On Wed, Jul 22, 2009 at 04:44:49PM -0400, Dmitri Pal wrote:
> > > Looking at freeipa-1.2.1/ipa-server/ipa-slapi-plugins/, there are 4 plugins:
> >
> > * dna: Distributed Numeric Assignment plug-in
> >
> > I don't know of an openldap plugin providing the same functionality.
> >
> > However one solution could be to use the uniq overlay to make sure the
> > uids are unique:
> >
> >     The Attribute Uniqueness overlay can be used with a backend database
> >     such as slapd-bdb(5) to enforce the uniqueness of some or all
> >     attributes within a scope. This subtree defaults to all objects within
> >     the subtree of the database for which the Uniqueness overlay is
> >     configured.
> >
> >     For example, if uniqueness were enforced for the uid attribute, the
> >     subtree would be searched for any other records which also have a uid
> >     attribute containing the same value. If any are found, the request is
> >     rejected.
> >
> > That would also require some modification in the administration tools
> > by pushing the logic to generate a new user id from the slapd server
> > to the administration tools. The code responsible for creating a new
> > user should take into account the possibility that the ldap add
> > operation might fail because of an existing uid and update the uid
> > accordingly before retrying.
> >
>
> You need to take replication into account. The DNA plugin guarantees
> uniqueness across the whole deployment, not just one server.
> AFAIK the replication in OpenLDAP is done differently and the DNA plugin
> does the range negotiation between replicas as a part of the replication
> protocol.
>

Right. One proposal is to have a MirrorMode configuration [1] with the
chain overlay configured on all slaves. That way all writes are eventually
done on one server where the uniqueness of the uid value is asserted.

[1]: http://www.openldap.org/doc/admin24/replication.html#MirrorMode%20replication

-- 
Mathias Gug
Ubuntu Developer http://www.ubuntu.com

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
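
An added example (not code from this thread, FreeIPA or OpenLDAP) modelling the two points discussed above: a uniqueness check that only sees one server's data lets two servers accept the same value, while forwarding every write to one server turns the collision into a rejected add that the administration tool retries. `Server`, `replicate` and `create_user` are hypothetical names, the in-memory servers are a constructed stand-in for slapd instances, and the unique value is assumed to be numeric.

```python
class UidExists(Exception):
    """Stand-in for the error returned when the uniqueness check rejects an add."""

class Server:
    """Constructed model of one directory server enforcing uid uniqueness locally."""
    def __init__(self, chain_to=None):
        self.entries = {}          # unique value -> DN, as seen by this server
        self.chain_to = chain_to   # if set, writes are forwarded to that server

    def add(self, dn, uid):
        if self.chain_to is not None:
            return self.chain_to.add(dn, uid)   # models the chain overlay
        if uid in self.entries:                 # check covers local data only
            raise UidExists(uid)
        self.entries[uid] = dn

def replicate(a, b):
    """Merge both servers' entries; return values that were given to two DNs."""
    shared = a.entries.keys() & b.entries.keys()
    conflicts = sorted(u for u in shared if a.entries[u] != b.entries[u])
    merged = {**b.entries, **a.entries}
    a.entries, b.entries = dict(merged), dict(merged)
    return conflicts

def create_user(server, name, candidate, max_attempts=5):
    """Administration-tool side: on rejection, move to the next value and retry."""
    dn = f"cn={name},ou=People,dc=example,dc=com"   # constructed sample DN
    for _ in range(max_attempts):
        try:
            server.add(dn, candidate)
            return candidate
        except UidExists:
            candidate += 1
    raise RuntimeError(f"no free uid for {name} after {max_attempts} attempts")

def independent_writes():
    """Two servers accept writes on their own: the duplicate shows up after sync."""
    a, b = Server(), Server()
    create_user(a, "alice", 1001)
    create_user(b, "bob", 1001)
    return replicate(a, b)

def chained_writes():
    """All writes land on one server: the second add is rejected and retried."""
    master = Server()
    slave = Server(chain_to=master)
    return create_user(master, "alice", 1001), create_user(slave, "bob", 1001)
```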