On Tue, 2011-11-01 at 12:40 -0400, Richard Megginson wrote:
> ----- Original Message -----
> > We had a brief discussion on unifying the PKI and IPA Directory
> > Server instances. Here are my notes from it. Please fill out the
> > details and correct me if I've mis-stated anything below.
> >
> > Issues:
> >
> > Do IPA and PKI use different suffixes?

Currently not, as we use completely separate instances, but we will be able to use different suffixes for some stuff.

> > 1.
> > Both make changes to Config. One identified conflict is the
> > configuration of the Uniqueness plugin
>
> It may be easy to enhance this plugin and other plugins to allow different
> configuration per subtree.

If we confirm this conflict, this will become a requirement before we can proceed.

> > 2.
> > PKI uses Directory Manager. This is insecure. Can it use a different,
> > limited admin?
>
> Or use ldapi? I don't think ldapjdk can use ldapi.

It's a matter of trust for me. I do not want to trust PKI to have free rein on all data. I want it to be confined to only what it needs. So we can use ldapi and user mapping, but we wouldn't map the user to DM anyway.

> > 3.
> > Index strategies are different
>
> Use a union? e.g. if ipa needs attribute "a" indexed for equality only, but
> PKI needs it indexed for presence and substring only, then we can just index
> it for eq, sub, and pres.

The problem here is finding out, and how to make sure PKI vs. DS/IPA install and upgrade scripts do not stomp on each other.

> > 4.
> > make sure we have a union of the required sets of plugins
> >
> > 5.
> > PKI needs to set D.S. Default Name context
>
> What is this?

See my other mail; we need DS to support setting defaultNamingContext in the rootDSE.

> > 6.
> > If PKI uses the IPA datastore for users, it needs to create the user
> > with all the right prerequisites (object class, defaults)
>
> If both PKI and IPA use structural objectclasses, we may have to create
> corresponding auxiliary objectclasses so that you can mix-in both sets of
> objectclasses while having only one structural objectclass per entry.

The problem here is much bigger: PKI simply does not have enough information to create a proper IPA user, so it should not be allowed to.

This is an example of why I want to tightly control through ACIs what PKI can do and prevent it from causing "issues".

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
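The "union of index strategies" in point 3, and Simo's worry that the PKI and DS/IPA install and upgrade scripts will stomp on each other's indexes, can be handled by merging each consumer's index requirements and then emitting only the changes that are missing from the live configuration. The following is an added example, not code from FreeIPA, Dogtag or 389 DS: it parses a constructed dump of the `cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config` subtree (the standard 389 DS layout; the backend name `userRoot` and the sample attributes are assumptions), unions two hypothetical requirement sets, and produces an LDIF that adds index types without ever removing a type the other consumer may rely on.

```python
"""Merge index requirements of two consumers of one 389 DS instance.

Added example; not FreeIPA, Dogtag or 389 DS code.  The DN layout and the
nsIndexType values (eq, pres, sub, approx) are the standard 389 DS index
configuration; the backend name, the sample index dump and the two
requirement sets below are constructed for this example.
"""

INDEX_BASE = "cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config"  # assumed backend
VALID_TYPES = {"eq", "pres", "sub", "approx"}

# Constructed sample of what an ldapsearch of the index subtree might return
# after the IPA installer has run (uid: eq+pres, cn: eq+sub).
EXISTING_LDIF = """\
dn: cn=uid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: nsIndex
cn: uid
nsSystemIndex: false
nsIndexType: eq
nsIndexType: pres

dn: cn=cn,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: nsIndex
cn: cn
nsSystemIndex: false
nsIndexType: eq
nsIndexType: sub
"""

# Hypothetical requirement sets each install script would ship with.
IPA_REQUIRED = {"uid": {"eq", "pres"}, "cn": {"eq", "sub"}, "memberOf": {"eq"}}
PKI_REQUIRED = {"uid": {"sub"}, "cn": {"pres"}, "serialno": {"eq"}}


def parse_index_ldif(text):
    """Return {attr: set(nsIndexType)} from an LDIF dump of index entries.

    Attribute names are lower-cased, since LDAP matches them case-insensitively.
    """
    indexes, attr = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:            # blank line ends the current entry
            attr = None
            continue
        key, _, value = line.partition(":")
        key, value = key.lower(), value.strip()
        if key == "dn":
            rdn = value.split(",", 1)[0]          # "cn=uid"
            attr = rdn.split("=", 1)[1].lower()
            indexes.setdefault(attr, set())
        elif key == "nsindextype" and attr is not None:
            if value not in VALID_TYPES:
                raise ValueError(f"{attr}: unknown nsIndexType {value!r}")
            indexes[attr].add(value)
    return indexes


def union_requirements(*reqs):
    """Per-attribute union of index types across all consumers."""
    merged = {}
    for req in reqs:
        for attr, types in req.items():
            bad = set(types) - VALID_TYPES
            if bad:
                raise ValueError(f"{attr}: unknown nsIndexType {sorted(bad)}")
            merged.setdefault(attr.lower(), set()).update(types)
    return merged


def plan_changes(existing, wanted):
    """Return (new_entries, additions): indexes to create and types to add.

    Types already present are left alone, so an upgrade run by either
    consumer cannot strip an index type the other one needs.
    """
    new_entries, additions = {}, {}
    for attr, types in wanted.items():
        if attr not in existing:
            new_entries[attr] = set(types)
        else:
            missing = set(types) - existing[attr]
            if missing:
                additions[attr] = missing
    return new_entries, additions


def changes_to_ldif(new_entries, additions):
    """Render the plan as LDIF suitable for ldapmodify."""
    out = []
    for attr in sorted(new_entries):
        out += [f"dn: cn={attr},{INDEX_BASE}", "changetype: add",
                "objectClass: top", "objectClass: nsIndex", f"cn: {attr}",
                "nsSystemIndex: false"]
        out += [f"nsIndexType: {t}" for t in sorted(new_entries[attr])]
        out.append("")
    for attr in sorted(additions):
        out += [f"dn: cn={attr},{INDEX_BASE}", "changetype: modify",
                "add: nsIndexType"]
        out += [f"nsIndexType: {t}" for t in sorted(additions[attr])]
        out += ["-", ""]
    return "\n".join(out)


if __name__ == "__main__":
    existing = parse_index_ldif(EXISTING_LDIF)
    wanted = union_requirements(IPA_REQUIRED, PKI_REQUIRED)
    print(changes_to_ldif(*plan_changes(existing, wanted)))
```

Adding an `nsIndexType` value only changes the configuration; entries already in the backend are not indexed for the new type until a reindex task (db2index) is run for that attribute, so an install or upgrade script that applies this LDIF should schedule that as well.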
