On Wed, Jul 22, 2009 at 04:44:49PM -0400, Dmitri Pal wrote:
> 
> > Looking at freeipa-1.2.1/ipa-server/ipa-slapi-plugins/, there are 4 plugins:
> >
> >  * dna: Distributed Numeric Assignment plug-in
> >
> > I don't know of an openldap plugin providing the same functionality.
> >
> > However one solution could be to use the uniq overlay to make sure the
> > uids are unique:
> >
> >       The Attribute Uniqueness overlay can be used with a backend database
> >       such as slapd-bdb(5) to enforce the uniqueness of some or all
> >       attributes within a scope. This subtree defaults to all objects within
> >       the subtree of the database for which the Uniqueness overlay is
> >       configured.
> >
> >       For example, if uniqueness were enforced
> >       for the uid attribute, the subtree would be searched for any other
> >       records which also have a uid attribute containing the same value. If
> >       any are found, the request is rejected.
> >
> > That would also require some modification in the administration tools
> > by pushing the logic to generate a new user id from the slapd server
> > to the administration tools. The code responsible for creating a new
> > user should take into account the possibility that the ldap add
> > operation might fail because of an existing uid and update the uid
> > accordingly before retrying.
> >
> >   
> You need to take replication into account. The DNA plugin guarantees
> uniqueness across the whole deployment, not just one server.
> AFAIK the replication in OpenLDAP is done differently and the DNA plugin
> does the range negotiation between replicas as a part of the replication
> protocol.
>  

Right. One proposal is to have a MirrorMode configuration [1] with the
chain overlay configured on all slaves. That way all writes are
eventually done on one server where the uniqueness of the uid value is
asserted.

[1]: http://www.openldap.org/doc/admin24/replication.html#MirrorMode%20replication

-- 
Mathias Gug
Ubuntu Developer  http://www.ubuntu.com
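
An added example, not part of the original message and not FreeIPA or OpenLDAP code, of the retry logic discussed in the thread: the administration tool proposes an id, and when the one server that receives every write rejects it as a duplicate, the tool moves to the next candidate. `SingleWriter`, `add_user`, the DNs and the starting value 1000 are hypothetical; the in-memory class only stands in for a server enforcing uniqueness and models the rejection as LDAP result code 19 (constraintViolation).

```python
import threading

class ConstraintViolation(Exception):
    """Stand-in for LDAP result code 19 (constraintViolation)."""

class SingleWriter:
    """Toy model of the one server that receives every write and
    enforces attribute uniqueness; not a real LDAP client or server."""
    def __init__(self, attr="uid"):
        self.attr = attr
        self.entries = {}          # dn -> attribute dict
        self._lock = threading.Lock()

    def add(self, dn, attrs):
        with self._lock:           # check and insert are one atomic step
            value = attrs[self.attr]
            if any(e[self.attr] == value for e in self.entries.values()):
                raise ConstraintViolation(f"{self.attr}={value} not unique")
            self.entries[dn] = dict(attrs)

def add_user(server, cn, first_candidate, max_attempts=20):
    """Try candidate ids in order; on a uniqueness rejection move to the
    next one and retry. Returns the id that was accepted."""
    for candidate in range(first_candidate, first_candidate + max_attempts):
        try:
            server.add(f"cn={cn},ou=people,dc=example,dc=com",
                       {"cn": cn, server.attr: str(candidate)})
            return candidate
        except ConstraintViolation:
            continue               # id taken, possibly by a concurrent tool
    raise RuntimeError(f"no free id after {max_attempts} attempts")

def demo():
    server = SingleWriter()
    results = {}
    # Constructed scenario: three admin tools all start from the same guess.
    workers = [threading.Thread(target=lambda n=n: results.__setitem__(
                   n, add_user(server, n, 1000)))
               for n in ("alice", "bob", "carol")]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    return server, results
```

The guarantee holds only because the check and the insert happen on a single server; two servers each running this check locally could both accept the same value before replication catches up.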
