Simo Sorce wrote:
> On Thu, 2009-11-12 at 10:37 -0500, Dmitri Pal wrote:
>>> So killing two birds with one stone we are thinking of introducing a
>>> new attribute called posixName that has a case sensitive syntax and does
>>> not conflict with other uses of uid and cn. We will probably still set
>>> uid on users and cn on groups but they will be kept in sync with
>>> posixName (except for cn on user accounts that holds the full name).
>>
>> So posixName will be a part of the user account object and group object,
>> right? Can you please add more details here?
>
> Correct, we would switch to primarily use posixName for users and groups
> names.
>
> A group entry would probably look like this (from memory):
>
> cn=newgroup,cn=groups,cn=accounts,dc=example,dc=com
> objectclass: nestedgroup
> objectclass: posixGroup
> objectclass: ipaPosixName
> cn: newgroup
> posixName: newgroup
> member: ...
> member: ...
>
> When searching for this group we would use a query like:
> '(&(objectClass=posixGroup)(posixName=newgroup))'
>
> Same for users.
>
> Simo.

FYI, here is the new schema I've come up with:

dn: cn=schema
attributeTypes: ( 2.16.840.1.1137188.8.131.52.54 NAME 'posixName' EQUALITY caseExactMatch SYNTAX 184.108.40.206.4.1.14220.127.116.11.15 SINGLE-VALUE)
objectClasses: ( 2.16.840.1.113718.104.22.168.55 NAME 'ipaPosixName' DESC 'Case-sensitive name common to users and groups' AUXILIARY MUST ( posixName ) X-ORIGIN 'IPA v2' )

It also occurs to me that we'll need to prevent any modifications to the posixName attribute unless the cn/uid is also being modified. In other words, sync needs to be 2-way.

_______________________________________________
Freeipa-devel mailing list
Freeipaemail@example.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
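
The two-way sync rule and the posixName lookup discussed in the thread above, sketched as an added example; it is not part of the original messages and is not FreeIPA code. The dict-based entry model, the (op, attr, values) modification tuples, the function names, and the rule that the synced attribute holds exactly the single posixName value are assumptions made for illustration.

```python
# Added illustration, not FreeIPA code. Entries are plain dicts keyed by
# canonical attribute name; mods are (op, attr, values) tuples (assumed model).
import copy

# Attribute that must mirror posixName: uid on users, cn on groups.
# cn on user accounts holds the full name, so it is not checked.
SYNC_ATTR = {"posixaccount": "uid", "posixgroup": "cn"}

# Constructed sample: the group entry sketched in the thread.
GROUP = {"objectClass": ["nestedgroup", "posixGroup", "ipaPosixName"],
         "cn": ["newgroup"], "posixName": ["newgroup"]}


def posix_filter(objectclass, name):
    """Build the lookup filter from the thread, escaping name per RFC 4515."""
    safe = "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in name)
    return "(&(objectClass=%s)(posixName=%s))" % (objectclass, safe)


def apply_mods(entry, mods):
    """Return a copy of entry with the modifications applied."""
    after = copy.deepcopy(entry)
    for op, attr, values in mods:
        if op == "replace":
            after[attr] = list(values)
        elif op == "add":
            after.setdefault(attr, []).extend(values)
        elif op == "delete":  # empty values means "delete every value"
            after[attr] = [v for v in after.get(attr, [])
                           if values and v not in values]
        else:
            raise ValueError("unknown modification type: %r" % (op,))
    return after


def sync_violations(entry, mods):
    """Return the reasons the modified entry would break name sync."""
    after = apply_mods(entry, mods)
    classes = {oc.lower() for oc in after.get("objectClass", [])}
    posix = after.get("posixName", [])
    problems = []
    if "ipaposixname" in classes and len(posix) != 1:
        problems.append("posixName must have exactly one value")
    for oc, attr in SYNC_ATTR.items():
        # Python == is case-sensitive, like caseExactMatch on posixName.
        if oc in classes and after.get(attr, []) != posix:
            problems.append("%s %r is out of sync with posixName %r"
                            % (attr, after.get(attr, []), posix))
    return problems
```

Because cn and uid normally compare case-insensitively while posixName is case-exact, a change of cn to "NewGroup" alone counts as a violation here even though a directory server would treat the two cn values as equal.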