On Thu, 2011-09-22 at 21:55 -0400, Dmitri Pal wrote: > I do not think we want to deal with multiple subtrees of users in the > same IPA instance. We already decided against it in the past when we > flattened the tree. At least I am not convinced that this is actually > needed. I am actually aware of one more use case why people do > different > subtrees for users. It is because they have duplication of the > uid/gid. > Though it is bad it is a reality that people deal with. And they deal > with it by having subtrees in DS. But it will not help in our case as > IPA is built with the notion of the unified uid/gid namespace. The > only > thing will help in both cases is different IPA domains with trust > relations so I suggest we focus on that part rather than support of > multiple subtrees for users. If IPA trusts still do not work for the > user may be staying with a free from DS server is a better choice.
I think we can have overrides for users too, but like for group I am absolutely against them being "normal" objects. Overrides should be clearly identifiable as such and should generally not be usable as regular users/groups in software that is not explicitly built to understand them, otherwise chaos will ensue. Simo. -- Simo Sorce * Red Hat, Inc * New York _______________________________________________ Freeipa-devel mailing list Freeipaemail@example.com https://www.redhat.com/mailman/listinfo/freeipa-devel