Simo Sorce wrote:
On Thu, 2009-11-12 at 10:37 -0500, Dmitri Pal wrote:
So killing two birds with one stone we are thinking of introducing a new attribute called posixName that has a case-sensitive syntax and does not conflict with other uses of uid and cn. We will probably still set uid on users and cn on groups but they will be kept in sync with posixName (except for cn on user accounts that holds the full name).

So posixName will be a part of the user account object and group object, right?
Can you please add more details here?

Correct,
we would switch to primarily use posixName for users and groups names.

A group entry would probably look like this (from memory):

cn=newgroup,cn=groups,cn=accounts,dc=example,dc=com
objectclass: nestedgroup
objectclass: posixGroup
objectclass: ipaPosixName
cn: newgroup
posixName: newgroup
member: ...
member: ...


When searching for this group we would use a query like:
'(&(objectClass=posixGroup)(posixName=newgroup))'

Same for users.

Simo.



FYI, here is the new schema I've come up with:

dn: cn=schema
attributeTypes: ( 2.16.840.1.113730.3.8.3.54 NAME 'posixName' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE)
objectClasses: ( 2.16.840.1.113730.3.8.3.55 NAME 'ipaPosixName' DESC 'Case-sensitive name common to users and groups' AUXILIARY MUST ( posixName ) X-ORIGIN 'IPA v2' )

It also occurs to me that we'll need to prevent any modifications to the posixName attribute unless the cn/uid is also being modified. In other words, sync needs to be 2-way.

rob

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
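As an added illustration of the two points above (Simo's posixName search filter and Rob's requirement that posixName and uid/cn only change together), here is a small in-memory model. It is not FreeIPA code: uid and cn are matched with caseIgnoreMatch, posixName with caseExactMatch as in the quoted schema, and `check_modify` implements the 2-way sync rule as a pre-modify check. The user entry, the `SYNCED_NAME_ATTR` table and all helper names are constructed for the example; only the group entry is taken from Simo's message.

```python
"""Model of the posixName proposal: case-insensitive uid/cn beside a
case-exact posixName, plus a pre-modify check keeping them in sync.
Not FreeIPA code; entry values and helper names are constructed here."""

# Attribute kept in sync with posixName, per object class: uid for users,
# cn for groups (cn on a user entry holds the full name and is not synced).
SYNCED_NAME_ATTR = {"posixaccount": "uid", "posixgroup": "cn"}

CASE_EXACT = {"posixname"}   # EQUALITY caseExactMatch in the quoted schema
# every other attribute used here (uid, cn, objectClass) is caseIgnoreMatch


def _values(entry, attr):
    """Attribute lookup; LDAP attribute names are themselves case-insensitive."""
    for key, vals in entry.items():
        if key.lower() == attr.lower():
            return vals
    return []


def equality_matches(entry, attr, assertion):
    """Evaluate (attr=assertion) the way the attribute's matching rule would."""
    vals = _values(entry, attr)
    if attr.lower() in CASE_EXACT:
        return assertion in vals
    return assertion.lower() in (v.lower() for v in vals)


def search(entries, objectclass, attr, value):
    """(&(objectClass=<objectclass>)(<attr>=<value>)) over an in-memory list."""
    return [e for e in entries
            if equality_matches(e, "objectClass", objectclass)
            and equality_matches(e, attr, value)]


def check_modify(entry, changes):
    """Validate a replace-style change set {attribute: new_value}.

    Returns (accepted, reason). The rule is symmetric: a change to posixName
    must be accompanied by the same change to uid (users) or cn (groups), and
    vice versa, so the two values never diverge, case included.
    """
    synced = None
    for oc in _values(entry, "objectClass"):
        synced = SYNCED_NAME_ATTR.get(oc.lower(), synced)
    if synced is None:
        return True, "not a POSIX entry; rule does not apply"

    posix_changed = "posixName" in changes
    name_changed = synced in changes
    if posix_changed != name_changed:
        changed = "posixName" if posix_changed else synced
        missing = synced if posix_changed else "posixName"
        return False, f"{changed} changed without {missing}"
    if not posix_changed:
        return True, "neither name attribute touched"
    if changes["posixName"] != changes[synced]:
        return False, f"posixName {changes['posixName']!r} != {synced} {changes[synced]!r}"
    return True, "ok"


DIRECTORY = [
    {   # the group entry from Simo's message
        "dn": "cn=newgroup,cn=groups,cn=accounts,dc=example,dc=com",
        "objectClass": ["nestedgroup", "posixGroup", "ipaPosixName"],
        "cn": ["newgroup"], "posixName": ["newgroup"],
        "member": ["uid=Alice,cn=users,cn=accounts,dc=example,dc=com"],
    },
    {   # a constructed user entry: cn carries the full name, uid the login
        "dn": "uid=Alice,cn=users,cn=accounts,dc=example,dc=com",
        "objectClass": ["posixAccount", "ipaPosixName"],
        "uid": ["Alice"], "cn": ["Alice Example"], "posixName": ["Alice"],
    },
]


def find_group(name):
    """Simo's filter: '(&(objectClass=posixGroup)(posixName=<name>))'."""
    return search(DIRECTORY, "posixGroup", "posixName", name)


def find_user(name):
    """Same shape for users."""
    return search(DIRECTORY, "posixAccount", "posixName", name)


if __name__ == "__main__":
    print("posixName=newgroup ->", [e["dn"] for e in find_group("newgroup")])
    print("posixName=NewGroup ->", [e["dn"] for e in find_group("NewGroup")])
    print("cn=NewGroup        ->", [e["dn"] for e in search(DIRECTORY, "posixGroup", "cn", "NewGroup")])
    print(check_modify(DIRECTORY[1], {"posixName": "alice"}))
    print(check_modify(DIRECTORY[1], {"posixName": "alice", "uid": "alice"}))
```

The contrast to notice is the second and third searches: `cn=NewGroup` still finds the group because cn is matched case-insensitively, while `posixName=NewGroup` does not, which is exactly the distinction the new attribute is meant to carry. `check_modify` is one place the 2-way sync could live; in a real deployment it would sit in a server-side pre-operation plugin rather than in client code.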
