[Freeipa-users] free-ipa 389 own schema, cos, static and dynamic groups

Alexander Bokovoy abokovoy at redhat.com
Tue Oct 25 14:14:57 UTC 2016

On Tue, 25 Oct 2016, Frank Munsche wrote:
>Hi guys,
>we are currently evaluating free-ipa. We've used the sun one ds, sun /
>oracle dsee and 389 so far. All of those are easy to customize
>with respect to the schema, class of service, dynamic groups,...
>Unfortunately most applications like jenkins, jira, confluence, gitblit,
>bitbucket, nexus and others don't have a native interface to
>authenticate against free-ipa. But most of them can do ldap(s) / tls
>and can connect to any ldap server with a proxy user configured. This
>way and by using class of service and dynamic groups, we were able to
>tie them to the directory and use it for authentication and sometimes
>authorization as well.
Have you checked http://www.freeipa.org/page/HowTos ?

>As I've seen so far, the 389 as part of free-ipa is tightly coupled to
>the rest of the components and its schema and dit are structured to
>fit the needs of ipa.
>Some questions that come into my mind:
>Would it be possible to extend the schema and configure the 389 ds for
>my own needs?
Everything is possible but you'll be responsible for whatever would be

>Could the dit be restructured to match the logic of our
Most likely no. The flat DIT assumptions and naming of subtrees are
encoded in FreeIPA framework.

>I remember the sun idm server which was a pretty complex product but
>gave the user lots of possible customizations of the web ui and
>included workflows. Is that possible with ipa also?
Read existing documentation.
and overall links under http://www.freeipa.org/page/Documentation

/ Alexander Bokovoy

