On Tue, 2011-10-04 at 08:03 -0400, Stephen Gallagher wrote:
> On Fri, 2011-09-30 at 16:15 -0400, Simo Sorce wrote:
> > On Fri, 2011-09-30 at 16:02 -0400, Stephen Gallagher wrote:
> > > On Thu, 2011-09-29 at 15:20 +0200, Martin Kosek wrote:
> > > > How to test:
> > > > 1) Add new naming context (suffix) to your LDAP database with installed
> > > > IPA (see attached LDIF). The server should return the new suffix as the
> > > > first one. You can change with its base DN if it does not.
> > > > 2) Install IPA client against the server. ipa-client-install should the
> > > > LDAP server as the IPA one only if the patch is applied on the client
> > > >
> > > > ---
> > > >
> > > > When LDAP server contains more that one suffixes, the ipa client
> > > > installation does not detect it as IPA server and fails to install.
> > > > Fix ipa server discovery so that it correctly searches all naming
> > > > contexts for the IPA one.
> > > >
> > > > https://fedorahosted.org/freeipa/ticket/1868
> > >
> > >
> > > Tangentially related, it would be prudent for FreeIPA server
> > > installations to set not only namingContexts but also the
> > > defaultNamingContext. This way, clients autodetecting the ldap search
> > > base from the RootDSE will have an unambiguous way to do so (in the
> > > event that multiple namingContexts have been added)
> > Please CC yourself here to be notified when this will be available in
> > DS: https://bugzilla.redhat.com/show_bug.cgi?id=742317
> I'd like to add some more information on this (which I also just opened
> as upstream ticket https://fedorahosted.org/freeipa/ticket/1919).
> Right now, FreeIPA is set up with a single namingContexts, which is the
> 'dc=example,dc=com' root of the LDAP tree. The problem is that this
> search domain encompasses both the standard cn=accounts and the
> cn=compat trees. This means that SSSD, if set up as an RFC2307bis client
> instead of a full ipa-client-install (which explicitly sets the search
> base to cn=accounts) cannot safely auto-detect the search base to use.
> I think that FreeIPA should ship with the following settings in the
> defaultNamingContext: cn=accounts,dc=example,dc=com
> namingContexts: dc=example,dc=com
> namingContexts: cn=accounts,dc=example,dc=com
> and if compat mode is also enabled:
> namingContexts: cn=compat,dc=example,dc=com
> This will allow us to auto-detect in a sane way, as well as allowing us
> to easily communicate to clients that compat mode is or is not enabled.
The best way out here is to move cn=compat into it's base imho.
We've had other issues in the past so I think we should really move
cn=compat to it's own base called just 'cn=compat'.
We should expose it as a namingContext of course so we should wait until
DS implements the option to have defaultNamingContext.
So we can point defaultNamingContext to the regualr base DN.
We probably also need to make this configurable at this point as we need
to not break existing setups at upgrade time (replicas need the info too
at replication time, so this option should be something we have in the
replicated tree imho).
Simo Sorce * Red Hat, Inc * New York
Freeipa-devel mailing list