[Freeipa-users] Extending schema

Dmitri Pal dpal at redhat.com
Wed Oct 19 17:53:05 UTC 2011


On 10/16/2011 04:53 PM, Sigbjorn Lie wrote:
> On 10/14/2011 03:14 PM, Jenny Galipeau wrote:
>>
>> ----- Original Message -----
>>> On Thu, 2011-10-13 at 15:44 +0200, Sigbjorn Lie wrote:
>>>> Hi,
>>>>
>>>> What is your recommendations for avoiding incompatibility with
>>>> future upgrades of IPA if extending
>>>> the dirsrv schema and adding custom objects to the LDAP server is
>>>> required? What considerations
>>>> and precautions should be taken?
>>>>
>>>> Such as adding RBAC support for Solaris clients...
>>> Additional schema is unlikely to cause issues if it does not conflict
>>> with standard schema. We also tend to prefix all the
>>> attributes/objectclasses we create for FreeIPA so name clashes are
>>> unlikely.
>>> If it is custom schema I suggest you prefix names appropriately
>>> too,
>>> so you have your own 'namespace'.
>>>
>>> As for placement I suggest you put this data in a separate container
>>> from standard FreeIPA stuff for new objects.
>>>
>>> In the base DN create a container named something like your company
>>> name
>>> or ticker: cn=ACME,<suffix>  and put all your customized entries
>>> there.
>>>
>>> Attaching additional data to users is not a big deal for custom
>>> schema.
>>> If it is not custom schema but standard schema not currently used by
>>> FreeIPA I would be a little bit more careful as a following version
>>> of
>>> FreeIPA might conceivably start using those attributes, and there is
>>> generally enough space to use them in a sort of 'incompatible' way.
>>>
>>> But don't let that stop you if you really need it.
>> Please note that when adding additional objectclasses to users and/or
>> group etc ... if there are required attributes in the new
>> objectclasses, you will no longer be able to add these objects from
>> Web UI and you will not be able to define values for the new
>> attributes introduced from the Web UI without customization.  You will
>> have to use the CLI and the --setattr option with the command.
>
> Thank you both, I will keep that in mind.
>
> Since Solaris RBAC is what I need at this point, are there any plans of
> including support for Solaris' RBAC at some point?

No, not really. We found that very limiting for different applications
and the RBAC model is very different depending on the context and resources
being dealt with by the app.
So we decided not to spend time on this effort but contributions are
always welcome ;-)

>
>
> Regards,
> Siggi
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
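The advice in this thread (prefix custom attribute and objectClass names so they live in your own namespace, keep custom entries in a container such as cn=ACME,<suffix>, and remember that required attributes in an extra objectClass break entry creation from the Web UI, leaving you with the CLI and --setattr) can be turned into a small generator and checker. The code below is an example added for this page, not FreeIPA's own tooling. The 'acme' prefix, the OID arc, every attribute and objectClass name, the reserved-name list and the --addattr usage are assumptions made for illustration; a real deployment would use an OID arc registered to the organisation and read the reserved names from cn=schema on the directory.

```python
"""Generate a prefixed custom schema extension for a 389-ds / FreeIPA directory
and check it against the naming advice in this thread. Example code written for
this page, not FreeIPA's own tooling. The 'acme' prefix, the OID arc and every
attribute name below are assumptions; RESERVED_NAMES is a constructed sample."""

# Hypothetical private OID arc for the ACME company. A real deployment should
# use an arc registered to the organisation (e.g. under its IANA enterprise number).
ACME_OID_ARC = "1.3.6.1.4.1.99999.1"
PREFIX = "acme"

# Constructed sample of names already taken by standard or FreeIPA schema.
# In a real check, read these from cn=schema on the directory instead.
RESERVED_NAMES = {"uid", "cn", "memberof", "ipauniqueid", "krbprincipalname",
                  "posixaccount", "inetorgperson", "ipaobject"}

DIRECTORY_STRING = "1.3.6.1.4.1.1466.115.121.1.15"   # LDAP syntax OID for DirectoryString


def attribute_type(n, name, desc, single_value=False):
    """RFC 4512 attributeTypes definition under the ACME arc (DirectoryString syntax)."""
    sv = " SINGLE-VALUE" if single_value else ""
    return (f"( {ACME_OID_ARC}.1.{n} NAME '{name}' DESC '{desc}' "
            f"EQUALITY caseIgnoreMatch SYNTAX {DIRECTORY_STRING}{sv} X-ORIGIN 'ACME' )")


def object_class(n, name, desc, sup, must, may, kind="AUXILIARY"):
    """RFC 4512 objectClasses definition; MUST/MAY are lists of attribute names."""
    must_s = f" MUST ( {' $ '.join(must)} )" if must else ""
    may_s = f" MAY ( {' $ '.join(may)} )" if may else ""
    return (f"( {ACME_OID_ARC}.2.{n} NAME '{name}' DESC '{desc}' SUP {sup} "
            f"{kind}{must_s}{may_s} X-ORIGIN 'ACME' )")


def check_namespace(names, prefix=PREFIX, reserved=RESERVED_NAMES):
    """Return problems: names without the company prefix, or names that collide
    with schema already present in the directory."""
    problems = []
    reserved_low = {r.lower() for r in reserved}
    for name in names:
        low = name.lower()
        if not low.startswith(prefix.lower()):
            problems.append(f"{name}: lacks the '{prefix}' prefix")
        if low in reserved_low:
            problems.append(f"{name}: clashes with existing schema")
    return problems


def required_attribute_warnings(class_specs):
    """Flag classes carrying MUST attributes: once such a class is attached to
    users or groups, the Web UI cannot create those entries any more because it
    does not know how to supply the required values (CLI + --setattr only)."""
    return [f"{name}: MUST ( {', '.join(must)} ) will break Web UI creation"
            for name, must in class_specs if must]


def schema_ldif(attribute_defs, class_defs):
    """LDIF that adds the definitions to cn=schema through ldapmodify."""
    lines = ["dn: cn=schema", "changetype: modify"]
    for d in attribute_defs:
        lines += ["add: attributeTypes", f"attributeTypes: {d}", "-"]
    for d in class_defs:
        lines += ["add: objectClasses", f"objectClasses: {d}", "-"]
    return "\n".join(lines) + "\n"


def container_ldif(suffix, name="ACME"):
    """A separate container for custom entries, as the thread recommends."""
    return (f"dn: cn={name},{suffix}\nobjectClass: top\nobjectClass: nsContainer\n"
            f"cn: {name}\n")


def setattr_command(user, objectclass, attr, value):
    """CLI form for a value the Web UI cannot edit: attach the auxiliary class
    (--addattr is an assumption here) and set the attribute with --setattr."""
    return ["ipa", "user-mod", user,
            f"--addattr=objectclass={objectclass}", f"--setattr={attr}={value}"]


# Hypothetical attributes and class for carrying Solaris-style RBAC data on users.
ATTRS = [("acmeProfile", "RBAC profile name", False),
         ("acmeAuthorization", "RBAC authorization string", False)]
CLASSES = [("acmeRbacUser", "User carrying ACME RBAC data", "top",
            [], ["acmeProfile", "acmeAuthorization"])]


def build():
    """Run the checks and return (problems, schema LDIF) for ATTRS/CLASSES."""
    names = [a[0] for a in ATTRS] + [c[0] for c in CLASSES]
    problems = check_namespace(names) + required_attribute_warnings(
        [(c[0], c[3]) for c in CLASSES])
    attr_defs = [attribute_type(i + 1, *a) for i, a in enumerate(ATTRS)]
    class_defs = [object_class(i + 1, n, d, sup, must, may)
                  for i, (n, d, sup, must, may) in enumerate(CLASSES)]
    return problems, schema_ldif(attr_defs, class_defs)


if __name__ == "__main__":
    problems, ldif = build()
    print("\n".join(problems) or "schema names look safe")
    print(ldif)
    print(container_ldif("dc=example,dc=com"))
    print(" ".join(setattr_command("siggi", "acmeRbacUser", "acmeProfile", "Basic Solaris User")))
```

The class in the sample deliberately uses only MAY attributes, so required_attribute_warnings() returns nothing; change one of them to MUST and the checker reports the Web UI problem Jenny describes. The generated LDIF is fed to ldapmodify against the directory as Directory Manager; the container LDIF is added the same way, and the ipa user-mod line is what you would type to populate the new attribute on an existing user.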

