[Freeipa-users] support for rfc2307AIX schema in IPA server

Michael Ströder michael at stroeder.com
Wed Feb 22 20:02:42 UTC 2017


Iulian Roman wrote:
> On Wed, Feb 22, 2017 at 6:03 PM, Michael Ströder <michael at stroeder.com> wrote:
> 
>     Iulian Roman wrote:
>     > On Tue, Feb 21, 2017 at 4:31 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>     >
>     >     Iulian Roman wrote:
>     >     > Does anybody know if the rfc2307aix schema is supported in IPA server
>     >
>     >     No, it isn't supported (it's the first I've ever heard of it). Looking
>     >     at the schema I doubt it is something that would ever be fully supported.
>     >
>     > is there any possibility to extend the existing schema with additional
>     > attributes/object
> 
>     Do you really use this specific AIX schema?
>     If yes, which attributes for which purpose?
> 
> I do need the aixAuxAccount and aixAuxGroup object classes. They implement some
> password restrictions needed for security/compliance

Password policy is something best enforced centrally in the authentication server and
password management system. So IMHO this serves as a perfect example of proprietary
attributes you won't need.

How is authentication done? SSH keys, Kerberos, LDAP simple bind?

> + some other security related attributes.
> Personally I do not consider them a must - they are rather some nice-to-have features -
> but I have to migrate an environment which does use them. And I would like as well to
> make the migration as transparent as possible (therefore without "missing features").

Is the existing environment also an LDAP server with this particular AIX schema?
Or are you trying to follow a migration path to LDAP suggested by IBM docs?

Being in your position I'd first compile a list of functional and security requirements
and then ask whether these requirements can be implemented with FreeIPA. I'm curious to
learn whether "some other security related attributes" are still needed after all.

Ciao, Michael.
