On Fri, 2011-09-30 at 16:15 -0400, Simo Sorce wrote:
> On Fri, 2011-09-30 at 16:02 -0400, Stephen Gallagher wrote:
> > On Thu, 2011-09-29 at 15:20 +0200, Martin Kosek wrote:
> > > How to test:
> > > 1) Add a new naming context (suffix) to your LDAP database with installed
> > > IPA (see attached LDIF). The server should return the new suffix as the
> > > first one. Change its base DN if it does not.
> > > 2) Install the IPA client against the server. ipa-client-install should detect the
> > > LDAP server as the IPA one only if the patch is applied on the client.
> > >
> > > ---
> > >
> > > When the LDAP server contains more than one suffix, the ipa client
> > > installation does not detect it as an IPA server and fails to install.
> > > Fix ipa server discovery so that it correctly searches all naming
> > > contexts for the IPA one.
> > >
> > > https://fedorahosted.org/freeipa/ticket/1868
> > >
> > Tangentially related, it would be prudent for FreeIPA server
> > installations to set not only namingContexts but also the
> > defaultNamingContext. This way, clients autodetecting the ldap search
> > base from the RootDSE will have an unambiguous way to do so (in the
> > event that multiple namingContexts have been added).
>
> Please CC yourself here to be notified when this will be available in
> DS: https://bugzilla.redhat.com/show_bug.cgi?id=742317
I'd like to add some more information on this (which I also just opened as an upstream ticket: https://fedorahosted.org/freeipa/ticket/1919).

Right now, FreeIPA is set up with a single namingContexts value, which is the 'dc=example,dc=com' root of the LDAP tree. The problem is that this search domain encompasses both the standard cn=accounts and the cn=compat trees. This means that SSSD, if set up as an RFC2307bis client instead of via a full ipa-client-install (which explicitly sets the search base to cn=accounts), cannot safely auto-detect the search base to use.

I think that FreeIPA should ship with the following settings in the RootDSE:

defaultNamingContext: cn=accounts,dc=example,dc=com
namingContexts: dc=example,dc=com
namingContexts: cn=accounts,dc=example,dc=com

and if compat mode is also enabled:

namingContexts: cn=compat,dc=example,dc=com

This will allow us to auto-detect in a sane way, as well as allowing us to easily communicate to clients that compat mode is or is not enabled.
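The discovery logic the thread argues for, as an added illustration that is not FreeIPA or SSSD code: a client reads defaultNamingContext and namingContexts from the RootDSE, prefers the default, and otherwise probes every suffix rather than only the first. The RootDSE attribute dicts and the `is_ipa_suffix` probe (standing in for the LDAP search the real installer runs under each suffix) are constructed here.

```python
# Added example, not FreeIPA's own code. Models RootDSE attributes as a
# dict of attribute name -> list of values, the way an LDAP client sees them.
from typing import Callable, Dict, List, Optional

RootDSE = Dict[str, List[str]]


def candidate_bases(rootdse: RootDSE) -> List[str]:
    """Order suffixes to try: defaultNamingContext first (unambiguous when
    the server sets it), then the remaining namingContexts in server order,
    with duplicates removed (DN comparison is case-insensitive)."""
    ordered, seen = [], set()
    for dn in rootdse.get("defaultNamingContext", []) + rootdse.get("namingContexts", []):
        if dn.lower() not in seen:
            seen.add(dn.lower())
            ordered.append(dn)
    return ordered


def discover_ipa_base(rootdse: RootDSE,
                      is_ipa_suffix: Callable[[str], bool],
                      search_all: bool = True) -> Optional[str]:
    """Return the first suffix the probe confirms as IPA, or None.
    search_all=False reproduces the pre-fix behaviour from ticket 1868:
    only the first namingContexts value is ever examined."""
    bases = candidate_bases(rootdse) if search_all else rootdse.get("namingContexts", [])[:1]
    for base in bases:
        if is_ipa_suffix(base):
            return base
    return None


# Constructed RootDSE matching the test recipe: a foreign suffix is listed first.
ROOTDSE_EXTRA_SUFFIX: RootDSE = {
    "namingContexts": ["dc=other,dc=test", "dc=example,dc=com"],
}
# Constructed RootDSE with the settings proposed in the reply above.
ROOTDSE_PROPOSED: RootDSE = {
    "defaultNamingContext": ["cn=accounts,dc=example,dc=com"],
    "namingContexts": ["dc=example,dc=com", "cn=accounts,dc=example,dc=com",
                       "cn=compat,dc=example,dc=com"],
}


def fake_probe(base: str) -> bool:
    """Stand-in for the per-suffix LDAP search: only the IPA tree answers."""
    return base.lower().endswith("dc=example,dc=com")
```

With the extra suffix listed first, `discover_ipa_base(..., search_all=False)` returns None (the reported failure), while the default searches every context and finds `dc=example,dc=com`; for the proposed RootDSE, `candidate_bases` puts `cn=accounts,dc=example,dc=com` first.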
