On Tue, 2011-11-01 at 12:40 -0400, Richard Megginson wrote:
> ----- Original Message -----
> > We had a brief discussion on unifying the PKI and IPA Directory
> > Server instances. Here are my notes from it. Please fill out the
> > details and correct me if I've mis-stated anything below.
> > Issues:
> Do IPA and PKI use different suffixes?
Currently not as we use completely separate instances, but we will be
able to use different suffixes for some stuff.
> > 1.
> > Both make changes to Config. One identified conflict is he
> > configuration of the Uniqueness plugin
> It may be easy to enhance this plugin and other plugins to allow different
> configuration per subtree.
If we confirm this conflict this will become a requirement before we can
> > 2.
> > PKI uses Directory Manager. This is insecure. Can it use a differen,
> > limited admin?
> Or use ldapi? I don't think ldapjdk can use ldapi.
It's a matter of trust for me. I do not want to trust PKI to have free
reign on all data. I want it to be confined to only what it needs.
So we can use ldapi and user mapping, but we wouldn't map the user to DM
> > 3.
> > Index strategies are different
> Use a union? e.g. if ipa needs attribute "a" indexed for equality only, but
> PKI needs it indexed for presence and substring only, then we can just index
> it for eq, sub, and pres.
The problem here is finding out and how to make sure pki vs ds/ipa
install and upgrade scripts do not stomp on each other.
> > 4.
> > make sure we have a union of the required sets of plugins
> > 5.
> > PKI needs to set D.S. Default Name context
> What is this?
See my other mail, we need DS to support setting defaultNamingContext in
> > 6.
> > If PKI uses the IPA datastore for users, it needs to creat the user
> > with all the right prerequisites (object class, defaults)
> If both PKI and IPA use structural objectclasses, we may have to create
> corresponding auxiliary objectclasses so that you can mix-in both sets of
> objectclasses while having only one structural objectclass per entry.
The problem here is much bigger, PKI simply do not have enough
information to create a proper IPA user, so it should not be allowed to.
This is an example of why I want to tightly control through ACIs what
PKI can do and prevent it from causing "issues".
Simo Sorce * Red Hat, Inc * New York
Freeipa-devel mailing list