[Freeipa-users] whats the recommended way to change OU structures in IPA?

Dale Macartney dale at themacartneyclan.com
Mon Aug 6 16:49:34 UTC 2012



On 06/08/12 16:22, John Dennis wrote:
> On 08/06/2012 11:07 AM, Dale Macartney wrote:
>> Although I can use any ldapmodify capable tool to do this, I was
>> wondering what the "recommended" way that we should be telling customers
>> who want to change OU trees?
>>
>> e.g., say in a high school using IPA, they wished to create a parent OU
>> called cn=school accounts,dc=example,dc=com and inside that OU there are
>> two more OU's. One for staff and one for students?
>>
>> Presumably this is not possible through the webUI.
>>
>> Also what are the implications if I move a user that was created with
>> "ipa user-add" into a non-default OU? Will it break anything? What's the
>> best way to move an existing user into one of the above OU's?
>
> IPA only supports flat name spaces, you cannot partition the default
> containers. This was an early IPA design decision.
>
> If you use ldapmodify to move entries it will break your IPA installation.
Oh that sounds fun ;-)
>
> You can however assign users, hosts, etc. to groups. Then use group
> membership to control how a particular group of users behaves. It's easy
> to automate group membership via automember.
I agree with using Groups instead of OU's for application roles to
be honest. I find it much neater. I was curious for certain software
that does not make it very easy to use groups instead of OU's.
Thanks for giving me more firepower when asking them to raise an RFE ;-).



