[Freeipa-users] Auto membership plugin
Nathan Kinder
nkinder at redhat.com
Wed Mar 30 14:31:14 UTC 2011
On 03/30/2011 06:32 AM, Rob Crittenden wrote:
> Dmitri Pal wrote:
>> Hello,
>>
>> Please find the design for the auto membership plugin:
>> https://fedorahosted.org/freeipa/ticket/753
>> Here: http://directory.fedoraproject.org/wiki/Auto_Membership_Design
>>
>> I have some comments and questions:
>> 1) Is the AND functionality for inclusion criteria required?
>> 2) How are the attributes escaped? Do they need to be? Probably there will
>> be cases when they should be escaped.
>> 3) Parsing pairs in the value is a bit of overhead. I wonder if there is
>> any way to avoid it?
>> 4) I have concerns about the UI and CLI, do you see any good ways to
>> manage such entries?
>>
>
> Because the configuration is stored in cn=config we would need to bind
> as DM to be able to manage it (unless we want to make an exception and
> allow writing here). Could a bad config prevent 389-ds from
> starting?
No. Similar to a bad DNA or managed entry setup, an error would be
logged and the bad config entry would be skipped.
>
> I assume a restart would be needed whenever a configuration change is
> made?
Only enabling the plug-in at the top level, which we could enable by
default. The definition entry changes would be dynamic.
>
> What happens if the target in automembertargetgroup gets removed?
I still need to fill in the "Behavior" section in the design doc, but
this plug-in is not a referential integrity plug-in. It simply monitors
ADD operations and updates the membership accordingly. Nothing is done
for MOD, DEL, or MODRDN operations.
-NGK
>
> rob