[Freeipa-users] compat plug-in and replication

Stephen Ingram sbingram at gmail.com
Fri Mar 16 20:06:36 UTC 2012


On Fri, Mar 16, 2012 at 12:33 PM, JR Aquino <JR.Aquino at citrix.com> wrote:
> On Mar 16, 2012, at 11:54 AM, Stephen Ingram wrote:
>
>> I've seen mention about the compat plug-in causing issues with
>> replication. In my 2.1.4 installation I notice that the plug-in is
>> turned on by default. Is compat only required for those supporting NIS
>> or does it serve another purpose? As I don't use NIS, I'm just
>> wondering if it's safe to turn off.
>
> To complement what Rob mentioned...
>
> Compat is also generally necessary for any user who wishes to utilize Sudo with FreeIPA.
>
> Sudo does not natively understand what a 'hostgroup' is, so it can only utilize NIS netgroups for this.  Care was taken when designing the FreeIPA hostgroup and NIS compatibility system such that any hostgroup that is created has a mirrored (and semi-hidden) NIS netgroup created.
>
> This way when you build Sudo rules and reference 'hostgroups', transparently, it is really referencing NIS netgroups stored inside of LDAP and provided by the compat / NIS plugins.
>
> Hope this helps clear some stuff up about why one would want compat and NIS turned on in FreeIPA.

Glad you mentioned this. I would have turned it off just to save
space, but I do need sudo. This makes more sense as to why it's enabled
by default. Very clever design too to hide the complexity from the
user.

Steve
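
The hostgroup-to-netgroup dependency described in this thread, as an added example that is not part of the original messages or FreeIPA's code: a minimal evaluator showing why a sudo rule that names a hostgroup stops matching once the mirrored netgroup is no longer published. The entries are constructed sample data; attribute names follow the RFC 2307 netgroup schema and the sudoers LDAP schema, and only `ALL`, `+netgroup` and literal host names are handled.

```python
import re

# Constructed sample data, shaped like RFC 2307 netgroup entries and a
# sudoers-schema rule; all names and hosts are hypothetical.
NETGROUPS = {
    "webservers": {"nisNetgroupTriple": ["(web1.example.com,-,example.com)",
                                         "(web2.example.com,-,example.com)"]},
    "production": {"nisNetgroupTriple": ["(db1.example.com,-,example.com)"],
                   "memberNisNetgroup": ["webservers"]},
}
SUDO_RULE = {"cn": "restart-httpd", "sudoUser": ["%webadmins"],
             "sudoHost": ["+webservers"],
             "sudoCommand": ["/sbin/service httpd restart"]}

TRIPLE = re.compile(r"^\(([^,()]*),([^,()]*),([^,()]*)\)$")


def host_in_netgroup(host, name, groups, _seen=None):
    """True if host is a member of netgroup `name`, following nested groups."""
    seen = set() if _seen is None else _seen
    if name in seen or name not in groups:
        return False          # cycle guard, or netgroup not published
    seen.add(name)
    entry = groups[name]
    for triple in entry.get("nisNetgroupTriple", []):
        m = TRIPLE.match(triple.strip())
        if not m:
            continue          # malformed triple: ignore rather than match
        field = m.group(1).strip()
        # An empty host field is a wildcard; "-" means "no valid host".
        if field == "" or field.lower() == host.lower():
            return True
    return any(host_in_netgroup(host, sub, groups, seen)
               for sub in entry.get("memberNisNetgroup", []))


def rule_applies(rule, host, groups):
    """Evaluate sudoHost for ALL, +netgroup and literal host names only."""
    for value in rule.get("sudoHost", []):
        if value == "ALL":
            return True
        if value.startswith("+"):
            if host_in_netgroup(host, value[1:], groups):
                return True
        elif value.lower() == host.lower():
            return True
    return False


if __name__ == "__main__":
    print(rule_applies(SUDO_RULE, "web1.example.com", NETGROUPS))  # netgroup published
    print(rule_applies(SUDO_RULE, "web1.example.com", {}))         # netgroup missing
```
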



