I got a
> bit worried.  Much of what I am doing will be far more difficult if I
> can't give texture to things, and my understanding is that a
> "completely flat DIT" is very difficult to create good aci's against.
>
> I know that the obvious answer is to just install it, and look and see
> if it does what I want anyway ;)  But without spending time to do
> that...if I leave the users/groups in their current flat places, could
> I add texture to the DIT elsewhere (aci's are almost vital for what
> I'm doing; I want to expose methods, which means I can't just "trust"
> tools or hosts) without causing problems for FreeIPA?
>
> It's a lazy bred not out of laziness of not wanting to just experiment
> and test myself, but out of having a high workload; I'd like to use
> FreeIPA, and am just wondering if the above question has an obvious
> answer that doesn't even need to be tested.
>
The ACIs are defined inside the underlying Directory Server. Details
and syntax are here:
http://directory.fedoraproject.org/wiki/Howto:AccessControl
The ACIs as you see can be group based. One does not need a hierarchical
"ou" user structure in the DS for ACIs  - just groups. So all the users
live in one container without any hierarchy.  All the hierarchy can be
accomplished by creating a combination of nested groups. Groups live in
another container but on the same level. This is what we mean by "flat
tree".


> Thanks,
> Brian LaMere


-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
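To make the "flat tree, group-based ACIs" point concrete, here is an added example (not from the thread, and not FreeIPA's own shipped ACIs) written in the 389-ds ACI syntax that the Howto:AccessControl page documents. It assumes the IPA-style layout of users under cn=users,cn=accounts and groups under cn=groups,cn=accounts beneath a placeholder suffix dc=example,dc=com; the group names (helpdesk, engineering, engineering-managers) are invented, and the third rule assumes the memberOf plugin is populating the memberOf attribute on user entries. Because an ACI placed on an entry applies to that entry and everything below it, one ACI on the user container covers every user without any ou hierarchy, and the "texture" comes from which groups a user belongs to rather than from where the entry sits in the tree.

```ldif
# Added example: group-based 389-ds ACIs on a flat user container.
# Assumptions: IPA-style DIT under dc=example,dc=com (placeholder suffix),
# invented group names, memberOf attribute maintained by the memberOf plugin.
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
# Members of the helpdesk group may edit phone attributes of any user.
aci: (targetattr = "telephoneNumber || mobile")(version 3.0; acl "helpdesk may edit phone numbers"; allow (write) groupdn = "ldap:///cn=helpdesk,cn=groups,cn=accounts,dc=example,dc=com";)
-
add: aci
# A user may change only their own password; nobody else gets write on it here.
aci: (targetattr = "userPassword")(version 3.0; acl "users change their own password"; allow (write) userdn = "ldap:///self";)
-
add: aci
# "Departmental" scoping without an ou subtree: engineering managers may edit
# phone attributes only on entries whose memberOf includes the engineering group.
aci: (targetattr = "telephoneNumber || mobile")(targetfilter = "(memberOf=cn=engineering,cn=groups,cn=accounts,dc=example,dc=com)")(version 3.0; acl "engineering managers may edit engineering phone numbers"; allow (write) groupdn = "ldap:///cn=engineering-managers,cn=groups,cn=accounts,dc=example,dc=com";)
```

Load it with ldapmodify as a privileged bind, e.g. `ldapmodify -x -D "cn=Directory Manager" -W -f acis.ldif`, then test as an ordinary member of each group. Two checks worth doing before relying on rules like these: 389-ds denies anything no ACI allows, so the rules above are additive and you should confirm that a bind outside all three groups really gets no write access; and since the third rule keys on memberOf, verify that nested group membership is being flattened into that attribute the way you expect, otherwise a user in a subgroup of engineering will not match the targetfilter.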



