On Tue, 2011-11-01 at 12:40 -0400, Richard Megginson wrote:
> ----- Original Message -----
> > We had a brief discussion on unifying the PKI and IPA Directory
> > Server instances. Here are my notes from it. Please fill out the
> > details and correct me if I've mis-stated anything below.
> > 
> > Issues:
> > 
> Do IPA and PKI use different suffixes?

Currently not as we use completely separate instances, but we will be
able to use different suffixes for some stuff.

> > 
> > 1. Both make changes to Config. One identified conflict is the
> >    configuration of the Uniqueness plugin.
> It may be easy to enhance this plugin and other plugins to allow different 
> configuration per subtree.

If we confirm this conflict, this will become a requirement before we can

> > 2. PKI uses Directory Manager. This is insecure. Can it use a different,
> >    limited admin?
> Or use ldapi?  I don't think ldapjdk can use ldapi.

It's a matter of trust for me. I do not want to trust PKI to have free
rein on all data. I want it to be confined to only what it needs.

So we can use ldapi and user mapping, but we wouldn't map the user to DM

> > 3. Index strategies are different.
> Use a union?  e.g. if ipa needs attribute "a" indexed for equality only, but 
> PKI needs it indexed for presence and substring only, then we can just index 
> it for eq, sub, and pres.

The problem here is finding out and how to make sure pki vs ds/ipa
install and upgrade scripts do not stomp on each other.

> > 4. Make sure we have a union of the required sets of plugins.
> > 5. PKI needs to set D.S. Default Name context.
> What is this?

See my other mail, we need DS to support setting defaultNamingContext in

> > 6. If PKI uses the IPA datastore for users, it needs to create the user
> >    with all the right prerequisites (object class, defaults).
> If both PKI and IPA use structural objectclasses, we may have to create 
> corresponding auxiliary objectclasses so that you can mix-in both sets of 
> objectclasses while having only one structural objectclass per entry.

The problem here is much bigger: PKI simply does not have enough
information to create a proper IPA user, so it should not be allowed to.
This is an example of why I want to tightly control through ACIs what
PKI can do and prevent it from causing "issues".


Simo Sorce * Red Hat, Inc * New York
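Point 3 above (index the union of what IPA and PKI each need, so install and upgrade scripts don't stomp on each other), as an added example that is not code from the thread or from IPA/PKI. The LDIF fragments are constructed; only the cn=index DN layout and the nsIndexType attribute follow 389-DS.

```python
# Added example (not from the thread): merge the index definitions an IPA and a
# PKI installer would each write under cn=index in 389-DS into a per-attribute union.
from collections import defaultdict

# Constructed sample LDIF fragments, in the DN layout 389-DS uses for indexes.
IPA_LDIF = """\
dn: cn=uid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn: uid
nsIndexType: eq

dn: cn=memberOf,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn: memberOf
nsIndexType: eq
"""
PKI_LDIF = """\
dn: cn=uid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn: uid
nsIndexType: pres
nsIndexType: sub

dn: cn=serialno,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn: serialno
nsIndexType: eq
"""

def parse_indexes(ldif):
    """Return {index DN: set of nsIndexType values} from an LDIF fragment."""
    indexes, dn = {}, None
    for line in ldif.splitlines():
        if not line.strip():          # blank line ends the current entry
            dn = None
        elif line.startswith("dn: "):
            dn = line[4:]
            indexes.setdefault(dn, set())
        elif line.startswith("nsIndexType: ") and dn:
            indexes[dn].add(line[len("nsIndexType: "):])
    return indexes

def merge_indexes(*ldifs):
    """Union per DN: nothing either consumer asked for is dropped."""
    merged = defaultdict(set)
    for ldif in ldifs:
        for dn, types in parse_indexes(ldif).items():
            merged[dn] |= types
    return dict(merged)

def to_ldif(merged):
    """Render the union as nsIndex entries (cn + nsSystemIndex + index types)."""
    return "\n".join(f"dn: {dn}\nobjectClass: nsIndex\ncn: {dn[3:].split(',')[0]}\n"
                     "nsSystemIndex: false\n"
                     + "".join(f"nsIndexType: {t}\n" for t in sorted(types))
                     for dn, types in sorted(merged.items()))
```

Running the union instead of letting the last installer rewrite the entry keeps uid indexed for eq, pres and sub at once, which is the outcome Richard's "use a union" suggestion describes.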

Freeipa-devel mailing list